Apple warns Armenians of state-sponsored hacking attempts


Apple has sent alerts to people in Armenia in recent weeks that their phones are being targeted by state-sponsored hackers, with several cybersecurity experts warning that it is likely tied to Pegasus spyware.

CyberHUB, an Armenian digital rights organization that is investigating the incidents, said the number of spyware infections in the country has been steadily increasing over the last two years. Many infections are linked to the government of Azerbaijan, which has a history of conflict with Armenia, especially concerning the disputed Nagorno-Karabakh region.

“In the case of Armenia, these warnings mean that the phone was infected with Pegasus spyware,” said CyberHUB co-founder Samvel Martirosyan, referring to the surveillance tool developed by Israeli firm NSO Group and sold to governments around the world.

Although Apple’s notifications did not specify the spyware used or identify who was responsible for the hack, there is some evidence that the latest wave of infections used Pegasus, according to Natalia Krapiva, tech and legal counsel at digital rights nonprofit Access Now. However, she said it is hard to know for certain while the investigation is still being carried out.

NSO Group did not respond to a request for comment.

Martirosyan said the spyware was likely installed on the orders of the Azerbaijani government. During the war between Armenia and Azerbaijan in 2020, Pegasus spyware was used to target Armenian journalists, activists, government officials, and civilians. While the identity of the hackers behind the attacks remained unclear, researchers suggested that Azerbaijan was one of the potential suspects.

The University of Toronto’s Citizen Lab identified at least two suspected Pegasus operators in Azerbaijan who have targeted individuals within the country as well as abroad.

Krapiva agreed that “the likely suspect is Azerbaijan,” because of its history with Pegasus and its close ties to Israel.

Tensions have been high between Armenia and Azerbaijan, and reached a tipping point in September when Azerbaijan launched a large-scale military offensive in Nagorno-Karabakh, violating a 2020 ceasefire agreement.

CyberHUB, which has been investigating Pegasus infections for two years, said that the number of hacks is growing in Armenia. However, the true extent of these hacks is hard to determine, as many victims prefer not to make their cases public, according to Krapiva. Android users do not receive such notifications at all, she added.

Most of the infections occur during escalations between Armenia and Azerbaijan, researchers said. Targets in Armenia have included high-ranking politicians, civil society representatives, activists, journalists, and editors.

Pegasus has recently been used to target activists, politicians, and journalists in Poland, Spain, Greece, and Russia.

In September, the Parliamentary Assembly of the Council of Europe called the use of Pegasus spyware by several countries in the region potentially illegal.


Daryna Antoniuk is a freelance reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.

