Full Report
Security researchers found evidence that Cellebrite was used by Serbian police to hack into the cellphones of a local journalist and an activist. (Source: TechCrunch)
Analysis Summary
# Incident Report: Alleged Misuse of Cellebrite Forensics Tools by Serbian Authorities
## Executive Summary
This incident involves allegations, reported by Amnesty International, that Serbian police used Cellebrite's forensic tools to gain access to the mobile phones of a journalist and an activist. Following access, authorities allegedly planted 'Novispy' Android spyware on the devices to maintain surveillance. In response, Cellebrite conducted a review and suspended Serbia as a customer due to non-compliance with their policies.
## Incident Details
- Discovery Date: December 2024 (Amnesty International report publication)
- Incident Date: The device compromises occurred before the December 2024 investigation findings were published. Cellebrite's suspension of the Serbian customer was announced on Tuesday, February 25, 2025 (based on the article date).
- Affected Organization: Serbia (through its police/intelligence agencies)
- Sector: Government/Law Enforcement Technology Use
- Geography: Serbia
## Timeline of Events
### Initial Access
- Date/Time: Prior to December 2024
- Vector: Use of Cellebrite forensics tools to unlock targeted mobile phones.
- Details: Serbian police allegedly used Cellebrite tools to unlock phones belonging to a local journalist and an activist.
### Lateral Movement
- Date/Time: Following initial access.
- Details: After unlocking the phones, Serbian authorities installed the 'Novispy' Android spyware to maintain persistent surveillance.
### Data Exfiltration/Impact
- Details: The immediate impact was unauthorized access to, and surveillance of, a journalist's and an activist's devices via the planted spyware. The *type* of data collected by the spyware is not specified, though the implication is ongoing surveillance data.
### Detection & Response
- Date/Time: December 2024
- Details: Amnesty International published a report detailing the allegations against Serbian police/intelligence.
- Response actions taken: Cellebrite conducted a review of the allegations according to its ethics policies and subsequently stopped the use of its products by the relevant Serbian customer(s).
## Attack Methodology
This incident involves the alleged misuse of legitimate forensic tools by a state actor acting as the attacker against domestic targets.
- Initial Access: Exploitation/Unlocking of target mobile devices using Cellebrite forensic technology.
- Persistence: Installation of 'Novispy' Android spyware after initial access was achieved.
- Privilege Escalation: Not explicitly detailed, but successfully bypassing device security measures (unlocking phones) enabled subsequent persistence.
- Defense Evasion: N/A (the activity relied on the forensic tool's capabilities and on weaknesses in the security of the target devices rather than on evading defenses).
- Credential Access: N/A (Focus was on device access).
- Discovery: N/A (Investigation stemmed from external reporting/auditing by Amnesty International).
- Lateral Movement: Not explicitly detailed; the reported activity is limited to the initial device compromise followed by installation of secondary malware on the same device.
- Collection: Surveillance conducted via the planted 'Novispy' spyware.
- Exfiltration: Not specified.
- Impact: Unauthorized ongoing surveillance and compromise of personal communication devices.
## Impact Assessment
- Financial: Not disclosed (Cellebrite incurred internal review costs and the loss of a customer).
- Data Breach: Compromise of mobile device data belonging to a journalist and an activist; scope and volume unknown, but involved surveillance.
- Operational: Disruption and potential chilling effect on the communications of the targeted journalist and activist.
- Reputational: Significant negative impact on Cellebrite's reputation regarding customer vetting and ethics adherence.
## Indicators of Compromise
* **Network indicators:** Not provided (the source relies on third-party reporting rather than published technical indicators).
* **File indicators:** 'Novispy' Android spyware (no file hashes are provided in the source).
* **Behavioral indicators:** Use of Cellebrite forensic tools by state actors to unlock a device, followed by installation of secondary spyware ('Novispy') on the unlocked device.
## Response Actions
- Containment measures: Cellebrite stopped the use of its products by the relevant Serbian customers.
- Eradication steps: Not applicable to Cellebrite directly; its action was to cut off the customer's access to the toolkit. The targeted individuals would need to remove the Novispy spyware from their devices.
- Recovery actions: Not detailed, but implied that the targeted individuals needed to secure/replace their devices.
## Lessons Learned
- Vendor oversight is critical: The incident highlights the necessity for technology vendors (like Cellebrite) to rigorously enforce and monitor their usage and ethics policies, especially when dealing with foreign government clients.
- Policy enforcement impact: Prompt action following credible investigation (Amnesty report) can mitigate further abuse associated with proprietary tools.
- Potential for misuse: Tools intended for lawful forensics can be used directly for, or followed by, illegal or unethical surveillance operations.
## Recommendations
- Strengthen Know-Your-Customer (KYC) and End-Use Monitoring: Cellebrite must enhance auditing capabilities to ensure customers are not using acquired technology to facilitate post-access surveillance operations (like planting Novispy).
- Enhanced Vetting Procedures: Review and tighten export/usage agreements to specifically prohibit the planting of secondary surveillance software following forensic data extraction.
- Proactive Disclosure: Establish clearer escalation paths for external auditors (NGOs) to report suspected violations directly to the vendor's ethics monitoring team.