# Full Report
The comprehensive report showed how Serbian law enforcement combined Cellebrite's technology with a novel Android-focused spyware program. The post Amnesty International exposes Serbian police's use of spyware on journalists, activists appeared first on CyberScoop.
# Analysis Summary
# Incident Report: Serbian Government Deployment of NoviSpy and Cellebrite Against Journalists
## Executive Summary
Serbian police and the Security Intelligence Agency (BIA) systematically used a combination of Cellebrite phone-unlocking technology and a newly discovered Android spyware, "NoviSpy," to surveil journalists and activists. The primary vector was physical access to devices during detentions, which enabled installation of the spyware to steal data and monitor communications. This illustrates an escalating trend toward physical-access tactics as remote security defenses become harder to defeat.
## Incident Details
- **Discovery Date:** Monday (the day Amnesty International published its report; the exact date is not given in the source)
- **Incident Date:** No later than February (based on the police stop of journalist Milanov)
- **Affected Organization:** Various Serbian journalists and activists (e.g., Slaviša Milanov)
- **Sector:** Civil Society, Independent Media
- **Geography:** Serbia
## Timeline of Events
### Initial Access
- **Date/Time:** Specific dates are not clear for all cases, but journalist Milanov was stopped in **February**.
- **Vector:** **Physical seizure and forced access** during police stops framed as substance testing ("testing for psychoactive substances").
- **Details:** Authorities detained journalist Slaviša Milanov, held him for hours, and returned his phone with mobile data and Wi-Fi turned off, which raised his suspicion.
### Lateral Movement
- **Details:** The report focuses primarily on implanting surveillance software via physical access rather than network-based lateral movement. Once installed, NoviSpy allowed for data capture and remote activation of the phone’s microphone/camera.
### Data Exfiltration/Impact
- **Details:** The objective was to obtain information about the journalist's work, associates, and sources, as well as exert pressure on independent media. NoviSpy is capable of capturing personal data.
### Detection & Response
- **How it was discovered:** Amnesty International analyzed Milanov's device after he became suspicious, which led to the discovery of the combined Cellebrite and NoviSpy tooling.
- **Response actions taken:** Amnesty International published a detailed report documenting the findings and attributing the spyware to BIA. They also raised concerns with the donor, the Norwegian government, which pledged to investigate via UNOPS.
## Attack Methodology
- **Initial Access:** Physical access leveraged during police detentions; Cellebrite technology used to unlock or bypass security to install spyware.
- **Persistence:** NoviSpy spyware installed on target Android devices.
- **Privilege Escalation:** Not explicitly detailed; a separate escalation step is often unnecessary when forensic tooling (Cellebrite) is used to gain direct OS-level access.
- **Defense Evasion:** The shift to physical access suggests an attempt to evade increasingly sophisticated *remote* security defenses (like those imposed by Google/Apple).
- **Credential Access:** Implied via data capture capabilities of NoviSpy.
- **Discovery:** Analysis of the compromised device by Amnesty Tech.
- **Lateral Movement:** Not the primary focus; reliance on device-level takeover.
- **Collection:** NoviSpy capable of capturing personal data, activating microphone/camera.
- **Exfiltration:** Implied via the spyware's data capture capabilities.
- **Impact:** Surveillance, information gathering on journalistic sources, and psychological pressure.
## Impact Assessment
- **Financial:** Not quantified, but potential costs related to forensic investigation and reputational damage for supporting entities (e.g., Norway).
- **Data Breach:** Personal data, communications, and source information from targeted journalists/activists.
- **Operational:** Undermining the operational ability and safety of independent investigative journalists working in critical areas.
- **Reputational:** Significant reputational damage to Serbian intelligence agencies (BIA) and questions surrounding the due diligence of the technology donor (Norway).
## Indicators of Compromise
- **Network indicators:** None detailed in the source; the primary compromise vector was physical rather than network-based.
- **File indicators:** Traces of **NoviSpy** spyware on Android devices.
- **Behavioral indicators:** Mobile data and Wi-Fi found switched off when a device is returned after a police stop; unexplained active applications on a supposedly secured phone.
## Response Actions
- **Containment measures:** (For the victims) Immediately secure or wipe compromised devices and remain vigilant about subsequent communications.
- **Eradication steps:** Amnesty International's main actions were public disclosure and notification of the donor agency.
- **Recovery actions:** (For the victims) Address the psychological and professional fallout of having been monitored.
## Lessons Learned
- The increasing difficulty of remote exploitation is pushing state actors toward **physical access** tactics during targeted stops.
- Forensic/unlocking technology (like Cellebrite) is a key enabler for covert surveillance when combined with sophisticated spyware (NoviSpy).
- Donor nations (like Norway) must implement **stringent due diligence** to prevent human rights abuses when donating surveillance technology.
## Recommendations
- Increased technological defenses against physical tampering and forensic mirroring during unexpected police stops.
- Journalists and activists in high-risk environments should employ rigorous operational security (OPSEC), including leaving non-essential devices behind when traveling or preparing for high-risk meetings.
- Technology providers must enforce strict end-user licensing agreements and perform audits, especially concerning tools donated or sold to foreign governments.