The Utility of Spyware in War

The Utility of Spyware in War: What Spyware Usage in Armenia and Azerbaijan Signals About the Future

By: Brooke Spens, Ahissa Rice, Emma Szczesniak, and Riley Phillips

Abstract:

The proliferation of spyware has led to revelations of human rights abuses by democratic governments and authoritarian states alike. The latest reporting on the global surveillance-for-hire industry details the utilization of military-equivalent cyber weapons, the likes of NSO Group’s Pegasus and Cytrox’s Predator, in international conflict, specifically the Nagorno-Karabakh conflict in Armenia and Azerbaijan.1 The deployment of powerful spyware that is maintained and sold by a third-party company calls into question the rules of cross-border surveillance. What does the presence of Predator and Pegasus spyware in the Nagorno-Karabakh region indicate about the forthcoming uses of cyber espionage in times of war? Finally, the current legal system and human rights safeguards in place, and their shortcomings in the global spyware industry, will be examined.

History of the Nagorno-Karabakh Region

The conflict between Armenia and Azerbaijan over the disputed region of Nagorno-Karabakh is rooted in the early 20th century. At the time, both countries were a part of the Soviet Union. In the late 1980s, the Armenian population in the Nagorno-Karabakh region voted to secede from Azerbaijan and join Armenia. This withdrawal led to ethnic violence and war following the collapse of the Soviet Union in 1991. The 1994 ceasefire brought an end to active fighting in the Nagorno-Karabakh conflict. However, tensions remained high between Armenia and Azerbaijan over the disputed region. In 2020, fighting once again erupted between Armenian and Azerbaijani forces for control of the border area before a Russian-brokered deal established another ceasefire. Since 2020, there have been allegations that Armenia and Azerbaijan alike are covertly using surveillance techniques amid ongoing geopolitical tensions, including cross-border surveillance and targeted spyware tools. Armenia has been linked to Cytrox and Azerbaijan has been identified as an operator of Pegasus. Access Now and Citizen Lab discovered spyware infections during the recent Nagorno-Karabakh military conflict, infections that hindered humanitarian relief efforts.2 While the decades-long conflict over Nagorno-Karabakh has seen both war and attempts at peace, the purchasing and deploying of spyware for surveillance and intelligence-gathering purposes by both sides raises privacy concerns and shows how today’s surveillance technologies can be utilized in decades-long disputes.

Armenia and Azerbaijan Employ Mercenary Spyware

According to reports from Citizen Lab, Access Now, and Amnesty International, the mercenary spyware Pegasus and Predator have been purchased and deployed in Armenia and Azerbaijan. Armenia is believed to be operating Predator whilst evidence points to Azerbaijan deploying Pegasus.3 The timing and detection of infections and the significance of the chosen targets will be introduced in the following section; however, the spyware is notable due to its technical capabilities and deleterious effects. Predator is spyware operated by Cytrox, a company within the Intellexa Alliance.4 Pegasus is the infamous spyware owned and operated by the NSO Group. Both of these companies sell this powerful surveillance technology to states, which, given current regulation, will use it at their own discretion. Pegasus is a zero-click surveillance technology that is covertly installed on a mobile device and can access video, audio, location, and other data on a user’s phone.5 Predator is a lesser-known iteration of mercenary spyware, yet it shares many of the same abilities.6 Knowledge of Predator is becoming more widespread following the release of the ‘Predator Files’ in early October 2023. Predator can be delivered through zero-click or single-click attacks. Single-click attacks occur when a target clicks on a link; historical instances have shown that delivery is typically through WhatsApp or social media platforms. Zero-click attacks, in this instance, have involved spyware delivery through tactical methods reliant on proximity.7 In a single-click attack, infection attempts begin on the device shortly after the user accesses the link. Technical knowledge of Predator and Pegasus is crucial to understanding the intrusive nature of surveillance technology in the current digital age. Along with this, the implications of cross-border surveillance and the impact of a cyber weapon of this nature being present in the Nagorno-Karabakh region will be covered in subsequent sections.

Predator & Pegasus War Zone Detection and Case Studies

The Pegasus infiltrations on individuals in Armenian and Azerbaijani civil society were likely the result of government intelligence operations. Based on data obtained by Amnesty International and the Citizen Lab, the spyware infections occurred between October 2020 and December 2022, aligning closely with pivotal events in the Armenia-Azerbaijan conflict.8 The Azerbaijani government is the suspected perpetrator of the infiltrations, both those in Armenia and those in Azerbaijan. Greater knowledge of Azerbaijan’s spyware is due to considerable research on Pegasus spyware, including detection techniques, which has led to a more thorough analysis of Azerbaijan’s spyware use. Twelve individuals residing in Armenia were confirmed to have been infected with Pegasus spyware, one of whom was Anna Naghdalyan, the Spokesperson of the Ministry of Foreign Affairs (MFA), who was privy to confidential conversations surrounding the Nagorno-Karabakh crisis.9 Anna’s device was infiltrated a minimum of 27 times between October 2020 and June 2021, during which time Anna was involved in domestic policy through her position with the MFA.10 Additionally, Ruben Melikyan and Kristinne Grigoryan were human rights ombudspeople whose device infections in 2022 were closely tied to critical events in Azerbaijan’s offensive strikes. Following a meeting and contact exchange with Sabina Aliyeva, the ombudsperson in Azerbaijan, Kristinne attempted correspondence, but received no response.11 However, shortly thereafter in mid-September 2022, Azerbaijan attacked the Armenian border and proceeded to post videos of the executions.12 After viewing the videos in early October 2022, Kristinne voiced concern regarding the atrocities in analytical reports and while briefing diplomats in Armenia that same month.13 This corresponded to the Pegasus attack on Kristinne’s device around October 4. Although unsuccessful, a Pegasus attack on Ruben’s phone in December 2022 coincided with Azerbaijan’s blockade of the Lachin corridor.14

In addition to those who held positions in the political sector, three contributors to media sources, Samvel Farmanyan, Astghik Bedevyan, and Karlen Aslanyan, were Pegasus victims. Samvel is the co-founder of ArmNews television, a broadcasting company that openly criticized the Armenian government’s tactics and defeat during the Nagorno-Karabakh war in 2020.15 Interestingly, the television channel was shut down in February, four months prior to the infection on Samvel Farmanyan’s phone, a potential indication of Azerbaijan’s use of Pegasus to glean intel on the Armenian government that was no longer being broadcast. Karlen and Astghik are Radio Azatutyun journalists whose devices were infected in April and May of 2021, respectively.16 Through the radio show, Karlen interviewed various political guests knowledgeable on the Nagorno-Karabakh conflict, including Kristinne Grigoryan, who spoke on the show one month prior to the Pegasus attack on her own device.17 A commonality among most of those infected with Pegasus was having proprietary knowledge of, or news reports on, the parliamentary election proceedings in May and June of 2021. As the Nagorno-Karabakh conflict intensified in May 2021 with Azerbaijan on the offensive, the spyware infiltrations could have provided vital information about the political stability of Armenia to initiate an effectively timed attack. However, Azerbaijan’s use of Pegasus only accounts for one side of the conflict. Armenia is suspected to have used the Cytrox product, Predator, as the spyware technology was reported to have been deployed via Armenian servers.18 As such, it is probable that both parties have utilized spyware technology as a means of attack during the Armenia-Azerbaijan conflict. The correlation between an individual voicing concern and their device being subject to a spyware infection attempt points to possible censorship attempts by the governments involved.

Current Regulation Standards and Implications of a Cyber Weapon in an International Conflict

The use of spyware in the Azerbaijan-Armenian conflict points to the growing market for malware. This instance once again indicates that state-centric security and commercial interests have trumped discussion and consideration for human rights.19 The Armenia-Azerbaijan conflict is the newest phase of spyware proliferation that is aided by the lack of due diligence practices and regulation standards. Private companies like NSO Group and Intellexa have become actors in conflicts outside of their origin states. In the case of NSO Group, the Israeli government, which regulates the spyware, and the private actors facilitating its sale have gained access to the inner workings of another state’s conflict. Given the role that an external party has played in an event outside of its sovereign bounds, it must be considered what level of accountability must be rendered to the external state that is responsible for the exportation of this mercenary spyware. Given the capabilities of modern surveillance spyware, there is reason to argue that applications of this nature should be subject to the same regulations as arms control. Supranational legislation lacks the efficacy to enforce the human rights agreements and standards that it sets for itself under the current legislation used to mitigate technological advances and protect citizens.

Terms such as “dual-use” provide loopholes for European member states like Armenia and Azerbaijan to bypass legislation restricting spyware use. The EUDUR defines dual-use as goods and technologies used for both ‘military’ and ‘civil’ purposes.20 Dual-use as it is applied through the EU’s export controls under EU Common and Commercial Policy and EUDUR maintains that member states should control and command the delivery of intrusion software through national authorities.21 In application, the ambiguity of words like ‘military’ and ‘civil’, coupled with state jurisdiction over trade, export, and spyware practices, leads to the abuse of malware technology in times of conflict.22 To facilitate change, international organizations could leverage the possibility of hindrance to humanitarian aid produced by mercenary spyware as a means of legal accountability. Deciphering the effects of spyware could lead to the establishment of legal structures that would better uphold human rights standards and regulations of spyware use both within individual nation states and outside of their sovereign bounds. Lack of accountability translates into a thriving spyware market that has facilitated a foothold for the presence of technology like Pegasus and Predator within a war zone. If not properly regulated, the Azerbaijan and Armenian conflict marks the start of a new type of weapon in a war zone. The presence of spyware in the Nagorno-Karabakh region is a predictor of the capabilities of spyware when utilized in conflict. Thus far, mercenary spyware’s continuing ability to enable human rights abuses against civil society in times of both conflict and peace warrants calls for change.

1 “Hacking in a War Zone: Pegasus Spyware in the Azerbaijan-Armenia Conflict,” May 25, 2023, https://www.accessnow.org/publication/armenia-spyware-victims-pegasus-hacking-in-war/.

2 “Hacking in a War Zone: Pegasus Spyware in the Azerbaijan-Armenia Conflict,” May 25, 2023, https://www.accessnow.org/publication/armenia-spyware-victims-pegasus-hacking-in-war/.

3 “Hacking in a War Zone: Pegasus Spyware in the Azerbaijan-Armenia Conflict,” May 25, 2023, https://www.accessnow.org/publication/armenia-spyware-victims-pegasus-hacking-in-war/.

4 “The Predator Files: Caught in the Net,” October 9, 2023, https://www.amnesty.org/en/documents/act10/7245/2023/en/.

5 “Forensic Methodology Report: How to Catch NSO Group’s Pegasus” (London, UK: Amnesty International, July 18, 2021), https://www.amnesty.org/en/wp-content/uploads/2021/08/DOC1044872021ENGLISH.pdf.

6 Bill Marczak et al., “Predator in the Wires: Ahmed Eltantawy Targeted with Predator Spyware After Announcing Presidential Ambitions” (Citizen Lab, September 22, 2023), https://citizenlab.ca/2023/09/predator-in-the-wires-ahmed-eltantawy-targeted-with-predator-spyware-after-announcing-presidential-ambitions/.

7 “The Predator Files: Caught in the Net,” October 9, 2023, https://www.amnesty.org/en/documents/act10/7245/2023/en/.

8 Aram Avetisyan, “Analysts Say Use of Spyware During Conflict Is Chilling,” August 7, 2023, https://www.voanews.com/a/analysts-say-use-of-spyware-during-conflict-is-chilling-/7215333.html.

9 “Hacking in a War Zone: Pegasus Spyware in the Azerbaijan-Armenia Conflict,” May 25, 2023, https://www.accessnow.org/publication/armenia-spyware-victims-pegasus-hacking-in-war/.

10 “Hacking in a War Zone: Pegasus Spyware in the Azerbaijan-Armenia Conflict,” May 25, 2023, https://www.accessnow.org/publication/armenia-spyware-victims-pegasus-hacking-in-war/.

11 “Hacking in a War Zone: Pegasus Spyware in the Azerbaijan-Armenia Conflict,” May 25, 2023, https://www.accessnow.org/publication/armenia-spyware-victims-pegasus-hacking-in-war/.

12 “Hacking in a War Zone: Pegasus Spyware in the Azerbaijan-Armenia Conflict,” May 25, 2023, https://www.accessnow.org/publication/armenia-spyware-victims-pegasus-hacking-in-war/.

13 “Hacking in a War Zone: Pegasus Spyware in the Azerbaijan-Armenia Conflict,” May 25, 2023, https://www.accessnow.org/publication/armenia-spyware-victims-pegasus-hacking-in-war/.

14 “Hacking in a War Zone: Pegasus Spyware in the Azerbaijan-Armenia Conflict,” May 25, 2023, https://www.accessnow.org/publication/armenia-spyware-victims-pegasus-hacking-in-war/.

15 “Hacking in a War Zone: Pegasus Spyware in the Azerbaijan-Armenia Conflict,” May 25, 2023, https://www.accessnow.org/publication/armenia-spyware-victims-pegasus-hacking-in-war/.

16 “Hacking in a War Zone: Pegasus Spyware in the Azerbaijan-Armenia Conflict,” May 25, 2023, https://www.accessnow.org/publication/armenia-spyware-victims-pegasus-hacking-in-war/.

17 “Hacking in a War Zone: Pegasus Spyware in the Azerbaijan-Armenia Conflict,” May 25, 2023, https://www.accessnow.org/publication/armenia-spyware-victims-pegasus-hacking-in-war/.

18 Aram Avetisyan, “Analysts Say Use of Spyware During Conflict Is Chilling,” August 7, 2023, https://www.voanews.com/a/analysts-say-use-of-spyware-during-conflict-is-chilling-/7215333.html.

19 L. Riecke, “Unmasking the term ‘dual use’ in EU Spyware Export Control,” European Journal of International Law 34, no. 3 (2023): 697–720, doi:10.1093/ejil/chad039.

20 L. Riecke, “Unmasking the term ‘dual use’ in EU Spyware Export Control,” European Journal of International Law 34, no. 3 (2023): 697–720, doi:10.1093/ejil/chad039.

21 L. Riecke, “Unmasking the term ‘dual use’ in EU Spyware Export Control,” European Journal of International Law 34, no. 3 (2023): 697–720, doi:10.1093/ejil/chad039.

22 L. Riecke, “Unmasking the term ‘dual use’ in EU Spyware Export Control,” European Journal of International Law 34, no. 3 (2023): 697–720, doi:10.1093/ejil/chad039.