Two civil society activists in Serbia have been targeted by what are believed to be state-sponsored technical attacks, NGOs Access Now and the SHARE Foundation announced on November 28. 

The two activists, who have not been named, were reportedly critics of Serbia’s government. The attacks took place during the summer, when the authorities faced a series of mass protests under the ‘Serbia against violence’ banner. 

“Both targeted civil society members have been openly critical of Serbia’s government, which has a track record of deploying spyware and other digital surveillance tools,” a statement from Access Now said. 

The two individuals were notified by Apple of their potential exposure to the attacks on October 30, and reached out to Serbian digital rights NGO the SHARE Foundation seeking an assessment of the allegations and a determination of whether their devices had been subjected to known spyware attacks.

After Apple representatives confirmed the authenticity of the alerts, the SHARE Foundation team, in collaboration with Internews, conducted a thorough analysis of the mobile devices to identify traces of spyware infection, including well-known variants such as Pegasus and Predator. To corroborate the diagnostic and analytic data obtained, as well as secure encrypted backups of crucial device data, the SHARE Foundation engaged with international organisations Access Now and Amnesty International, known for their expertise in digital forensics.

Following a comprehensive review of the data, both organisations independently confirmed the presence of traces from a failed attack attempt that occurred on August 16, on both mobile devices. Their analysis converged on the initial phase of the attack, which targeted a device vulnerability known as ‘PWNYOURHOME’, previously associated with the Pegasus spyware, the SHARE Foundation said. This vulnerability has since been addressed through patches.

“The SHARE Foundation warns that spyware attacks on representatives of the critical public have a disastrous impact on democracy and human rights, especially in the pre-election period. The use of spyware is illegal and incompatible with democratic values,” the organisation said. 

“We remind the public that these and similar tools for technical attacks on mobile devices are used by non-democratic regimes around the world to spy on members of the opposition, civil society, independent media, dissidents and other actors working in the public interest. Such activities threaten the freedom of expression and association, as well as the right to privacy and secrecy of communication guaranteed by domestic and international law.” 

Access Now pointed out that the Citizen Lab had previously identified the Serbian Information Security Agency (BIA) as a user of FinFisher's spyware in 2014 and, in 2020, as a user of Circles' tools for mobile phone geolocation and call interception. Leaked emails from 2012 revealed that the BIA had received a demonstration of Hacking Team's RCS spyware. 

The head of the BIA, Aleksandar Vulin, recently resigned. A prominent pro-Russian figure within the Serbian establishment, Vulin was placed on the United States Treasury’s sanctions list because of his support for Moscow earlier this year. 

In the past year, both Citizen Lab and Google's Threat Analysis Group (TAG) also pointed to the Serbian government as a probable operator of Cytrox's Predator spyware. Furthermore, Citizen Lab's research suggests that Serbia has been using Pegasus spyware since at least December 2021.

Serbia is due to hold a snap general election in December. The campaign ahead of the election is “highly polarised” with an “unprecedented level of negative campaigning and fearmongering”, a report from the Parliamentary Assembly of the Council of Europe (PACE) warned on November 27. 

A PACE observer team expressed concern about unprecedented levels of negative campaigning, fearmongering, attacks on the opposition and journalists, and media-related issues. The team criticised inflammatory rhetoric, hate speech, and pressure on opposition members and journalists, stressing the need for fact-based information for voters.