{"id":33838,"date":"2023-12-15T18:18:13","date_gmt":"2023-12-15T17:18:13","guid":{"rendered":"https:\/\/bezbednost.org\/?post_type=publikacija&#038;p=33838"},"modified":"2023-12-21T15:27:26","modified_gmt":"2023-12-21T14:27:26","slug":"serbian-civil-society-members-targeted-by-military-grade-spyware","status":"publish","type":"publikacija","link":"https:\/\/bezbednost.org\/en\/publication\/serbian-civil-society-members-targeted-by-military-grade-spyware\/","title":{"rendered":"Serbian Civil Society Members Targeted by Military-Grade Spyware"},"content":{"rendered":"<p>On October 30th, 2023, two citizens of Serbia, both members of civil society organizations, received the same\u00a0<a href=\"https:\/\/support.apple.com\/en-sg\/102174\">threat notification<\/a>\u00a0that a \u201cstate-sponsored\u201d technical attack had been detected on their mobile devices. They sought counsel from SHARE Foundation, a Belgrade-based digital rights watchdog, whose forensic experts extracted evidence from the devices,\u00a0<a href=\"https:\/\/www.sharefoundation.info\/en\/spyware-attack-attempts-on-mobile-devices-of-members-of-civil-society-discovered\/\">confirmed<\/a>\u00a0that the warning was warranted, and sent the evidence for independent expert analyses: one conducted by\u00a0<a href=\"https:\/\/securitylab.amnesty.org\/latest\/2023\/11\/serbia-civil-society-threatened-by-spyware\/\">Amnesty International<\/a>\u00a0and the other by\u00a0<a href=\"https:\/\/www.accessnow.org\/spyware-attack-in-serbia\/\">Access Now<\/a>\u00a0in collaboration with\u00a0<a href=\"https:\/\/citizenlab.ca\/2023\/11\/serbia-civil-society-spyware\/\">Citizen Lab<\/a>. Both analyses came up with the same results: the attack on two devices occurred almost simultaneously in mid-August; the attack utilized a known system vulnerability, but it was not entirely clear whether it had been successful; traces of the attack detected in late October indicate that\u00a0<strong>the advanced spyware\u00a0<em>Pegasus<\/em>\u00a0was used<\/strong>. However, given the available evidence, it was not possible to definitively ascertain both the type of software employed and the identity of the attacker.<\/p>\n<p>In its statement, Amnesty International also notes that- in a separate research- it identified evidence that the\u00a0<em>Pegasus<\/em>\u00a0spyware was in fact\u00a0<strong>used in recent months to target other civil society members<\/strong>\u00a0in Serbia. It is virtually impossible to determine how many such cases there really are: some may not have paid attention to the threat notification, others may not know what it means, or who to contact about it.<\/p>\n<p>The attention of the foreign press confirms the gravity of the incident: \u201cCritics of Serbia\u2019s government targeted with \u2018military-grade spyware\u2019\u201d the\u00a0<em>Guardian<\/em>\u00a0<a href=\"https:\/\/www.theguardian.com\/technology\/2023\/nov\/28\/critics-of-serbias-government-targeted-with-military-grade-spyware\">reported<\/a>. The\u00a0<em>Washington Post<\/em>\u00a0<a href=\"https:\/\/www.washingtonpost.com\/politics\/2023\/11\/28\/spyware-abuses-travel-serbia-first-time\/\">wrote<\/a>\u00a0that one of the targeted individuals they spoke with was shocked that someone would use\u00a0<strong>such expensive means<\/strong>\u00a0to target them personally.<\/p>\n<p>For global human rights organizations and the media, Serbia is just another in a long line of countries where assaults on civilians with military weapons \u2013 albeit digital and bloodless \u2013 have been recorded in recent years. Such attacks target citizens engaged in socially significant activities that are usually unfavorable to the authorities:\u00a0<strong>investigative journalists, human rights activists, whistleblowers<\/strong>. Meanwhile, experts and the broader community persistently \u2013 and so far unsuccessfully \u2013 call on states\u00a0<a href=\"https:\/\/www.scmagazine.com\/news\/predator-files-report-prompts-call-for-worldwide-ban-on-spyware\">to ban<\/a>\u00a0the production, sale, and use of such tools due to the intrusiveness and the ease of their abuse. While their primary purpose is the thorough surveillance leading to the obliteration of privacy in individual lives, their\u00a0<a href=\"https:\/\/www.theguardian.com\/world\/2022\/aug\/09\/spyware-canada-threat-democracy-human-rights\">immediate consequence<\/a>\u00a0is\u00a0<strong>the destruction of a society where citizens are no longer autonomous beings,<\/strong>\u00a0and norms no longer serve to protect material and human values.<\/p>\n<p>The reference to the \u201cstate-sponsored\u201d attack in the threat notification indicates the use of highly sophisticated technology developed with state funds or exclusively sold to states. This technology serves the purpose of maintaining a \u2018monopoly of force\u2019 in cyberspace, enabling the fight against terrorism and addressing other challenges within the realm of national security. In other words,\u00a0<strong>it is a type of military weapon<\/strong>, and its price is worthy of its purpose: a trial annual license for the mentioned\u00a0<em>Pegasus<\/em>, one of only a few in the world of that rank,\u00a0<a href=\"https:\/\/www.theguardian.com\/news\/2022\/feb\/02\/fbi-confirms-it-obtained-nsos-pegasus-spyware\">reportedly costs<\/a>\u00a0around five million US dollars. The amounts vary significantly depending on the number of devices planned for the attack.<\/p>\n<p>Unlike \u2018commercial\u2019 viruses we are accustomed to, this level of advanced cyber-attacks is not triggered by a random click on suspicious files and links. The device owner does not have to do anything risky: the spyware infiltrates the system without any interaction, from a safe distance. This is its key comparative advantage and a distinctive feature that sets it apart in a saturated market of computer viruses, from cheap packages for parental control of children\u2019s online behavior to more expensive criminal \u2018solutions\u2019 intended for data theft and ransom extortion.<\/p>\n<p>The\u00a0<strong>infamous\u00a0<em>Pegasus<\/em>\u00a0is produced by the Israeli company NSO<\/strong>, specialized in so-called intelligence technologies, and is sold exclusively to states. While, like other manufacturers of similar tools for cyber warfare, the company claims that its clients have a contractual obligation to use the software\u00a0<strong>only for investigating crimes and terrorism<\/strong>, international organizations have compiled a long, worldwide list of proven\u00a0<a href=\"https:\/\/www.amnesty.org\/en\/latest\/news\/2023\/10\/global-predator-files-spyware-scandal-reveals-brazen-targeting-of-civil-society-politicians-and-officials\/\">cases of abuse<\/a>\u00a0of the spyware \u2013 within the client-state against independent journalists, civil activists, and government critics in general, and externally against foreign politicians and diplomats. The software is notorious for its\u00a0<strong>capacity to bypass security measures<\/strong>\u00a0effortlessly and gain access to sensitive information. Once deployed,\u00a0<em>Pegasus<\/em>\u00a0has the capability to monitor communication, track location, and access various data on the targeted device, raising significant concerns about privacy and individual rights.<\/p>\n<p>So, who could have launched such an attack in Serbia? According to one of the targeted individuals, the work they do could be unsettling for\u00a0<strong>both Serbia and Russia<\/strong>. However, the disproportion between the targets and the invested resources is strikingly bizarre \u2013 civil rights activists and independent journalists in Serbia are already muffled enough by tabloid smear campaigns and explicit threats by state officials, with occasional old-school spying incidents. Officially, Russia is blacklisted by Israeli and other companies producing cyber warfare tools, but this ban does not apply to many of Russian satellites and allies around the world. Suspicions that Russia was behind advanced espionage techniques in Finland, Poland, Germany, the USA, and elsewhere have never been confirmed. Moreover, one theory claims that Russia deliberately encourages such suspicions as this achieves its goals in the field Russia is actually interested in: creating noise in the public space of the targeted state, polarizing society, and fostering distrust in local institutions.<\/p>\n<p>On the other hand, Serbia has been seen as an interested buyer of digital espionage tools on several occasions. Security services and the Ministry of Defense negotiated the purchase and tested software solutions from an Italian company starting in 2011. We\u00a0<a href=\"https:\/\/labs.rs\/en\/hacking-team-the-italian-job-of-serbian-security-services\/\">learned about this<\/a>\u00a0a few years later thanks to hacked emails published on WikiLeaks. The German FinFisher or FinSpy \u2013 a product of a company that Reporters Without Borders marked in 2013 as one of the\u00a0<a href=\"https:\/\/rsf.org\/en\/special-report-internet-surveillance-focusing-5-governments-and-5-companies-enemies-internet\">five corporate enemies<\/a>\u00a0of the internet \u2013\u00a0<a href=\"https:\/\/resursi-sharefoundation-info.translate.goog\/sr\/resource\/wikileaks-softver-za-nadzor-i-u-srbiji\/?_x_tr_sl=auto&amp;_x_tr_tl=en&amp;_x_tr_hl=en&amp;_x_tr_pto=wapp\">was detected in Serbia<\/a>\u00a0the same year. The presence of various digital tools for monitoring, tracking, and intercepting communication in Serbia has been confirmed in recent years by several\u00a0<a href=\"https:\/\/citizenlab.ca\/2021\/12\/pegasus-vs-predator-dissidents-doubly-infected-iphone-reveals-cytrox-mercenary-spyware\/\">independent sources<\/a>. Similar phenomena are recorded\u00a0<a href=\"https:\/\/balkaninsight.com\/2023\/09\/14\/surveillance-states-monitoring-of-journalists-goes-unchecked-in-central-south-east-europe\/\">in other countries of the region<\/a>\u00a0as well,\u00a0<strong>particularly in Hungary.<\/strong><\/p>\n<p>During the ongoing\u00a0<a href=\"https:\/\/www.reuters.com\/world\/europe\/serbias-vucic-dissolves-parliament-sets-snap-vote-dec-17-2023-11-01\/\">election campaign<\/a>, Serbian security services appear to be engrossed in\u00a0<a href=\"https:\/\/balkaninsight.com\/2023\/12\/01\/belgrade-opposition-candidate-quits-election-campaign-over-private-video-leak\/\">sexually explicit video<\/a>\u00a0leaked from a stolen laptop belonging to an opposition MP. Consequently, there seems to be a lack of attention in the \u00a0safeguarding of citizens who may be vulnerable to military cyber-attacks. If we assume that the attack on members of the civil society originated from Serbian territory, employing state-licensed tools, it raises questions about whether there is still control over various devices and systems accumulated in the frenzy of digitization\u2014or perhaps, it was intentionally left unattended.<\/p>\n<p>* This article is a translation and modification of the\u00a0<a href=\"https:\/\/pescanik.net\/sajber-rat-protiv-civila\/\">text originally published<\/a>\u00a0on the Serbian website Pe\u0161\u010danik on November 30, 2023. The content has been adapted with permission for clarity and relevance.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>In October, two members of Serbian civil society organizations were notified that a \u201cstate-sponsored\u201d attack was detected on their devices.<\/p>\n","protected":false},"author":8,"featured_media":33839,"comment_status":"closed","ping_status":"closed","template":"","meta":{"_acf_changed":false,"footnotes":""},"categories":[7415,8610,11155],"tags":[11229,7461,11230],"vrsta":[9441],"pdfpub":[],"coauthors":[],"class_list":["post-33838","publikacija","type-publikacija","status-publish","has-post-thumbnail","hentry","category-bscp","category-cyber-security","category-digital-surveillance","tag-cybersecurity","tag-serbia","tag-serbian-civil-society","vrsta-analysis"],"acf":[],"_links":{"self":[{"href":"https:\/\/bezbednost.org\/en\/wp-json\/wp\/v2\/publikacija\/33838","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/bezbednost.org\/en\/wp-json\/wp\/v2\/publikacija"}],"about":[{"href":"https:\/\/bezbednost.org\/en\/wp-json\/wp\/v2\/types\/publikacija"}],"author":[{"embeddable":true,"href":"https:\/\/bezbednost.org\/en\/wp-json\/wp\/v2\/users\/8"}],"replies":[{"embeddable":true,"href":"https:\/\/bezbednost.org\/en\/wp-json\/wp\/v2\/comments?post=33838"}],"version-history":[{"count":2,"href":"https:\/\/bezbednost.org\/en\/wp-json\/wp\/v2\/publikacija\/33838\/revisions"}],"predecessor-version":[{"id":33842,"href":"https:\/\/bezbednost.org\/en\/wp-json\/wp\/v2\/publikacija\/33838\/revisions\/33842"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/bezbednost.org\/en\/wp-json\/wp\/v2\/media\/33839"}],"wp:attachment":[{"href":"https:\/\/bezbednost.org\/en\/wp-json\/wp\/v2\/media?parent=33838"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/bezbednost.org\/en\/wp-json\/wp\/v2\/categories?post=33838"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/bezbednost.org\/en\/wp-json\/wp\/v2\/tags?post=33838"},{"taxonomy":"vrsta","embeddable":true,"href":"https:\/\/bezbednost.org\/en\/wp-json\/wp\/v2\/vrsta?post=33838"},{"taxonomy":"pdfpub","embeddable":true,"href":"https:\/\/bezbednost.org\/en\/wp-json\/wp\/v2\/pdfpub?post=33838"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/bezbednost.org\/en\/wp-json\/wp\/v2\/coauthors?post=33838"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}