The Israeli-made Pegasus cyberweapon was used in hacking attempts on at least seven journalists and activists in the EU.
According to a new report by security researchers, at least seven journalists and activists who have been outspoken critics of the Kremlin and its allies have been targeted within the EU by a state using Pegasus, the hacking spyware developed by Israel’s NSO Group.
The targets, who were first alerted to the attempted cyber-intrusions by Apple threat notifications on their iPhones, include Russian, Belarusian, Latvian, and Israeli journalists and activists within the EU.
Pegasus is regarded as one of the most sophisticated cyberweapons globally and is used by countries that acquire the technology from NSO. The company asserts that it is intended for legitimate purposes, such as combating crime. However, researchers have documented hundreds of cases where operators of the spyware, including states within the EU, have allegedly misused it for other purposes, including spying on political opponents and journalists.
Researchers stated that they could not definitively identify the state or state agency behind the recent hacking attempts. However, technical indicators suggested that the attempts might have been carried out by the same NSO client. These developments follow a similar report from last year, which found that Pegasus spyware had been used by an operator within the EU to target Galina Timchenko, the award-winning Russian journalist and co-founder of the news website Meduza.
The company was blacklisted by the Biden administration in 2021 and is currently being sued by WhatsApp and Apple, cases it disputes and which are being litigated in US courts.
Although Russia might seem a likely candidate behind the recent attacks, researchers have concentrated their attention within the EU and believe that neither Russia nor Belarus are NSO customers. While Latvia has access to Pegasus, it is not known for targeting individuals outside its borders. Estonia, another known user of Pegasus, reportedly uses the spyware “extensively” outside its borders, including within Europe.
One Russian target, a journalist living in exile in Vilnius who wishes to remain anonymous for personal safety reasons, received two Apple threat notifications, with the latest on 10 April 2024, according to researchers. An analysis of the journalist’s mobile phone confirmed an attempted infection on 15 June 2023. The journalist had attended a conference for Russian journalists in exile in Riga, Latvia, the next day, focusing on the vulnerabilities facing journalists in the region.
Two Belarusian civil society members living in Warsaw also received Apple notifications on 31 October 2023. Opposition politician and activist Andrei Sannikov, who ran for the presidency of Belarus in 2010 and was subsequently arrested and detained by the Belarusian KGB, had his phone infected around 7 September 2021. This infection was not discovered for two years, he said.
“Even if it is Estonia, Lithuania, Latvia, or Poland, it does not exclude the possibility that the FSB or KGB is behind it,” Sannikov said. When asked whether the spate of attacks indicated that an intelligence or law enforcement agency within the EU had been infiltrated by Russia or its allies, he added, “Yes, of course. It is, I think, common knowledge that Western institutions are heavily infiltrated, as are opposition circles as well.
