Israeli-made Pegasus cyberweapon employed in hacking EU journalists and activists
A new report by security researchers reveals that at least seven journalists and activists critical of the Kremlin and its allies have been targeted inside the EU by a state using Pegasus, the hacking spyware developed by Israel’s NSO Group.
The targets, who were alerted to the cyber-intrusions by threat notifications from Apple on their iPhones, include journalists and activists from Russia, Belarus, Latvia, and Israel who are based in the EU.
Pegasus is renowned as one of the world’s most advanced cyberweapons, utilized by countries that procure the technology from NSO. The company asserts that Pegasus is intended for legitimate purposes, such as combating crime. However, researchers have documented numerous instances in which operators of the spyware, including states within the EU, purportedly employed it for other motives, such as surveillance of political adversaries and journalists.
Researchers stated that while they could not definitively attribute the latest hacking attempts to a specific state or state agency, technical indicators pointed to the possibility that they were conducted by the same NSO client. This development echoes a report from last year, which revealed the use of Pegasus spyware by an operator within the EU to target Galina Timchenko, the acclaimed Russian journalist and co-founder of the news website Meduza.
The inquiry into the recent attempted cyber-attacks was conducted by digital civil rights advocates Access Now, the Citizen Lab at the University of Toronto’s Munk School, and Nikolai Kvantaliani, an independent security analyst.
When successfully deployed, Pegasus can infiltrate any phone, gaining access to photos and mobile phone calls, tracking a person’s location, and activating the device’s recorder to function as a listening device.
In 2021, the Biden administration placed the company on a blacklist. Additionally, NSO Group is facing lawsuits from WhatsApp and Apple, cases that the company has contested and that are currently in litigation in US courts.
Despite Russia appearing as a likely candidate for the recent attacks, researchers have shifted their focus to the EU, stating that they do not think Russia or Belarus are customers of NSO. While Latvia seems to have access to Pegasus, it is not known to target individuals beyond its borders. Estonia, another known Pegasus user, reportedly uses the spyware extensively outside its borders, including in Europe.
A Russian journalist, living in exile in Vilnius and choosing to remain anonymous for safety reasons, received two Apple threat notifications, with the latest on April 10, 2024, according to researchers. An examination of the journalist’s mobile phone confirmed an attempted infection on June 15, 2023. The following day, the journalist attended a conference in Riga, Latvia, for Russian journalists in exile, which focused on the vulnerabilities faced by journalists in the region.
Two members of Belarusian civil society living in Warsaw also received Apple notifications on October 31, 2023. Opposition politician and activist Andrei Sannikov, who ran for the Belarusian presidency in 2010 and was subsequently arrested and detained by the Belarusian KGB, had his phone infected on or around September 7, 2021. He stated that it was not discovered for two years.
Sannikov remarked, “Even if it is Estonia, Lithuania, Latvia, or Poland, it does not exclude the possibility that it is the FSB or KGB behind it.” When asked if the recent attacks suggested that an intelligence or law enforcement agency within the EU had been compromised by Russia or its allies, he replied, “Yes, of course. It is, I think, common knowledge that Western institutions are heavily infiltrated, as are opposition circles.”
Natalia Radzina, editor-in-chief of the independent Belarusian media website Charter97.org and recipient of the international press freedom award from the Committee to Protect Journalists, was targeted with Pegasus twice, first in late 2022 and then in early 2023.
Radzina described the infections as a violation of privacy reminiscent of past intrusions in Belarus, where she faced political persecution and imprisonment by the KGB.
“I am aware that my completely legal journalistic activities could only be of interest to the Belarusian and Russian special services for many years. I am concerned about the potential collaboration in this matter between current operators, whoever they may be, with the KGB or the FSB,” she stated.
Additionally, three other journalists residing in Riga received Apple threat notifications: Evgeny Erlikh, an Israeli-Russian journalist; Evgeny Pavlov, a Latvian journalist; and Maria Epifanova, the general director of Novaya Gazeta Europe.
NSO, overseen by Israel’s Ministry of Defence, states that it sells its spyware to vetted law enforcement agencies solely for preventing crime and terror attacks. The company neither confirms nor denies the identities of any alleged customers but emphasizes that it only sells its products to “allies of Israel and the US.”
In response to a letter from Ivan Kolpakov, the editor-in-chief of Meduza, NSO provided The Guardian with a copy of a letter from its deputy general counsel, Chaim Gelfand. Gelfand expressed deep concern about any potential misuse of their system and committed to reviewing information provided by Kolpakov to initiate an investigation if necessary. He stated that without additional information, the company could neither confirm nor refute any allegations.
Gelfand further stated, “NSO Group is committed to upholding human rights and protecting vulnerable individuals and communities, including journalists who play a crucial role in promoting and protecting these rights.”