Has Serbia hacked activists’, journalists’ phones? Why?

Amnesty International has revealed that phones belonging to Serbian activists and journalists have been hacked by Serbian intelligence and police using Israeli spyware and other mobile device forensics tools.

The software is being used “to unlawfully target journalists, environmental activists and other individuals in a covert surveillance campaign”, Amnesty said on Monday.

Many individuals who were targeted had not been arrested or charged with any offence, it added.

The Serbian Security Intelligence Agency, known as BIA, rejected accusations that spyware had been used illegally.

“The forensic tool is used in the same way by other police forces around the world,” it said in a statement. “Therefore, we are not even able to comment on nonsensical allegations from their [Amnesty’s] text, just as we do not normally comment on similar content.”

So what has happened in Serbia and what does it all mean?

How did the use of spyware come to light?

According to Amnesty’s 87-page report titled A Digital Prison: Surveillance and the Suppression of Civil Society in Serbia, independent journalist Slavisa Milanov was taken to a police station after what appeared to be a routine traffic stop in February.

When he retrieved his phone after a police interview, Milanov noticed that both the data and Wi-Fi settings had been disabled. Recognising this as a possible indication of hacking, Milanov contacted Amnesty International’s Security Lab and requested an examination of his mobile device. 

The lab found digital traces of software group Cellebrite’s Universal Forensic Extraction Device (UFED) technology, which appeared to have been used to unlock Milanov’s Android device.

It also found spyware that Amnesty said was previously unknown to it – a programme called NoviSpy – which had been installed on Milanov’s phone.

Milanov said he was never advised that the police intended to search his phone and the police had not provided any legal justification for doing so. He said he did not know what specific data had been extracted from his phone.

Amnesty said the use of this sort of technology without proper authorisation is “unlawful”.

“Our investigation reveals how Serbian authorities have deployed surveillance technology and digital repression tactics as instruments of wider state control and repression directed against civil society,” said Dinushika Dissanayake, Amnesty International’s deputy regional director for Europe.

What did Amnesty’s investigation find?

Amnesty International’s investigation made two significant findings. First, it found “forensic evidence” indicating the use of Cellebrite technology to access the journalist’s device.

Cellebrite, a digital intelligence company based in Israel, produces data extraction technology widely used legitimately by law enforcement departments globally, especially in the United States.

In response to the Amnesty report, Cellebrite issued a statement saying: “We are investigating the claims made in this report and are prepared to take measures in line with our ethical values and contracts, including termination of Cellebrite’s relationship with any relevant agencies.”

Amnesty also found the second type of spyware on the journalist’s phone. It is unclear who created NoviSpy or where it comes from.

This technology appears to be capable of allowing attackers to remotely access and extract confidential information from infected smartphones.

NoviSpy, which can be used to retrieve data from Android devices, can also grant unauthorised control over a device’s microphone and camera, posing significant privacy and security risks, the report found.

The Amnesty report stated: “An analysis of multiple NoviSpy spyware app samples recovered from infected devices, found that all communicated with servers hosted in Serbia, both to retrieve commands and surveil data. Notably, one of these spyware samples was configured to connect directly to an IP address range associated directly with Serbia’s BIA.”

NoviSpy works similarly to commercial spyware such as Pegasus, a sophisticated spyware developed by the Israeli cyberintelligence firm NSO, which was involved in a hacking scandal highlighted in 2020.

According to the report, the NoviSpy programme infiltrates devices, capturing an array of screenshots showing sensitive information such as the contents of email accounts, Signal and WhatsApp conversations as well as social media interactions.

[Screengrab/Amnesty]

In another incident reported by Amnesty International involving the NoviSpy software in October, Serbian authorities summoned an activist from the Belgrade-based NGO Krokodil, a nonpartisan civil society organisation that focuses on culture, literature and social activism, to the BIA office.

While the activist was in the interview room, the activist’s Android phone was left unattended outside. A subsequent forensic examination conducted by Amnesty International’s Security Lab revealed that during this time, NoviSpy spyware had been covertly installed on the device.

Why are journalists and activists being targeted?

Amnesty International and other human rights organisations say spyware attacks are used to curb the freedom of the news media and exert wider control over communications within countries.

“This is an incredibly effective way to completely discourage communication between people. Anything that you say could be used against you, which is paralysing at both personal and professional levels,” said an activist targeted with Pegasus spyware and who was referred to in the report as “Branko”. Amnesty said it had changed some names to protect individuals’ identities.

“Goran” (whose name was also changed), an activist also targeted with Pegasus spyware, said: “We are all in the form of a digital prison, a digital gulag. We have an illusion of freedom, but in reality, we have no freedom at all. This has two effects: you either opt for self-censorship, which profoundly affects your ability to do work, or you choose to speak up regardless, in which case, you have to be ready to face the consequences.”

Spyware might also be used to intimidate or deter journalists and activists from reporting information about people in authority, Amnesty said.

In February, Human Rights Watch (HRW) published findings that from 2019 to 2023, Pegasus spyware was used to target at least 33 individuals in Jordan, including journalists, activists and politicians. HRW drew on a report by Access Now, a US-based nonprofit organisation focusing on online privacy, freedom of speech and data protection.

That report, which was based on a collaborative forensic investigation with Citizen Lab, a Canadian academic research centre, uncovered evidence of Pegasus spyware on mobile devices. Some devices were found to have been infected multiple times.

However, the investigation was unable to pinpoint which specific organisations or countries were responsible for orchestrating these attacks.

“Surveillance technologies and cyberweapons such as NSO Group’s Pegasus spyware are used to target human rights defenders and journalists, to intimidate and dissuade them from their work, to infiltrate their networks, and to gather information for use against other targets,” that report stated.

“The targeted surveillance of individuals violates their right to privacy, freedom of expression, association and peaceful assembly. It also creates a chilling effect, forcing individuals to self-censor and cease their activism or journalistic work, for fear of reprisal.”

Is the use of spyware legal?

That depends on the laws of each country.

Article 41 of Serbia’s Constitution guarantees individuals’ confidentiality of correspondence and other forms of communication to protect individual privacy. Like in other countries, retrieval of data from devices is allowed under Serbia’s Criminal Procedure Code but is subject to restrictions – such as being ordered by a court.

The Amnesty International report stated: “Serbia’s Criminal Procedure Code does not use the term ‘digital evidence’, but it considers computer data which could be used as evidence in criminal proceedings as a document (“isprava”).

“Surveillance of communications, including digital data, could be obtained through general evidentiary measures, such as inspection and searches of mobile devices or other equipment which store digital records. These measures are typically not secret and are conducted with the knowledge of and in the presence of a suspect.”

The BIA and police are also entitled to secretly monitor communications to gather evidence for criminal investigations, but this type of surveillance is also governed under the Criminal Procedure Code.

Due to the complexity of different countries’ laws, it can be difficult to definitively prove whether data has been extracted illegally, experts said.

There is an international precedent related to how spyware can be used. Article 17 of the International Covenant on Civil and Political Rights states:

• No one shall be subjected to arbitrary or unlawful interference with his privacy, family, home, or correspondence, nor to unlawful attacks on his honour and reputation.
• Everyone has the right to the protection of the law against such interference or attacks.

As of June, 174 countries, including Serbia, had ratified the covenant, making it one of the most widely adopted human rights treaties.

Who else has been targeted by spyware in recent years?

• In October, 2023, Amnesty International’s Security Lab revealed that two prominent journalists had been targeted via their iPhones with Pegasus spyware. The victims were Siddharth Varadarajan, founding editor of The Wire, and Anand Mangnale, South Asia editor at the Organised Crime and Corruption Report Project. It is not known who was responsible.
• In 2022, HRW reported that Lama Fakih, a senior staff member and director of HRW’s Beirut office, was subjected to multiple cyberattacks using Pegasus spyware in 2021. Pegasus allegedly infiltrated Fakih’s phone on five occasions from April to August that year. Fakih, who oversees HRW’s crisis response in countries that include Afghanistan, Ethiopia, Israel, Myanmar, the occupied Palestinian territory, Syria and the US, was targeted for unknown reasons by an unidentified party.
• In 2020, a collaborative investigation by human rights group Access Now, the University of Toronto’s Citizen Lab and independent researcher Nikolai Kvantaliani from Georgia found that journalists and activists from Russia, Belarus, Latvia and Israel as well as several living in exile in Europe had been targeted with Pegasus spyware. These attacks began as early as 2020 and intensified after Russia’s full-scale invasion of Ukraine in 2022. Citizen Lab also identified a series of attacks on journalists and activists in El Salvador. It is not known who was responsible for the spyware attacks.
• In 2018, Jamal Khashoggi, a prominent Saudi journalist, columnist for The Washington Post and an outspoken critic of Saudi Arabia’s government, was murdered and dismembered inside the Saudi consulate in Istanbul, Turkiye. A subsequent investigation revealed that Pegasus spyware had been deployed to surveil several people close to Khashoggi.