By Arzu Geybulla*
Azerbaijani reporter Sevinc Vagifgizi was terrified after discovering that her mobile phone had been infected by Pegasus, a controversial spyware whose latest variant can be invisible to its victims.
The knowledge that all activity on her mobile could have been viewed by the state security services was deeply disturbing, she said.
“I was always aware that they could listen to our phone calls, but I never imagined that they could access anything through the internet and can record voices, take videos, and listen to everything I say,” she told the Committee to Protect Journalists.
Researchers and journalists working on the Pegasus Project, a global investigation into smartphone spying, have identified more than 1,000 phone numbers from Azerbaijan, indicating that they were potential targets for state spying.
For activists and independent journalists like Vagifgizi in Azerbaijan, this appears to be just the latest tool used in a long-running and ongoing campaign of digital surveillance and intimidation.
So far, a quarter of the phone numbers identified belong to political activists, lawyers, journalists and human rights defenders, according to the Organized Crime and Corruption Reporting Project (OCCRP) which is leading the Azerbaijan chapter of the investigation.
Pegasus is a form of spyware which infects a user’s smartphone; the user is unaware of this, which means that photos, text messages, passwords, location, and call logs can all be accessed and copied. It can activate a phone’s microphone and camera without the user’s knowledge.
The latest version of Pegasus allows zero-click attacks to infect a device without the target even reading the message through which the virus is sent.
Etienne Maynier, a technologist at Amnesty International’s Security Lab, said that they had found evidence of Pegasus intrusive software since the targeting of Emirati human rights activist Ahmed Mansoor in 2016. Researchers also knew that iPhone operating system security issues for which supposed security updates need to be issued had been used since attacks against Uyghurs in 2019.
The problem was that very little could be done about it, she continued.
“There are very limited solutions to be protected against the Pegasus infection, especially as it can bypass most protections recommended in security trainings for civil society representatives,” Maynier said.
Pegasus was developed by an Israeli tech firm, NSO Group, which claims that it “helps government agencies prevent and investigate terrorism and crime to save thousands of lives around the world”.
The firm don’t put their prices online, but according to a 2016 investigation by the New York Times, setting up a Pegasus basic plan would cost a client more than a million US dollars, with extra charges to follow: to spy on ten iPhone or Android users would cost an extra 650,000 dollars, for example. Customers include countries with a poor human rights record, including Saudi Arabia, UAE, Bahrain, Kazakstan, and Rwanda.
According to the OCCRP, of 1,000 numbers analysed in Azerbaijan, 250 were identified, with the majority belonging to journalists, activists, rights defenders, lawyers and their family members. While being on the list does not necessarily indicate that the phone was compromised, it suggests that these individuals were of interest to the client.
Khadija Ismayilova, one of the journalists whose device was compromised, told OCCRP that none of the people identified so far posed a threat to national security.
“There is no reasonable cause for watching them. These people have no access to state secrets. It is for blackmail purposes only,” she said.
There is ample evidence showing the extent of surveillance in Azerbaijan. SMS interceptions and phone tapping were followed by the “black boxes” installed within Azercell, one of the country’s three mobile operators, in 2008. These enabled the security services to monitor the internet traffic, phone calls and location data of mobile users. Black boxes also allowed interception of passwords, triggered through reset requests for users who had recovery connected to a mobile number operated by a local provider.
This technology allowed the state access to the full data package on specific users based on their IP addresses, internet service providers and mobile operators. It also allowed state security services to collect all the telecom provider’s data.
Then in 2015, Bakcell, one of three mobile operators in Azerbaijan, purchased ‘deep packet inspection technology from Canada-based networking company Sandvine. By 2017 this technology was being used to block access to several independent and opposition news websites and the Electronic Security Center at the Ministry of Communications instructed upstream providers to block access to websites like Azadliq.info, Azadliq.org, meydan.tv, and abzas.net.
The same year, Azerbaijan passed legal amendments that granted the authorities wide powers to block access to websites allegedly featuring vaguely-defined, so-called prohibited information.
A presidential decree from June 2001 already required operators and providers to install specialist equipment that provides access to information for search operations, effectively making state spying compulsory.
And in a country where government control over mobile operators and internet service providers, and the use of intrusive surveillance equipment has been well established over several years, stolen data is used as a tool of harassment.
The case of Fatima Movlamli is an example; a fierce government critic, she made headlines in Azerbaijan in 2018, when she reportedly disappeared after attending an opposition-led protest in March.
When Movlamli’s relatives called the ministry of internal affairs they were told they had no information about her whereabouts. In fact, Movlamli had been arrested by the ministry’s anti-trafficking department and kept incommunicado for five days. During that time, she was physically assaulted and threatened with rape unless she signed a confession conceding she was involved in prostitution. She was 17 at the time.
The attempts to damage her reputation included intimate pictures shared on social media. This was not the last time she was targeted. In 2019, a fake Facebook profile created in her name was used to share personal photos and videos of Movlamli. In July 2020, Movlamli’s Facebook profile was compromised, and in 2021, multiple channels on Telegram shared intimate pictures and videos of Movlamli and other feminist activists. A fake page on Facebook advertised Movlamli’s phone number for escort services.
Her details appeared amongst more than 1,000 phone numbers identified by the OCCRP. Whilst her name and number appeared on the target list, her device did not indicate signs of infection.
Maynier stressed that even given the invisible nature of Pegasus attacks, journalists and activists still needed to implement digital security measures to prevent less sophisticated threats.
“Traditional digital security recommendations such as using end to end encrypted communication applications, Tor browser, and two-step verification are still important, because the vast majority of attacks are less advanced than Pegasus,” she said.
“What it means in the bigger picture, is that digital security trainers must adapt their content to include Pegasus and similar viruses…[those at risk] must take into account that their devices may be hacked, and that they should try and limit and compartmentalise the data on their devices.
*About the author: Arzu Geybulla is an Azerbaijani journalist currently based in Istanbul.
Source: This article was published at IWPR and prepared under the “Amplify, Verify, Engage (AVE) Project” implemented with the financial support of the Foreign Ministry of Norway.