We confirm that two members of Serbian civil society were targeted by spyware earlier this year. Both have publicly criticized the Serbian government. We are not naming the individuals at this time at their request. The Citizen Lab's technical analysis of forensic artifacts was conducted in support of a study led by Access Now in collaboration with the SHARE Foundation. Researchers from Amnesty International have independently analyzed the cases and their conclusions are consistent with our findings. Click here to read the full post on Access Now. Device Analysis Our analysis of forensic artifacts confirms that on or around August 16, 2023, attackers attempted to exploit and infect the devices of these unnamed individuals by leveraging the iPhone's HomeKit functionality. The attacks occurred within about a minute of each other and the HomeKit vector matches several exploits used by NSO Group's Pegasus spyware. However, given the limited indicators available in this case, we cannot confirm which specific spyware was used in this attack. Mercenary Surveillance Technology and Concerns About Russian Influence in Serbia Ten years of Citizen Lab research has shown that Serbia is a regular user of mercenary spyware and other troubling surveillance technologies. Some of our previous findings have identified the Serbian Security Information Agency (BIA) as the suspected operator. The BIA engages in secret data collection and the control center that oversees it is located at the BIA headquarters. The most recent director of the BIA (until his resignation in November 2023) was Aleksandar Vulin. In July 2023, the US Treasury Department placed BIA head Vulin on a sanctions list for his support of Moscow. Specifically, the designation was based on the fact that Vulin “used his political positions to build public support for Russia's malign activities while promoting ethno-nationalist narratives that fuel instability in Serbia and the region.” The US also alleges that Vulin “has maintained a mutually beneficial relationship” with a US-sanctioned Serbian arms dealer. While we are not naming a suspected operator or spyware used in the August 2023 targeting at this time, we note that Vulin headed the BIA during this period. Predator Mercenary Spyware In 2021, we conducted internet scans for Predator spyware servers and found a likely Predator customer in Serbia. An independent follow-up study by Google's Threat Analysis Group confirmed these findings. Geolocation and Interception of Circles Using internet scans, we found a unique signature in 2020 associated with firewalls used in the implementation of Circles technology. Circles is a provider of global geolocation and interception services. This scan allowed us to identify Circles deployments in at least 25 countries, one of which was operated by the Serbian BIA. Cyberbit Mercenary Spyware A report we published in 2017 found that Cyberbit spyware was used by Ethiopia to mount a global espionage campaign against dissidents. During that investigation, we found evidence that Cyberbit was marketing its spyware to Serbia. Finfisher Mercenary Spyware Previous research from the Citizen Lab revealed that Finfisher spyware was used by the Serbian BIA. In 2013, we discovered a Serbian customer as part of an investigation into the widespread use of the Finfisher spyware worldwide. Acknowledgments We are grateful to the targets of this attack for their gracious permission to analyze forensic artifacts from their devices. Without their willingness to be analyzed and have their cases discussed, rent mirror investigations would be infinitely more difficult and accountability would be elusive. We also thank Access Now and the SHARE Foundation for their cooperation, and Amnesty International's Security Lab for their independent forensic analysis of this case. Special thanks to Snigdha Basu and Adam Senft for editing support, feedback and review.