by Jochen Dreier
An email from Apple ripped politician Davit Khazhakyan from his everyday life in May 2021 with a chilling warning: “Alert: State-sponsored hackers may be targeting your iPhone.” The notification proved accurate—Khazhakyan had been targeted by Pegasus spyware.
Though small in size, Armenia draws the attention of many major and regional powers. The country’s civil society has repeatedly suffered Pegasus attacks in recent years, with the spyware identified on the smartphones of journalists, activists and political figures. While proven in a few dozen cases, it is believed that thousands of people may have been targeted.
Pegasus is spyware from the Israeli company NSO Group. The manufacturer advertises the software as a tool that can be used to combat terrorism and protect children from sexual abuse. According to the company, the software is sold exclusively to governments, enabling them to fight crime. That is the claim, at least so far.
Full control over the phone
Artur Papyan, once a journalist, is now a cybersecurity consultant and co-founder of CyberHUB-AM, an NGO that helps journalists and other members of civil society to defend against and uncover cyberattacks. When describing the capabilities of Pegasus, Papyan is both impressed by the software’s technical finesse and deeply concerned about its invasive nature.
“You can activate the microphone and camera, turn them off, upload live recordings, download them. So you have full control of the phone from a desktop interface, using specific menu items. Literally, anything you can do when physically using your phone, the operators would be able to do remotely through this controlled interface.”
The perfidious and, unfortunately, ingenious thing about Pegasus is that the spyware is not installed in the operating system, but instead hides in RAM. From there, it hacks into the main applications. Pegasus remains virtually invisible; without a deeper technical analysis of devices, victims have no chance of detecting the attack.
Invisible and ingenious
Such an analysis typically happens when users receive an Apple threat notification, as was the case with Davit Khazhakyan. Apple stores a lot of log files and backs them up in the cloud. These diagnostic files reveal certain technical processes on the devices, and sometimes something conspicuous can be spotted in them, requiring a deeper analysis.
Most documented Pegasus cases involve Apple devices. However, this does not mean that they are less secure; rather, Android phones store fewer diagnostic files, making infections nearly impossible to detect.
Davit Khazhakyan, who is now the deputy chairman of the Bright Armenia Party (a party from the liberal spectrum), organized the 2021 election campaign for the upcoming parliamentary elections. Almost a year later, he received the warning from Apple.
Through Artur Papyan’s CyberHUB and his own skills as a trained programmer, he used an analysis tool to examine the diagnostic data of his phone. “I was able to see when the hack had occurred and all the following actions. They had accessed my Messenger, Facebook, Signal, Telegram – everything. At that moment I realized that with Pegasus no application is safe; whatever you can do with your phone, they can do with Pegasus.”
Anyone could be a target
To this day, Davit Khazhakyan does not know who attacked him. It could have been Azerbaijan or even his own government, he suspects. It can only be assumed that through him the attackers likely wanted to get access to higher positions within his party. As the campaign manager, he had connections with everyone. This is also a typical approach, explains expert Artur Papyan. “When Pegasus targets an important politician, it also goes after anyone within this politician’s immediate circle. Armenia’s Prime Minister has confirmed at a press conference that he received threat notifications from Apple, as did his wife and his daughters.”
The discovery of Pegasus on his phone was an eye-opener for politician Davit Khazhakyan. He realized he could no longer trust his devices. At that time, he had only one phone for both private and professional matters; today he separates them.
No personal information on your most personal device
These are just some of the measures he takes to protect not only his political activities, but also his privacy. His smartphones are restarted every day; as Pegasus hides in the RAM, it will be deleted through a restart, and the device will have to be re-infected afterwards. He also avoids taking any devices into rooms where important conversations take place. And above all, he regularly deletes everything, he explains.
“I delete all my chats within one day, because you never know when you will be hacked. At least that way, they can only access a single day’s data. So I don’t keep anything on my phone—no personal photos or anything that I could consider a threat if someone tries to expose it. My main messengers are Telegram and Signal, but again, I’m sure that encryption isn’t a guarantee of safety. The only real defense is removing data and making sure they have as little information as possible.”
All victims, including Davit Khazhakyan, are left with the uncomfortable feeling that the smart devices we rely on daily are no longer safe. The psychological impact also runs deep, as it is virtually impossible to identify who is behind it. As a result, the perpetrators are never held accountable, and the stolen data stays in the hands of the attackers.
No evidence, no accountability
Cyberattacks are often extremely hard to trace, with only indications and probabilities to rely on. In Armenia’s case, an attack from Azerbaijan therefore seems likely, but there is no hard proof.
Armenia has been in a warlike conflict with its neighbor, Azerbaijan, for over 30 years—a struggle that began when both were Soviet republics. In the early 1920s, Stalin placed the Nagorno-Karabakh region under the control of the Soviet Republic of Azerbaijan, despite the fact that its population was predominantly Armenian. Stalin’s decision, however, was motivated by the desire to gain Azerbaijan’s favor, as the republic was rich in oil and gas.
After the collapse of the Soviet Union, a war broke out over Nagorno-Karabakh in 1991, with Armenia seeking to reclaim the region. The result was three years of intense fighting that led to tens of thousands of deaths and the self-proclaimed independence of the Republic of Nagorno-Karabakh, which was not recognized by any country, including Armenia. The situation remained relatively calm until September 2020, when Azerbaijan launched a new military offensive. With heavy losses on the Nagorno-Karabakh side, Russia brokered a ceasefire between Azerbaijan and Armenia, deploying its peacekeeping contingent in the region.
In September 2023, however, Azerbaijan violated the ceasefire, initiating a large-scale military attack and forcing the Karabakh Armenian self-defense army to surrender within just one day. The Russian peacekeeping troops did not intervene, a move Armenians view as betrayal, particularly since it then led to a mass exodus of all Armenians from the region.
The majority of Pegasus attacks in Armenia took place during the period of the last two wars. And Azerbaijan’s possession of Pegasus is at least well-documented, since the country’s authoritarian regime has also used the spyware against its own citizens and opposition figures. Reports from organizations like the Organized Crime and Corruption Reporting Project (OCCRP) and Citizen Lab, a Canadian NGO, confirm the presence of Pegasus operators in Azerbaijan.
In light of this, it is reasonable to suspect that Azerbaijan is using Pegasus against Armenia to gain political and military benefits. If confirmed, this would also be the first recorded use of Pegasus in an interstate war.
Cooperation and dependencies with an autocratic state
The Israeli NSO Group, the manufacturer of Pegasus, avoids confirming whether they sold the spyware to Azerbaijan and does not publish customer lists. While they claim to ensure their software is not used illegally, various cases in countries such as Mexico, Poland and Hungary show the opposite, with journalists among the targets.
In this context, it is also important to consider the relationship between Israel and Azerbaijan. Israel, in fact, is Azerbaijan’s largest arms supplier, with Israeli drones having played a crucial role in recent wars over Nagorno-Karabakh. Azerbaijan, on the other hand, is Israel’s largest hydrocarbon supplier, creating strong cooperation and mutual dependence that shape their close ties.
Meanwhile, Europe abandoned Russian energy resources in response to Russia’s full-scale invasion of Ukraine in 2022 and began searching for alternative partners. In the same year, Azerbaijan concluded a gas deal with the EU, committing to supply up to 18 percent of the EU’s annual gas demand from 2027. Could this be a reason why Brussels remained relatively quiet after Azerbaijan’s attack in 2023?
This article was published within the framework of the “Correspondents in Conflict” Project, implemented by Yerevan Press Club and Deutsche Gesellschaft e. V. The Project is funded by the German Federal Foreign Office within the “Eastern Partnership Program”. The contents of this article are the sole responsibility of the implementing partners and can in no way be taken to reflect the views of the Federal Foreign Office. #civilsocietycooperation
Jochen Dreier studied history and audio journalism and he has been working as a journalist and podcast producer for several years now. His work focuses on topics about disinformation, information wars and geo- and security politics for media outlets like Deutschlandradio, ZDF and bpb.