Full Report
Two investigative journalists in Serbia were targeted with advanced commercial spyware last month, Amnesty International said Thursday.
Analysis Summary
# Incident Report: Pegasus Spyware Targeting Serbian Journalists
## Executive Summary
Two investigative journalists working for the Balkan Investigative Reporting Network (BIRN) in Serbia were targeted last month with NSO Group’s Pegasus spyware. The attack used a one-click exploit delivered through Viber messages sent from a number linked to a state telecommunications operator. Amnesty International’s Security Lab confirmed the deployment, raising concerns about state-sponsored surveillance of civil society.
## Incident Details
- Discovery Date: Last month relative to the report's publication (the summary implies shortly before March 2025)
- Incident Date: Last month
- Affected Organization: Balkan Investigative Reporting Network (BIRN) journalists
- Sector: Media/Journalism, Civil Society
- Geography: Serbia
## Timeline of Events
### Initial Access
- Date/Time: Last month
- Vector: Spear-phishing via Viber message carrying a malicious link (one-click attack)
- Details: Journalists received unusual messages on the Viber messaging app from an unknown number linked to a state-telecommunications operator. The messages contained hyperlinks, one appearing as a link to a news article associated with a story the reporter was covering regarding a state-linked corruption case.
### Lateral Movement
- Not applicable as reported: Pegasus targets the individual handset, and the summary describes no movement from the compromised phones to other systems. A successful deployment implies full device compromise rather than network-level spread.
### Data Exfiltration/Impact
- The impact stems from the deployment of Pegasus spyware, which typically allows for comprehensive access to device data, communications, and tracking capabilities. The specific data exfiltrated is not detailed, but the implied impact is severe surveillance.
### Detection & Response
- Detection: Journalists brought their phones to the Amnesty International Security Lab for analysis.
- Response actions taken: Amnesty International Security Lab confirmed the deployment of Pegasus spyware.
## Attack Methodology
- Initial Access: One-click exploit delivered via a Viber message containing a malicious link.
- Persistence: Pegasus maintains persistence on the device post-exploitation.
- Privilege Escalation: Part of the exploit chain rather than a separate phase; once the link-delivered exploit succeeds, the spyware runs with the highest privileges on the device. The specific chain was not disclosed.
- Defense Evasion: Pegasus is built to leave minimal user-visible traces; confirmation typically depends on forensic examination of device backups and system logs rather than on symptoms noticed by the victim.
- Credential Access: Not explicitly stated, but capability exists via spyware.
- Discovery: Not explicitly stated, but context suggests targeting was related to professional work (corruption reporting, contact with sources).
- Lateral Movement: Not detailed in the initial infection phase.
- Collection: Comprehensive data collection capabilities inherent to Pegasus.
- Exfiltration: Data exfiltration capabilities inherent to Pegasus.
- Impact: Complete compromise and surveillance of the targeted mobile devices.
## Impact Assessment
- Financial: Not disclosed.
- Data Breach: Implied compromise of sensitive journalistic materials, source communications, and personal data through device monitoring.
- Operational: Potential chilling effect on journalistic independence and activities covering sensitive topics.
- Reputational: Damage to the reputation of any implicated state actors due to confirmed surveillance activities.
## Indicators of Compromise
- Network indicators: Hyperlinks pointing to a domain that Amnesty's Security Lab associates with high confidence with Pegasus infrastructure (specific domains defanged/withheld per policy).
- File indicators: N/A for summary purposes.
- Behavioral indicators: Receipt of unusual Viber messages containing external links from an unknown sender potentially linked to a state operator.
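The behavioral indicator above (unexpected chat messages with links from unknown senders) and the network indicator (links to a watchlisted domain) can be triaged together over a chat export. The following script is an added example, not code from the Amnesty report or from BIRN; the defanged IoC domains and the message lines are constructed for illustration (reserved `.example`/`.invalid` names, not the withheld Pegasus domains), and the `triage` function and its severity labels are this example's own conventions.

```python
"""Triage chat-export messages against a defanged domain watchlist.

Added example. The watchlist and messages below are constructed; they are
NOT the indicators from the Amnesty International report.
"""
import re
from urllib.parse import urlsplit

# Matches http(s) URLs in free text; stops at whitespace and common delimiters.
URL_RE = re.compile(r"https?://[^\s<>\"'()\[\]]+", re.IGNORECASE)

# Constructed watchlist, written the way a CTI feed usually ships it (defanged).
DEFANGED_IOCS = [
    "hxxps://news-update[.]example/",   # full URL form
    "shared-article[.]invalid",        # bare domain form
]

# Constructed chat export: (sender, sender_is_known_contact, message_text).
SAMPLE_MESSAGES = [
    ("+381 60 000 0001", False,
     "Did you see this on the tender story? https://m.news-update.example/article/48112"),
    ("Editor", True, "Draft is here: https://docs.example.org/draft-tender"),
    ("+381 60 000 0002", False,
     "Check https://shared-article.invalid/view?id=9 before tomorrow"),
    ("+381 60 000 0003", False,
     "Hi, is this the BIRN number? https://unrelated.example.net/contact"),
    ("Colleague", True, "lunch at 1?"),
]


def refang(s):
    """Undo the common defanging conventions used in IoC feeds."""
    return (s.replace("hxxp", "http").replace("hXXp", "http")
             .replace("[.]", ".").replace("(.)", ".").replace("[:]", ":"))


def ioc_host(entry):
    """Normalise one watchlist entry (URL or bare domain) to a lowercase hostname."""
    s = refang(entry.strip())
    host = urlsplit(s).hostname if "://" in s else s.split("/")[0]
    return host.lower().rstrip(".")


def host_matches(host, ioc):
    """Exact match or any subdomain of the watchlisted domain (label-aware)."""
    return host == ioc or host.endswith("." + ioc)


def extract_hosts(text):
    """Return lowercase hostnames of every URL found in a message."""
    hosts = []
    for url in URL_RE.findall(text):
        host = urlsplit(url.rstrip(".,;!?")).hostname
        if host:
            hosts.append(host.lower().rstrip("."))
    return hosts


def triage(messages, defanged_iocs):
    """Classify messages: 'high' on a watchlist hit, 'medium' for a link from an
    unknown sender with no hit. Returns (index, severity, sender, hosts)."""
    iocs = [ioc_host(e) for e in defanged_iocs]
    findings = []
    for idx, (sender, known, text) in enumerate(messages):
        hosts = extract_hosts(text)
        hits = sorted({h for h in hosts for i in iocs if host_matches(h, i)})
        if hits:
            findings.append((idx, "high", sender, hits))
        elif hosts and not known:
            findings.append((idx, "medium", sender, sorted(set(hosts))))
    return findings


if __name__ == "__main__":
    for idx, severity, sender, hosts in triage(SAMPLE_MESSAGES, DEFANGED_IOCS):
        print(f"[{severity:6}] msg #{idx} from {sender}: {', '.join(hosts)}")
```

Subdomain matching matters because a watchlisted domain is rarely delivered bare: the message will typically link to a host under it. The suffix check is label-aware (`"." + ioc`) so a look-alike such as `fakenews-update.example` does not match `news-update.example`. A "medium" finding is a prompt for a forensic check, not evidence of compromise.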
## Response Actions
- Containment measures: The journalists handed their devices to the Amnesty International Security Lab for forensic analysis; the summary does not describe any interim isolation of the phones.
- Eradication steps: Not detailed in the summary. In practice this means taking the affected handset out of service for sensitive work and replacing or fully resetting it, since spyware of this class cannot be assumed removed by an app uninstall or routine update.
- Recovery actions: Unknown whether BIRN took organizational remediation steps (source re-contact, credential rotation, device replacement) beyond the forensic analysis of the phones.
## Lessons Learned
- Sophisticated nation-state level tooling (Pegasus) continues to be deployed against journalists and civil society members in Serbia.
- Attackers are leveraging social engineering tactics tailored to the victim’s professional context (e.g., linking to ongoing corruption stories).
- This incident is part of a pattern in Serbia, indicating consistent targeting methodology.
## Recommendations
- Implement rigorous security training for journalists regarding unexpected messages, especially links that appear to relate to an ongoing sensitive investigation; verify such links out of band with the purported sender before opening them.
- Conduct regular, specialized forensic analysis for high-risk targets, for example through organizations like the Amnesty Security Lab, whose open-source Mobile Verification Toolkit (MVT) supports consent-based checks of iOS and Android backups against published indicators.
- Harden devices used for sensitive work: keep the operating system fully updated and enable platform features such as iOS Lockdown Mode, which reduces the attack surface exploited by link-delivered spyware.
- Avoid conducting sensitive exchanges over channels on which unsolicited contact from unknown numbers is routine, such as Viber in this case, until the device's security posture has been confirmed.