This report was prepared by Internews’ Internet Freedom & Resilience team under a stream of work that strengthens civil society organizations, journalists, and other human rights defenders’ ability to detect, analyze, and build resilience to digital attacks through localized expertise in threat analysis and incident response.

It is intended to provide an overview of the digital threats faced by civil society and media organizations in Armenia and provide guidance for digital safety experts supporting this community.

This report was written in close collaboration with CyberHub-AM, a Computer Emergency Response Team (CERT) for Armenian civil society, including NGOs, Human Rights Defenders, Activists, journalists, and independent media. They serve as a contact point and help desk for the above-mentioned groups in Armenia and collect, analyze, and anonymously and responsibly share incident data and indicators with the global threat intelligence community where appropriate.

The Armenian legislation quite clearly defines the surveillance of phone and electronic communication. Only a few structures, including the RA National Security Service, the Police, and the Anti-Corruption Committee, have extensive wiretapping capabilities.

On the other hand, there are no clear-cut mechanisms that would allow to make this sector transparent and accountable to the public.

The latest developments suggest that things are changing in the country, and apart from the traditional wiretapping of phones, more sophisticated, digital tools are emerging, making the control over citizens deeper and more comprehensive. This, in turn, raises concerns on whether these tools will be used within the law, in line with the requirements of democracy and civil liberties.

Legislative and institutional regulations

The main legislative regulation is carried out within the framework of the law ON OPERATIONAL INTELLIGENCE ACTIVITIES, which was adopted in 2007 and has been revised and supplemented several times since then[i].

The law determines the state bodies that have the right to monitor phone communication. According to Article 14 of the Law (Types of operational intelligence measures), these are the Police, National Security Bodies, and the Anti-Corruption Committee. Apart from that, the bodies of the penitentiary service have the right to conduct wiretapping, but only in the premises of the penitentiary institutions of the RA Ministry of Justice.

It should be noted that the RA Anti-Corruption Committee is a newly established structure in the law enforcement system: it was established and has been operating since October 23, 2021.

Until January 2020, the Police did not have either the opportunity to conduct wiretapping on their own. They used the capacities of the National Security Service, which made the NSS extremely influential in the field of wiretapping. Moreover, the data collected for the Police actually appeared at the disposal of the NSS as well. The RA National Assembly initiated changes in the Law “On Operational Intelligence Activity”, which turned the Police into an independent structure in this matter, creating some counterbalance to the NSS. However, during the discussions at the National Assembly it became clear that the Government had a completely different approach to this issue – to create a separate independent organization and transfer the right of wiretapping to it[ii].

According to Article 26 of the Law, digital, including telephone communication surveillance embraces the following:

1. in the case of a fixed or mobile telephone network the content of telephone conversation, text, image, audio, video and other messages, the subscriber’s incoming and outgoing calls, the telephone numbers indirectly related to the subscriber, the time of starting and ending the telephone communication, and in case of call forwarding or transferring, the phone number to which the call was transferred;

2. in the case of Internet communication, including telephone communication via Internet and electronic messages transferred via Internet, the content of the communication, incoming and outgoing calls via Internet (each data in such a form that allows or may allow to identify the communicator);

3. when implementing the operational intelligence measures envisaged by this Article, the telecommunication organizations are obliged, upon the request of competent authorities, to provide technical facilities and create other conditions necessary for the conduct of operational intelligence measures.

According to Article 9 of the Law, the implementation of digital, including operational intelligence measure of wiretapping is ensured only by the general operational technical department functioning within the system of the Republican National Security Body of the Republic of Armenia. That body is directly managed by the head of the NSS. And the head of the General Department is appointed and dismissed from the position by the Prime Minister.

The General Department ensures the necessary operational and technical conditions for telecommunication operator.

The surveillance of digital and telephone communication by the police, penitentiary service or the Anti-Corruption Committee is carried out by creating operational and technical conditions, including the provision of channels and resources by the General Department. At the same time, the law requires that the National Security Service excludes the supervision and corroboration of these data, information and reports, if the wiretapping party is not the NSS itself.

Wiretapping can be carried out only in cases where there are apparent grounds to suspect that the person to whom they are to be applied has committed a serious or particularly serious crime, and it is reasonably impossible for the body conducting the operational intelligence measure as assigned by the Law to obtain the necessary information in any other way.

It is noteworthy that the collection of such data is prohibited when the targeted person is communicating with his/her lawyer, representative or legal representative. If such data are obtained for any independent reason, then the information containing legal secret is subject to immediate destruction.

Article 32 of the Law states that wiretapping is carried out on the basis of a court decision. In cases when delay in implementing an operational intelligence measure such as digital, phone communication surveillance,  may result in an act of terrorism or in events or actions threatening the state, military or environmental security of the Republic of Armenia, the General Department ensures the implementation of these measures. However, the body that applies to the General Department must within 48 hours submit to the General Department the excerpt of the decision of the court on permitting or denying permission to undertake those measures.

Article 39 reads that the term for the decision to conduct an operational intelligence measure is calculated starting from the day of its adoption and cannot exceed 2 months. The decision period may be extended. Moreover, each court’s permission can be given for a period not exceeding two months. And the overall term cannot last more than 12 months.

The developments in Armenia

In recent years, along with the increase in the possibilities of digital surveillance, there has also been an increase in cases that may be considered as abuses of law.

In 2020, under the circumstances of the COVID-19 pandemic, the RA government made several attempts to oversee people’s social connections and movement through phones.

On March 31, 2020, the RA National Assembly adopted the proposal to amend the draft laws “On the Legal Regime of the State of Emergency” and “On Electronic Communications.”[iii] According to those amendments, the Government was awarded the right to receive from all mobile operators, collect and process in one place information on all the residents of the country, namely the metadata of phone calls and short messages and the location data collected by mobile operators. Based on those data, a system was created that was supposed to identify the possible circle of people infected with coronavirus. The NSS was appointed as the coordinator of the project, and the technical implementer was an undisclosed private company. On September 25, when the state of emergency was lifted, all collected data were destroyed in the presence of the mobile operators’ representatives.[iv]

A number of issues, however, lacked transparency:

a. No public oversight mechanism was created. No guarantee was given that the system had not been used for other purposes, such as identifying specific people and their connections.

b. It remained unclear who created the system.

c. According to the law, the data collected by the system were to be destroyed at the end of the state of emergency. Since there was no independent supervision over the system, there is no guarantee that the data were indeed fully destroyed, and moreover that the system is any longer functioning.

On November 24, 2021, several dozen people in Armenia received emails from Apple, which alerted that they had been allegedly attacked by a state-sponsored hacking group. CyberHUB-AM is aware of more than twenty such cases in Armenia. This was global in nature: the alert disseminated by Apple did not refer only to Armenia. It is worth reminding that a few hours before receiving the emails, Apple had announced that it was suing the Israeli NSO Group, which creates and sells spyware to government agencies for intelligence operations. The program’s name is Pegasus, and most probably the email was addressed to the potential victims of this program.

Some announced publicly that they had received similar emails. Artur Vanetsyan, former head of the National Security Service, currently one of the leaders of “With Honor” opposition parliamentary bloc, was one of them[v]. The other one was Davit Sanasaryan[vi]. Later, lawyer Anna Karapetyan informed about a similar thing[vii]. The Minister of High-Tech Industry Vahagn Khachatryan (currently the President of Armenia) also told journalists about receiving an email from Apple[viii]. According to cyber security expert Ruben Muradyan, he had discovered Pegasus on Vanetsyan’s and his relatives’ phones 2 months earlier[ix]. It should be noted that before that Armenia had never appeared on the list of countries that use Pegasus at the state level. There is also an assumption that it was used by the special services of a third country. Given the list of possible infected users and the fact that everyone received the email with an alert at the same time, it can be assumed that Apple could have included several waves of attacks in one phase of warning campaign. It is quite possible that we are dealing with several cases where the infections, for example, could be conditioned by external and internal political reasons, since all the users infected with the spyware could hardly be of interest to one party that carried out an attack.

If in the case of Pegasus there were doubts that some of those who received notifications could be a target of a domestic attack, but there were no real clues, the situation changed at the end of the year. On December 16, 2021, for the first time, Armenia as a state directly appeared on the list of countries that use spyware to infect and spy on people’s phones within the country. This was discovered by Facebook[x] and CitizenLab[xi]. The target were politicians and people related to media. Spyware for Android and iPhones produced by Macedonian company Cytrox was used. The virus was disseminated through fake links mimicking real websites, for example, youtu-be[.]net. There were also cases of infection attempts through SMS and messages sent via messengers. Later, Google, referring to this topic, clearly stated that, in their view, this had been carried out by the state structures of the Republic of Armenia: “Consistent with findings from CitizenLab, we assess likely government-backed actors purchasing these exploits are operating (at least) in Egypt, Armenia, Greece, Madagascar, Côte d’Ivoire, Serbia, Spain and Indonesia.”[xii]

Of course, there is no clear evidence on the use of Pegasus by Armenian state structures. The beneficiary of the use of Predator is not clearly known either. On the other hand, according to Point 3 of Article 7 of the Law “On Operational Intelligence Activity”:

“The use of special technical and other means envisaged (developed, planned, adjusted) for obtaining confidential information and implementation of operational intelligence measures by state authorities, subdivisions or natural and legal persons not authorized under this Law shall be prohibited.” This implies that there has been published a report on a crime, on the basis of which a criminal case should have been initiated. Nevertheless, the Police or NSS have not disseminated such information.

It turns out that one of the major problems today is the lack of any mechanism of public oversight in this field. There is no possibility to oversee the activities of power structures, as all the work is basically a state secret. According to the Law ON OPERATIONAL AND INTELLIGENCE ACTIVITIES, during the entire implementation period of operational intelligence measures the information with regard to forces, means and resources, methods, plans, results of those measures, financing thereof, as well as secret staff members of bodies carrying out operational intelligence activity, including persons cooperating or having cooperated, on a confidential basis, is deemed to be a state secret. And Armenia, in fact, has no efficient public oversight mechanisms that would allow to make accountable those structures that operate under the umbrella of state secrecy. Thus, civil society has no toolkit to monitor the situation or influence it.

[i] https://www.arlis.am/documentView.aspx?docid=128809

[ii] The police have been allowed to tap phone conversations, https://www.irazek.am/hy/news/14110

[iii] Armenia: Parliament Passes Bills to Access Mobile Phone Data to Identify Covid-19 “Contact Circles”, https://hetq.am/en/article/115353

[iv] “Statement on destruction of information and storage devices [in Armenian],” Government of Armenia, September 25, 2020, https://www.gov.am/u_files/file/Haytararutyunner/Ardzanagrutyun.pdf

[v] Artur Vanetsyan’s post – https://www.facebook.com/avav111/posts/4128774197228456

[vi] Davit Sanasaryan’s post – https://www.facebook.com/sanasaryan/posts/10226843862500815

[vii] Anna Karapetyan’s post – https://www.facebook.com/anna.karapetyan.1238/posts/4762248813827737

[viii] The video of Vahagn Khachatryan’s statement – https://www.facebook.com/Yerkirmedia/videos/1328478160938430/

[ix] Ruben Muradyan’s post – https://www.facebook.com/ruben.muradyan/posts/4521469627973414

[x] Threat Report on the Surveillance-for-Hire Industry, December, 2021, https://about.fb.com/wp-content/uploads/2021/12/Threat-Report-on-the-Surveillance-for-Hire-Industry.pdf

[xi] Pegasus vs. Predator, 16 December, 2021, https://citizenlab.ca/2021/12/pegasus-vs-predator-dissidents-doubly-infected-iphone-reveals-cytrox-mercenary-spyware/

[xii] Protecting Android users from 0-Day attacks, May 19, 2022, https://blog.google/threat-analysis-group/protecting-android-users-from-0-day-attacks/

The level of Internet freedom in Armenia in 2020-2021 was seriously affected by three factors. The first is the constant and tough political confrontation between the current government under the leadership of Nikol Pashinyan, who ascended to power as a result of the 2018 revolution, and various political forces directly or indirectly associated with the ruling elites of past years. The second is the processes closely related to COVID-19. And the third factor is the second Karabakh war, whose active phase was in September-November 2020, while the conflict continues to smolder to this day, having an impact on the Internet environment as well.

Hacker attacks

Hacker attacks against Armenian Internet resources are a permanent phenomenon. Due to the ongoing tensions around Karabakh, for more than two decades Armenian and Azerbaijani hackers have been constantly competing in hacking the websites of the opposite side. Attacks on websites are routine and basically almost regular, with increased waves of attacks on special calendar days. Between March and November 2021, only the Azerbaijani hacker group Azerbaijan Cyber ​​Army reported around 70 hacked Armenian sites[i].

Hacker attacks also tend to intensify during escalations on the line of contact between the Armenian and Azerbaijani troops. During such an escalation of the situation on the line of contact in the south of Armenia, for example, massive attacks on news websites also began. Armtimes.com, previously edited by the incumbent Prime Minister of Armenia Nikol Pashinyan, announced to have been hacked on November 16, at the moment of the start of active hostilities on the border[ii]. Added to that, cybersecurity experts started reporting serious DDoS attacks on news sites, which also began immediately after the border escalation[iii].

State-sponsored hacking groups

Armenian journalists, activists, public and government organizations are increasingly being targeted by state-sponsored hacking groups. As noted above, Azerbaijani hacker groups constantly attack Armenian targets. In the case of Azerbaijan, it is even difficult to distinguish between patriotic groups and those that are directly under state control or are groups immediately in the civil service.

However, within the last few years there has been an increase in extremely complex, comprehensive attacks on Armenian targets, which are carried out by various hacker groups, most likely associated with other states.

Thus, on July 14, 2021, Google’s Threat Analysis Group announced that they had discovered three zero-day vulnerabilities that were used to attack browser users[iv]. Targeted attacks were carried out on users in Armenia. The attackers used domains mimicking the most popular Armenian news websites. Only first-level domains were replaced. The following fake websites were used: lragir[.]org, armradio[.]org, asbares[.]com, armtimes[.]net, armlur[.]org, armenpress[.]org, hraparak[.]org, armtimes[.]org, hetq[.]org. Links to the infected websites were sent to targets by e-mail. At Google they believe that state-sponsored hacking groups participated in the attacks on targets in Armenia.

In parallel, Microsoft also announced about uncovering an attack at the level of zero-day vulnerabilities. And the list of targets also included victims from Armenia[v]. An investigation into the matter by Citizen Lab revealed that the attacks were carried out through the use of a malware developed by Israeli company Candiru. This time Armenian targets received a link to a fake website mimicking Armenpress state news agency. The address of the infected website again represented a complete analogue of the real website with a replaced first-level domain: armenpress[.]net[vi].

On November 24, 2021, a number of users received an alert from Apple that they were victims of an attack by a state-sponsored hacking group. According to CyberHUB-AM group, there are more than ten known cases, although the real number may be higher. Among the potential victims of the attack, which is most likely related to the Pegasus mobile phone malware, there are both pro-government and opposition figures. Artur Vanetsyan, former head of the National Security Service, now the head of “With Honor” opposition parliamentary bloc, openly declared to have received such an email[vii].

Later, well-known cybersecurity expert Ruben Muradyan, referring to the post of Artur Vanetsyan, announced that he had discovered the popular mobile malware Pegasus on Vanetsyan’s phone two months before he received the email[viii].

And already at the end of the year, a particularly significant event took place: Armenia for the first time appeared on the list of countries that benefit from hacker services at the state level. On December 16, Facebook[ix], Citizen Lab[x] reported on the discovery of the activities of Cytrox, a company that, by the order of government agencies in a number of countries, carried out surveillance of various targets using Predator spyware. And the report lists Armenia as a client of the company, separately highlighting that journalists and politicians were among the targets of surveillance.

Content restrictions

The main content restrictions for journalists and social media users were in place in 2020. A state of emergency was initially declared in Armenia due to the COVID-19 pandemic in March 2020, which led to restrictions in the press. During 2020, dozens of online media and users were forced to delete publications or were fined[xi]. However, martial law, declared in the country with the start of the Karabakh war on September 27, 2020, was not lifted after the signing of the ceasefire agreement. Only on March 24, 2021 did the National Assembly lift martial law. Despite the fact that already in the post-war period censorship ended, nevertheless, a number of websites continued to face restrictions. During the war, websites belonging to the domain zone of Azerbaijan and Turkey were blocked in Armenia, and TikTok was also blocked for several weeks. At the same time, there was no official announcement on the blocking of sites. In the post-war period, many users were complaining about the inaccessibility of Azerbaijani and Turkish news portals, and some had also problems with TikTok. Armenian providers continued having problems with the accessibility of websites until March-April 2021[xii]. It is also noteworthy that the absence of any serious reaction by civil society towards the fact of blocking is a major concern. It should also be noted that in Armenia there are no traditions for blocking websites.

Persecutions of users

The authorities’ attempt to detect the administrator of the fake Facebook user “Gagik Soghomonyan” may be considered as the most serious incident. This account spreads highly negative information about government representatives, and he does so in an extremely abusive manner. On February 19, the National Security Service detained 4 persons who were suspected of running the fake account. Ex-deputy from the Republican Party of Armenia Karen Bekaryan, former chief of staff of the National Assembly Ara Saghatelyan, representative of “International Center on Development of Parliamentarism” public organization Mher Ayvazyan and citizen Aram Sargsyan[xiii] were detained. Saghatelyan was arrested for 2 months in this case. At the same time, according to the lawyer, the only evidence of his connection with the fake account was the fact of Saghatelyan’s using the same VPN service[xiv].

As a follow-up, in August 2021 the RA National Assembly adopted changes to the Criminal Code, criminalizing insults. Defamation had been decriminalized in the country as part of the fight for freedom of speech and freedom of the press back in 2010. Now, however, everything is going in the opposite direction.

“Grave insult”, that is, swearing, insulting a person in other ways, according to the new article, is punishable by a fine of 100,000 to one million AMD [about $205-2,050]. If the swearing was public or was published on the Internet, was related to the public activities of a person, then the fine will be from half a million to one million AMD [about $1,025-2,050]. And in case of a repeated insult against the same person, the punishment envisages not only a fine, which will be from one to three million AMD [about $2,050-6,150], but also imprisonment from one to three months[xv].

In general, it should be mentioned that in Armenia there have always been rarer restrictions on the Internet than “offline”. At the same time, the years 2020-2021 began to raise concerns that the situation with network freedoms is steadily deteriorating.

[i] Azerbaijan Cyber Army Telegram channel https://t.me/azcyberarmy

[ii] Facebook post of the media about a hacker attack (in Armenian) — https://www.facebook.com/armtimes/posts/2104467383034405

[iii] Warning about attacks by well-known cybersecurity expert Ruben Muradyan — https://twitter.com/RubenMuradyan/status/1460585479284346883

[iv] How we protect users from 0-day attacks, https://blog.google/threat-analysis-group/how-we-protect-users-0-day-attacks/

[v]  Protecting customers from a private-sector offensive actor using 0-day exploits and DevilsTongue malware, https://www.microsoft.com/security/blog/2021/07/15/protecting-customers-from-a-private-sector-offensive-actor-using-0-day-exploits-and-devilstongue-malware/

[vi] https://citizenlab.ca/2021/07/hooking-candiru-another-mercenary-spyware-vendor-comes-into-focus/

[vii] Artur Vanetsyan’s Facebook post (in Armenian) — https://www.facebook.com/avav111/posts/4128774197228456

[viii] Ruben Muradyan’s post https://www.facebook.com/ruben.muradyan/posts/4521469627973414

[ix] Threat Report on the Surveillance-for-Hire Industry, 16 Dec 2021, https://about.fb.com/wp-content/uploads/2021/12/Threat-Report-on-the-Surveillance-for-Hire-Industry.pdf

[x] Pegasus vs. Predato, 16 Dec 2021 https://citizenlab.ca/2021/12/pegasus-vs-predator-dissidents-doubly-infected-iphone-reveals-cytrox-mercenary-spyware/

[xi] Armenia: State of Emergency Press Restrictions Continue; 22 Media Outlets Told to Remove/Edit Coronavirus Content https://hetq.am/en/article/114899

[xii] Freedom on the Net, Armenia, 2021.   https://freedomhouse.org/country/armenia/freedom-net/2021

[xiii] The court arrested Ara Saghatelyan for two months in the case of “Gagik Soghomonyan” fake page, https://rus.azatutyun.am/a/31114995.html

[xiv]  Freedom on The Net, Armenia, 2021.   https://freedomhouse.org/country/armenia/freedom-net/2021

[xv] Freedom of speech in post-revolutionary Armenia is in doubt: what is happening? https://jam-news.net/ru/%D1%81%D0%B2%D0%BE%D0%B1%D0%BE%D0%B4%D0%B0-%D1%81%D0%BB%D0%BE%D0%B2%D0%B0-%D0%B2-%D0%BF%D0%BE%D1%81%D1%82%D1%80%D0%B5%D0%B2%D0%BE%D0%BB%D1%8E%D1%86%D0%B8%D0%BE%D0%BD%D0%BD%D0%BE%D0%B9-%D0%B0%D1%80/

The establishment of the independent Orthodox Church in Ukraine brings a fundamental change to Russian influence and soft power structure in post-Soviet countries.

It revises the status of Moscow as the leading ecclesiastical center of the Orthodox Church,which remained almost intact for more than 300 years.

This fundamental change is affecting all target countries, making it important to be aware of the latest developments of Russian propaganda in order to stay resilient in the face of hybrid threats.

Our analysts conducted cross-border monitoringof Russian propaganda messages in the local media outlets of Armenia, Georgia, Moldova and Ukraine in their reporting on the establishment of the independent Ukrainian Orthodox Church.

Media monitoring methodology consisted of two parts: quantitative andqualitative.

Quantitative media monitoring identifies numerical measures or indicators that can be counted and analyzed.

Qualitative media monitoring is used to assess the performance of the media against benchmarks, such as ethical or professional standards that cannot be easily quantified.Experts in each country selected 2 TV channelsand 2 online media outlets, which are among the most influential onesin covering international news and politics and have ratings figures.

Our approach was also to balancepro-Europeanand Eurosceptic, pro-governmentand pro-oppositionmedia outlets for each country.

Here is the lineup of media outlets we studied in Armenia:

TV: 1st channel (Public Television of Armenia), Kentron TV

Online media: news.am, lragir.am

Download the English version of the report in PDF format here.