PUBLICATION: Analysis

Serbian Civil Society Members Targeted by Military-Grade Spyware

In October, two members of Serbian civil society organizations were notified that a “state-sponsored” attack was detected on their devices.

On October 30th, 2023, two citizens of Serbia, both members of civil society organizations, received the same threat notification that a “state-sponsored” technical attack had been detected on their mobile devices. They sought counsel from SHARE Foundation, a Belgrade-based digital rights watchdog, whose forensic experts extracted evidence from the devices, confirmed that the warning was warranted, and sent the evidence for independent expert analyses: one conducted by Amnesty International and the other by Access Now in collaboration with Citizen Lab. Both analyses came up with the same results: the attack on two devices occurred almost simultaneously in mid-August; the attack utilized a known system vulnerability, but it was not entirely clear whether it had been successful; traces of the attack detected in late October indicate that the advanced spyware Pegasus was used. However, given the available evidence, it was not possible to definitively ascertain both the type of software employed and the identity of the attacker.

In its statement, Amnesty International also notes that, in separate research, it identified evidence that the Pegasus spyware was in fact used in recent months to target other civil society members in Serbia. It is virtually impossible to determine how many such cases there really are: some may not have paid attention to the threat notification, others may not know what it means, or who to contact about it.

The attention of the foreign press confirms the gravity of the incident: “Critics of Serbia’s government targeted with ‘military-grade spyware’,” the Guardian reported. The Washington Post wrote that one of the targeted individuals they spoke with was shocked that someone would use such expensive means to target them personally.

For global human rights organizations and the media, Serbia is just another in a long line of countries where assaults on civilians with military weapons – albeit digital and bloodless – have been recorded in recent years. Such attacks target citizens engaged in socially significant activities that are usually unfavorable to the authorities: investigative journalists, human rights activists, whistleblowers. Meanwhile, experts and the broader community persistently – and so far unsuccessfully – call on states to ban the production, sale, and use of such tools due to the intrusiveness and the ease of their abuse. While their primary purpose is the thorough surveillance leading to the obliteration of privacy in individual lives, their immediate consequence is the destruction of a society where citizens are no longer autonomous beings, and norms no longer serve to protect material and human values.

The reference to the “state-sponsored” attack in the threat notification indicates the use of highly sophisticated technology developed with state funds or exclusively sold to states. This technology serves the purpose of maintaining a ‘monopoly of force’ in cyberspace, enabling the fight against terrorism and addressing other challenges within the realm of national security. In other words, it is a type of military weapon, and its price is worthy of its purpose: a trial annual license for the mentioned Pegasus, one of only a few in the world of that rank, reportedly costs around five million US dollars. The amounts vary significantly depending on the number of devices planned for the attack.

Unlike ‘commercial’ viruses we are accustomed to, this level of advanced cyber-attacks is not triggered by a random click on suspicious files and links. The device owner does not have to do anything risky: the spyware infiltrates the system without any interaction, from a safe distance. This is its key comparative advantage and a distinctive feature that sets it apart in a saturated market of computer viruses, from cheap packages for parental control of children’s online behavior to more expensive criminal ‘solutions’ intended for data theft and ransom extortion.

The infamous Pegasus is produced by the Israeli company NSO, specialized in so-called intelligence technologies, and is sold exclusively to states. While, like other manufacturers of similar tools for cyber warfare, the company claims that its clients have a contractual obligation to use the software only for investigating crimes and terrorism, international organizations have compiled a long, worldwide list of proven cases of abuse of the spyware – within the client-state against independent journalists, civil activists, and government critics in general, and externally against foreign politicians and diplomats. The software is notorious for its capacity to bypass security measures effortlessly and gain access to sensitive information. Once deployed, Pegasus has the capability to monitor communication, track location, and access various data on the targeted device, raising significant concerns about privacy and individual rights.

So, who could have launched such an attack in Serbia? According to one of the targeted individuals, the work they do could be unsettling for both Serbia and Russia. However, the disproportion between the targets and the invested resources is strikingly bizarre – civil rights activists and independent journalists in Serbia are already muffled enough by tabloid smear campaigns and explicit threats by state officials, with occasional old-school spying incidents. Officially, Russia is blacklisted by Israeli and other companies producing cyber warfare tools, but this ban does not apply to many of Russia’s satellites and allies around the world. Suspicions that Russia was behind advanced espionage techniques in Finland, Poland, Germany, the USA, and elsewhere have never been confirmed. Moreover, one theory claims that Russia deliberately encourages such suspicions as this achieves its goals in the field Russia is actually interested in: creating noise in the public space of the targeted state, polarizing society, and fostering distrust in local institutions.

On the other hand, Serbia has been seen as an interested buyer of digital espionage tools on several occasions. Security services and the Ministry of Defense negotiated the purchase and tested software solutions from an Italian company starting in 2011. We learned about this a few years later thanks to hacked emails published on WikiLeaks. The German FinFisher or FinSpy – a product of a company that Reporters Without Borders marked in 2013 as one of the five corporate enemies of the internet – was detected in Serbia the same year. The presence of various digital tools for monitoring, tracking, and intercepting communication in Serbia has been confirmed in recent years by several independent sources. Similar phenomena are recorded in other countries of the region as well, particularly in Hungary.

During the ongoing election campaign, Serbian security services appear to be engrossed in a sexually explicit video leaked from a stolen laptop belonging to an opposition MP. Consequently, there seems to be a lack of attention to the safeguarding of citizens who may be vulnerable to military cyber-attacks. If we assume that the attack on members of the civil society originated from Serbian territory, employing state-licensed tools, it raises questions about whether there is still control over various devices and systems accumulated in the frenzy of digitization – or perhaps, it was intentionally left unattended.

* This article is a translation and modification of the text originally published on the Serbian website Peščanik on November 30, 2023. The content has been adapted with permission for clarity and relevance.

DETAILS

DATE: 15.12.2023

TYPE: Analysis
