November 7, 2024

Serbian government targets critics with spyware

Security researchers discovered that critics of Serbia’s nationalist government, known for exposing widespread corruption, faced military-grade spyware earlier this year.

Two Serbian pro-democracy activists, opting to remain anonymous for safety reasons, survived a hacking attempt. Their updated Apple iPhones, equipped with the latest iOS software, thwarted the infiltration, according to researchers.

Apple first notified the individuals of the attempted hack, issuing an alert suggesting they might have been targeted by a state-sponsored actor. The warning was subsequently validated through investigations conducted by Access Now, the Share Foundation in Serbia, the Citizen Lab at the Munk School at the University of Toronto, and Amnesty International.

Months ago, researchers disclosed that Russian journalists critical of Vladimir Putin and residing in the European Union encountered spyware. Despite efforts by the Council of Europe and the European Parliament to implement policies restraining spyware use, recent instances within the bloc indicate some European governments’ apparent readiness to employ spyware for silencing and intimidating political dissenters.

Natalia Krapiva, Access Now’s tech-legal counsel, expressed deep concern: “These findings pose a grave threat to the rule of law and democracy in Serbia. Unrestrained usage of commercial spyware not only jeopardizes human rights but also undermines security and democratic institutions in any nation.”

The research revealed that the Serbians were targeted approximately a minute apart on or around August 16, 2023. Access Now and Citizen Lab identified signs of the attempted intrusion, which aimed to exploit a potential vulnerability in the iPhone’s HomeKit application.

The exploitation of the technical vulnerability aligns with methods previously employed by states utilizing Pegasus, among the world’s most advanced cyber weapons, marketed by Israel’s NSO Group. When successfully deployed, Pegasus can effectively commandeer a mobile phone, transforming it into a portable eavesdropping tool. It enables access to encrypted applications and allows viewing of a user’s messages and photos.

However, in the Serbian case, the researchers couldn’t definitively identify the specific spyware used due to limited available forensic indicators.

“We’re refraining from attributing these attacks to a specific operator currently. Nevertheless, our decade-long investigations at Citizen Lab indicate Serbia’s consistent procurement of mercenary spyware and other commercial surveillance technologies,” stated John Scott-Railton, a senior researcher at Citizen Lab.

NSO responded to the Guardian, stating that the report by Citizen Lab and Access Now lacked definitive conclusions. The company has consistently asserted that Pegasus is marketed to governments exclusively for tackling serious crimes and terrorism, emphasizing that its application “saves lives.”

Additionally, NSO clarified, “NSO does not oversee the operation of its technology and does not have access to the gathered intelligence.”

Although the researchers couldn’t definitively link the attempted attacks in Serbia to a particular spyware, these incidents are expected to refocus attention on previous discoveries involving clandestine data gathering and surveillance conducted by Serbia’s Security Information Agency (BIA). The BIA’s former director, Aleksandar Vulin, faced US Treasury sanctions in July 2023 for backing Moscow and for leveraging “his political positions to advance Russia’s detrimental activities” and destabilize Serbia. Vulin resigned from his role on November 3.

One individual, reportedly a target of the hacking attempt and interviewed by the Guardian, described their work as centered on criticizing Serbia’s “autocratic regime,” widespread corruption, and the current government’s pro-Russian foreign policy, which diverges from the EU stance, particularly regarding Moscow sanctions.

This person believed the attempted hacking aimed to intimidate or discredit their work, possibly to uncover compromising information.

Both targeted individuals suspected the attempted hacks could also be linked to demands for official investigations into the government’s handling of a mass shooting that claimed 17 lives, including children, during the past summer. Subsequent mass protests criticized President Aleksandar Vučić, accusing him of fostering divisions within the country that some believe led to the tragic shooting.
