Two Serbian journalists reportedly targeted with Pegasus spyware

Two investigative journalists in Serbia were targeted with advanced commercial spyware last month, Amnesty International said Thursday.

The journalists, who work for the Balkan Investigative Reporting Network (BIRN), were targeted with the NSO Group’s Pegasus spyware, according to a press release.

Both received unusual messages on the Viber messaging app from a number they didn’t know and was later determined to be tied to the state-telecommunications operator, Amnesty said. 

The journalists brought their phones to the Amnesty International Security Lab, which says it confirmed they were targeted with spyware. 

Pegasus — which often infects user devices without their needing to click on any links — in this case appears to have been deployed as a one-click attack, Amnesty said.

The text messages contained hyperlinks to a domain name which Amnesty has determined with “high confidence” is associated with Pegasus, Donncha Ó Cearbhaill, the head of Amnesty International’s Security Lab, said in a statement.

Serbia has in recent years intensified its crackdown on protestors and others in civil society. 

A massive March 15 anti-government rally in the Serbian capital, Belgrade, highlights how tense the conflict between civil society and the authorities has become recently. Peaceful protestors at that rally alleged that Serbian authorities deployed an illegal sonic weapon.

The recent targeting of two journalists marks the third time in two years that Amnesty has found Pegasus deployed against Serbian civil society,

In November 2023, Amnesty International and other digital freedom groups diagnosed a zero-click spyware attack on two Serbian civil society members on the eve of national elections.

Amnesty later found an additional Pegasus attack targeting a “high-profile individual involved in the wide-scale Serbian protest movement,” it said.

Serbian authorities also recently used Cellebrite software to secretly unlock civilians’ phones so they could install another brand of homegrown spyware, Amnesty announced in December.

The text message sent to one of the journalists targeted last month linked to a news article and contained a message saying: “Do you have info that he is next? I heard something completely different,” Amnesty said. 

The reporter was working on a story about a state-linked corruption case at the time. The day before the message was sent, she met with sources close to the government, Amnesty said.

NSO Group did not immediately respond to a request for comment but told Amnesty that “all sales of our systems are to vetted government end-users.” 

Amnesty International said in a statement that it “believes that the continued use of Serbian language Pegasus infection domain names, and the targeting of Serbian civil society with a consistent methodology are indicative of these attacks being carried out by a Serbian state entity.”