“Most of the people targeted were those working on topics related to human rights violations,” says Donncha Ó Cearbhaill, head of Amnesty International’s Security Lab.
While the researchers were unable to conclusively determine who was behind the surveillance, NSO Group has historically said that it only licenses its products to governments, particularly to law enforcement and intelligence agencies. Previous reporting has found that Azerbaijan, Bahrain, Kazakhstan, Mexico, Morocco, Rwanda, Saudi Arabia, Hungary, India, Togo, and the United Arab Emirates were all likely NSO Group customers. In 2022, the company said it would no longer sell to non-NATO countries.
A Pegasus infection is a “zero-click” attack, meaning the victim doesn’t need to open a suspicious email or click a bad link. “There is no behavior that would have protected these people from this spyware,” says John Scott-Railton, senior researcher at Citizen Lab.
While Pegasus has historically been used by government officials against their own populations, particularly activists and journalists, for which the company has come under international scrutiny, Scott-Railton says the use across borders in a conflict is particularly concerning. “NSO is always saying, ‘We sell our stuff to fight crime and terror,’ obviously this suggests that the reality goes beyond that,” he says.
While Scott-Railton says it’s unclear what information was being sought from the victims, the Pegasus software gives nearly unprecedented access to anything in an infected phone. It also allows the surveillant to turn on the microphone or camera remotely, turning the device into a “pocket spy.” “It’s the kind of thing that could potentially … change or influence the course of a conflict.”
Nowhere is this more evident than in the experience of one victim, Anna Naghdalyan, a former spokesperson for the Armenian Foreign Ministry. In her role, Naghdalyan had intimate knowledge of the ceasefire negotiations between Armenia and Azerbaijan, with “all the information about the war on my phone,” she told Access Now.
“It’s one thing for a state to use a tool like this against military adversaries on the battlefield,” says David Kaye, a former UN special rapporteur on the right to freedom of opinion and expression and a clinical professor of law at the University of California, Irvine. But the potential to surveil across borders in a time of conflict has “not just human rights concerns, but national security concerns.”
According to the report, if any humanitarian organizations were caught in the surveillance dragnet, that could make the use of Pegasus a violation of international law, which protects humanitarian workers in conflict settings.
“Humanitarian workers are considered outside of combat, so efforts to infiltrate their communications or to conduct surveillance for purposes of military advantage on humanitarian aid workers and humanitarian installations is prohibited in most cases,” says Raymond, a coleader of the Humanitarian Research Lab and lecturer at Yale’s School of Public Health.
“Regardless of which state is using this, there needs to be a comprehensive investigation and accountability,” says Ó Cearbhaill.