Spyware used against Serbian civil society ahead of snap parliamentary elections

Advanced spyware, likely Pegasus, has been used against Serbian civil society just weeks before snap parliamentary elections, human rights organisation Amnesty International confirmed on Tuesday (28 November).

“This is the first known case of spyware use in Serbia,” a spokesperson of SHARE Foundation, a Serbian digital rights group, which checked the iPhone devices of the victims, told Euractiv. 

In recent months, separate research by Amnesty International independently verified that Serbian civil society has become the target of military spyware, Pegasus. 

While it is unknown who is behind the attempt, “it is very dangerous to use such tools against civil society and social activists, as the consequences for democracy and human rights are severe,” the SHARE spokesperson added. 

In August, two civil society representatives who remained anonymous for security reasons received a notification from Apple indicating they had likely been targeted by spyware and should seek expert help.

In 2021, Apple announced it would notify users when they have been targeted by FORCEDENTRY, an exploit that breaks into Apple devices and installs the latest version of Pegasus.

The notification, seen by Euractiv, informs the iPhone owner about state-sponsored attackers related to their background. “These attacks are likely targeting you individually because of who you are or what you do.”

The civil society individuals approached the Share Foundation and their devices were then checked for spyware by Amnesty International’s Security Lab and Access Now’s Digital Security Helpline.

Test results also indicated that the attempted spyware attacks are consistent with NSO Group’s military spyware, Pegasus. However, Access Now stated they cannot confirm the type of spyware used in the failed attack.

In 2021, a consortium of investigative journalists revealed that the Israeli cyber-war company NSO sold its military spyware Pegasus to governments worldwide to track politicians, journalists and other public figures illegally.

In mid-December, Serbs will head to the polls in a snap parliamentary election to appoint a new government, although the ruling SNS party, led by President Aleksander Vučić, is set to win another mandate, amid growing criticism about the muzzling of independent media and harassment of opposition politicians.

According to the Dutch MEP Sophie in ‘t Veld, who spearheaded the work of the European Parliament’s PEGA (Pegasus and other Equivalent Spyware) inquiry committee, abuse of spyware threatens the integrity of elections.

“How can elections be fair if journalists are unable to scrutinise government and report on what the government has done well and what it has done wrong?” in ‘t Veld asked in a Parliamentary Q&A in June.

The call for action has been echoed by Access Now.

“European states should urgently get off the sidelines and curb the rapid proliferation of commercial spyware before it’s too late,” Natalia Krapiva, tech-legal counsel at Access Now, told Euractiv.

Serbia and spyware

“If it’s confirmed that Serbia is using spyware against civil society and critical voices, then it needs a lot of more work to do because invasive spyware is incompatible with EU democratic values,“ Krapiva said, referring to the remarks on spyware by the European Union’s independent data protection authority, EDPS.

According to José Javier Olivas Osuna, an LSE research associate, spyware is a double-edged sword as it is also a means of security.

“Spyware is used to fight terrorism, human and drug trafficking, fiscal evasion, foreign interference and child abuse. Spyware is illegal only if used outside a court mandate or outside a criminal investigation,” Osuna told Euractiv.

The researcher noted that countries that cannot develop their own spyware need to rely on commercial spyware such as Predator or Pegasus. He also suggested that many scandals regarding the illicit use of some of these spyware have been manufactured without solid evidence of abuse.

Spyware in the EU

Last week, the European Parliament adopted a resolution condemning the lack of follow-up to the work of the PEGA committee, the Parliament’s inquiry group set up to investigate the use of spyware.

In June, PEGA suggested legislative changes and recommendations to Hungary, Poland, Greece, Cyprus and Spain to respond to the use of spyware in Europe. However, the European Commission has not instated the corresponding enforcement measures. 

“Laws are useless if no one is policing their application. The refusal of the EU Commission to enforce EU laws and tackle the abuse and illicit exports of spyware has turned Europe into a gangsters paradise where impunity rules,” the Dutch MEP in ‘t Veld said on X.

The parliamentary committee has repeatedly asked the Commission to assess the continued use of spyware in EU countries where cases are known, but the EU executive has so far refrained from doing so, considering it to be a national issue.

The Commission and the Serbian government did not respond to Euractiv’s request for comment.

[Edited by Luca Bertuzzi/Nathalie Weatherald/Alice Tayor]

Read more with EURACTIV