"Critics of Serbia’s government targeted with ‘military-grade spyware’", 28 November 2023

Critics of Serbia’s nationalist government who have documented the country’s endemic corruption were targeted with military-grade spyware earlier this year, according to new findings by security researchers.

The attempted hacking of two Serbian pro-democracy activists – who have asked not to be named to protect their safety – was ultimately not successful because both individuals’ Apple iPhones had been updated with the latest iOS software, which the researchers said protected the devices from being infiltrated.

The individuals were first alerted of the attempted hack by Apple, which sent both an alert that they may have been targeted by a state-sponsored actor. The warning was later confirmed after investigations by researchers at Access Now, the Share Foundation in Serbia, the Citizen Lab at the Munk School at the University of Toronto, and Amnesty International.

Natalia Krapiva, the tech-legal counsel at Access Now, said: “These findings are extremely worrying for the rule of law and democracy in Serbia. Uncontrolled use of commercial spyware is poison not only for human rights, but also security and democratic institutions in any country.”

The researchers said use of the technical vulnerability was “consistent” with those previously used by states improperly using one of the world’s most sophisticated cyber weapons, known as Pegasus, which is sold by Israel’s NSO Group.

The researchers in the Serbian case could not definitively confirm what kind of spyware was used because available forensic indicators were limited.

NSO said in a statement to the Guardian that Citizen Lab and Access Now’s report were “inconclusive”. The company has repeatedly said that Pegasus is sold to governments for the purpose of being used in serious crime and terror investigations and that its use “saves lives”.

It added: “NSO does not operate its technology and is not privy to the collected intelligence.”

While the researchers could not definitively attribute the attempted attacks in Serbia to a specific spyware, the attempted hacks are likely to renew focus on past findings involving covert data collection and surveillance by Serbia’s Security Information Agency (BIA)

One alleged victim of the hacking attempt who was interviewed by the Guardian described their work as focused on being critical of Serbia’s “autocratic regime” and the country’s “widespread corruption”, as well as the current government’s pro-Russian foreign policy, which has not aligned with the EU on issues such as sanctions against Moscow.

The attempted hacking, the person said, was likely an attempt to intimidate or discredit their work, “to find something compromising against me”.

The Serbian government did not respond to requests for comment.