Full Report
Two investigative journalists from Serbia have become the latest victims of targeted spyware attacks using NSO Group's Pegasus software, Amnesty International revealed in a report on Thursday. The Serbian journalists, who work for the Balkan Investigative Reporting Network (BIRN), were reportedly targeted last month through spyware delivered via messages on the Viber messaging app.

The journalists, identified as Bogdana (not her real name) and Jelena Veljkovic, received unusual messages from an unknown Serbian number linked to Telekom Srbija, the state telecommunications operator. The messages contained hyperlinks to a domain that Amnesty International later identified with high confidence as being associated with Pegasus.

Suspecting foul play, the journalists sought help from Amnesty International’s Security Lab, which conducted a forensic analysis of their devices. The lab confirmed that their smartphones were targeted with Pegasus spyware, known for its ability to infect devices without requiring the victim to click on any links. However, in this case, Amnesty determined that the attack was carried out through a one-click infection method, meaning the journalists had to click the malicious link for the spyware to activate.

## A Pattern of Digital Surveillance in Serbia

The attack on the BIRN journalists is not an isolated incident. Amnesty International noted that this is the third time in two years that Pegasus spyware has been used against Serbian civil society members. In November 2023, a similar attack was uncovered, targeting two Serbian activists ahead of the national elections. Amnesty and other digital rights organizations, including Access Now, the SHARE Foundation, and Citizen Lab, documented how zero-click spyware was used to infiltrate the activists' devices without their interaction. Additionally, Amnesty discovered another Pegasus infection in July 2023, targeting a high-profile figure associated with Serbia’s growing protest movement.

The recent attack on the journalists further highlights the ongoing use of invasive surveillance tools to monitor and intimidate civil society members in the country.

## Pegasus: A Global Cyberweapon

Pegasus, developed by the Israeli company NSO Group, is one of the most advanced commercial spyware tools in existence. The software allows an attacker to remotely access a target's smartphone, granting full control over calls, messages, and photos, and even enabling the device's microphone and camera.

NSO Group claims that its technology is sold only to vetted government entities to combat terrorism and crime. However, numerous investigations have revealed the spyware being used against journalists, activists, and political opponents worldwide. In response to Amnesty International’s findings, NSO Group stated, “All sales of our systems are to vetted government end-users.” However, Amnesty believes the continued use of Pegasus in Serbia suggests that state authorities are behind these attacks.

## The Serbian Journalists Speak Out

The targeted journalists expressed concern over the implications of the spyware attack. Bogdana, who was working on a sensitive report about foreign investments and state-linked corruption at the time of the attack, shared her distress upon discovering that her phone had been compromised.

“When I found out that the link on my phone was Pegasus, I was absolutely furious. This was the phone registered to my name, and I felt as if I had an intruder in my own home. This is an unnerving feeling… I was extremely concerned about my sources who could be at risk because they communicated with me,” Bogdana said.

Jelena Veljkovic, who received a similar Viber message but deleted it without clicking, also reflected on the incident.

“When I found out that I was a target of a Pegasus attack, I was not particularly scared but found it quite unsettling. This was my private telephone, which I also use for work, and a virus like Pegasus, which is not selective at all and can access everything on one’s phone, can have repercussions on my family too,” she said.

Both journalists believe the attack was an attempt to silence investigative reporting in Serbia.

## Increasing Repression and the Use of Spyware in Serbia

Serbia has been under increasing scrutiny for its crackdown on journalists, activists, and protestors. A major anti-government rally in Belgrade on March 15 further exposed tensions between civil society and authorities. Protestors have accused the government of deploying illegal surveillance and even using sonic weapons to disperse crowds.

In December 2023, Amnesty International also revealed that Serbian authorities had used Cellebrite software to secretly unlock civilians’ phones. This allowed them to install a homegrown spyware tool, further expanding state surveillance capabilities.

BIRN, the journalists’ employer, has faced numerous threats, harassment, and legal actions, including Strategic Lawsuits Against Public Participation (SLAPPs) from high-ranking government officials. The organization is currently fighting four such lawsuits, including one from the mayor of Belgrade.

## Calls for Accountability and Action

The targeting of journalists and activists threatens press freedom, human rights, and democracy itself. Until concrete actions are taken to hold those responsible accountable, journalists like Bogdana and Jelena will continue to operate under the looming threat of digital surveillance.

“These findings provide further evidence that Serbian authorities are abusing highly invasive spyware products and other digital surveillance technologies to target journalists, activists, and other members of civil society,” Amnesty International stated.

As digital surveillance becomes an increasingly common tool for governments worldwide, the need for stronger legal protections and transparency around spyware use remains urgent.
Analysis Summary
# Incident Report: Targeting of Serbian Journalists with Pegasus Spyware
## Executive Summary
Investigative journalists in Serbia were targeted and infected with Pegasus spyware, indicating a politically motivated attack likely originating from state actors aiming to silence critical reporting. The incident involved the clandestine deployment of highly invasive surveillance technology against members of civil society. The primary outcome is a severe threat to press freedom, requiring immediate calls for international accountability and stronger digital protection measures.
## Incident Details
- **Discovery Date:** Not explicitly stated, but the reporting surfaces around March 28, 2025, referencing prior activities up to December 2023.
- **Incident Date:** The specific infection dates are not given, but the context implies ongoing surveillance activity leading up to the public reporting.
- **Affected Organization:** Investigative Journalists (e.g., journalists employed by BIRN).
- **Sector:** Media/Journalism, Civil Society.
- **Geography:** Serbia (specifically mentioning Belgrade).
## Timeline of Events
### Initial Access
- **Date/Time:** Details unspecified, but implied to be recent or ongoing.
- **Vector:** Advanced spyware deployment, likely leveraging zero-click or spear-phishing techniques associated with Pegasus deployment methods against high-value targets. Context suggests state-sponsored infrastructure may have been involved.
- **Details:** The goal was the deployment of highly invasive spyware (Pegasus) onto the devices of investigative reporters. Prior activity mentioned involves the use of Cellebrite software by Serbian authorities to unlock civilian phones, suggesting a governmental capacity for advanced surveillance.
### Lateral Movement
- Not detailed, but the nature of Pegasus implies significant access to the device's functions, including microphones, cameras, and messages, effectively compromising the endpoint completely.
### Data Exfiltration/Impact
- **What was stolen or damaged:** Complete access to the target's digital life was achieved, allowing for the monitoring of communications, extraction of sensitive investigation materials, and real-time surveillance. This primarily impacts the ability of journalists to conduct their work freely and securely.
### Detection & Response
- **How it was discovered:** The information came to light through public reporting/investigation, potentially stemming from international monitoring groups (like Amnesty International referencing prior surveillance actions).
- **Response actions taken:** Amnesty International issued statements calling for accountability. The organization employing the journalists (BIRN) is engaged in fighting SLAPPs from government officials.
## Attack Methodology
- **Initial Access:** Advanced mobile exploitation (implied to be Pegasus, known for zero-click delivery, though specific mechanism unknown).
- **Persistence:** Maintained via the installed spyware framework (Pegasus).
- **Privilege Escalation:** Not detailed, but Pegasus typically achieves kernel-level access automatically upon successful compromise.
- **Defense Evasion:** Inherent to Pegasus capabilities, designed to operate covertly without user knowledge.
- **Credential Access:** Not detailed, but easily achieved via spyware monitoring.
- **Discovery:** Likely targeted reconnaissance on individuals associated with critical reporting against the government.
- **Lateral Movement:** Focus appears to have been vertical exploitation of the target device rather than network lateral movement.
- **Collection:** Comprehensive gathering of all digital data, communications, and real-time monitoring.
- **Exfiltration:** Secure channeling of collected data back to the operator.
- **Impact:** Silencing investigative reporting, chilling effect on press freedom, and violation of human rights.
## Impact Assessment
- **Financial:** Not quantified, but significant legal costs associated with fighting SLAPPs faced by the organization (BIRN).
- **Data Breach:** Highly sensitive investigative information and private communications belonging to journalists.
- **Operational:** Severe degradation of operational security and of journalists' ability to conduct confidential work without government monitoring.
- **Reputational:** Damage to the credibility and safety of the targeted journalists and media organizations; negative international perception of Serbian authorities regarding civil liberties.
## Indicators of Compromise
- *(Note: Specific IoCs for Pegasus are typically obfuscated or constantly changing. Standard practice is to rely on advanced mobile forensic analysis, which is not detailed here.)*
- **Network indicators:** *(None provided in text)*
- **File indicators:** *(None provided in text)*
- **Behavioral indicators:** Unusual battery drain, high data usage, or unexpected device behavior (typical indicators if forensics were performed).
## Response Actions
- **Containment measures:** *(Not detailed, but would involve device isolation and digital forensics engagement.)*
- **Eradication steps:** *(Likely involved wiping and rebuilding compromised devices.)*
- **Recovery actions:** Re-establishing secure communication channels and rebuilding trust/confidence among journalists.
## Lessons Learned
- The use of highly sophisticated, state-grade surveillance tools (like Pegasus) represents an extreme threat vector against journalistic integrity and democracy when deployed domestically against civil society.
- Existing legal frameworks appear insufficient to deter authorities from deploying illegal surveillance technology, as evidenced by ongoing harassment (SLAPPs).
- Previous instances of state use of surveillance technology (e.g., Cellebrite unlocking) should serve as high-priority warnings for future attacks.
## Recommendations
- Implement stringent mobile security policies for all personnel involved in sensitive investigations, including mandatory separation of personal and work devices.
- Conduct regular, proactive threat modeling focusing specifically on state-sponsored actors utilizing mobile exploitation frameworks (e.g., zero-click exploits).
- Advocate for international legal oversight and transparency regarding the acquisition and use of surveillance spyware by national governments.
- Adopt advanced security measures (like trusted execution environments) to protect sensitive source material from end-point compromise.