Security researchers and digital rights organizations believe the government of Azerbaijan used spyware produced by NSO Group to target a government worker, journalists, activists and the human rights ombudsperson in Armenia as part of a years long conflict that has at times broken out into an all-out war.

The cyberattacks may be the first public cases where commercial spyware was used in the context of a war, according to Access Now, a digital rights group that investigated some of the cases. The hacks happened between November 2021 and December 2022. The skirmish between Armenia and Azerbaijan — known as the Nagorno-Karabakh conflict — has been going on for years, and it flared up again in May 2021, when Azerbaijani soldiers crossed into Armenia and occupied parts of its territory.

“While a number of infected individuals are also members of the Armenian opposition or are otherwise critical of the current government, the infections took place at critical times in the Nagorno Karabakh conflict and a deep political crisis caused by the conflict, which resulted in a significant uncertainty over the future of the country’s leadership and its position on Karabakh,” Natalia Krapiva, the tech legal counsel at Access Now, told TechCrunch. “Some of the victims worked closely in or with [Armenia’s] Nikol Pashinyan’s administration and were directly involved in the negotiations or investigation of human rights abuses committed by Azerbaijan in the conflict.”

The Azerbaijani embassy in Washington, D.C. did not respond to a request for comment.

NSO Group did not respond to a request for comment.

Access Now was aided by Citizen Lab, another digital rights organization specialized in investigating spyware; Amnesty International; CyberHUB-AM, an Armenian cybersecurity organization that helps civil society; and local cybersecurity researchers.

According to Access Now, the victims include Kristinne Grigoryan, the top human rights defender in Armenia; Karlen Aslanyan and Astghik Bedevyan, two Radio Free Europe/Radio Liberty’s (RFE/RL) Armenian Service journalists; two unnamed United Nations officials; Anna Naghdalyan, a former spokesperson of Armenia’s Foreign Ministry (now an NGO worker); as well as activists, media owners and academics.

Samvel Farmanyan, the former co-founder and host of an opposition television in Armenia, told TechCrunch that the hack he suffered “is a form of terror.”

“It is not only a clear violation of human rights, my rights of privacy and private communication, but it had [an] enormous psychological effect,” he said in an online chat. “It is difficult what you feel when you are sure that you are illegally under surveillance with no knowledge which government may stand behind and what the real purposes are behind that illegal intervention.”

Farmanyan, as well as other victims, realized they were victims of a hack when Apple sent them a notification that they may have been targeted with government spyware, as the company did with several other victims in other countries. They then reached out to Access Now, Citizen Lab or Amnesty International to get their phones checked.

In the case of Armenia’s top human rights defender Grigoryan, Access Now said that her phone “was infected not long after she shared her phone number with her Azerbaijani counterpart.”

Over the last few years, there have been countless cases of abuse of NSO spying tools in Mexico, Saudi Arabia, Bahrain and many other countries, but Access Now considers this a special case.

“Providing Pegasus spyware to either of the sides in the context of a violent conflict carries a substantial risk of potentially contributing to and facilitating serious human rights violations and even war crimes,” the organization wrote in its press release.

There isn’t conclusive evidence that the Azerbaijan government is behind these attacks, but a coalition of media organizations known as the Pegasus Project showed that the country is one of NSO’s customers. Yet, Ruben Muradyan, a mobile security researcher who analyzed the phones of five victims in Armenia, said that some of them believe the government of Armenia could be behind the hacks, since they were being critical of the local government at the time.

The Armenian embassy in Washington, D.C. did not respond to a request for comment.

In any case, it’s unclear whether using spyware such as Pegasus in the context of an armed conflict constitutes a violation of international law, according to Anna Pagnacco, a cybersecurity policy researcher at Oxford Information Labs.

“International law is silent on the topic of peacetime espionage, which is broadly criminalized at the national level; yet all states still conduct espionage. Intelligence activities carried out by members of a belligerent party’s armed forces in uniform during international armed conflict are legitimate — i.e. spying is not a war crime,” Pagnacco told TechCrunch.

Do you have more information about NSO Group? Or another surveillance tech provider? We’d love to hear from you. You can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, or via Wickr, Telegram and Wire @lorenzofb, or email [email protected]. You can also contact TechCrunch via SecureDrop.