New Pegasus spying cases found in Eastern Europe

CitizenLab and Access Now have found traces of the infamous Pegasus spyware on the phones of seven Russian and Belarusian independent journalists and activists across Europe.

In the investigation summary, both organizations say that the journalists and opposition activists were all targeted and/or infected with NSO Group’s Pegasus mercenary spyware between August 2020 and January 2023.

In November 2023, an initial investigation revealed that Galina Timchenko, a co-founder and CEO of Meduza, a prominent Russian independent media outlet based in Latvia, had her iPhone infected with the spyware.

Back then, Apple sent Timchenko a notification saying that “state-sponsored attackers” may have targeted the device with the NSO Group’s zero-click tool. Researchers tested the smartphone and found Pegasus lurking inside.

Now, after expanding the investigation, Access Now and CitizenLab identified seven more members of civil society and journalists living outside of Belarus and Russia who were targeted.

The targets publicly criticized the Kremlin, including Russia’s invasion of Ukraine, and have faced threats from Russian and Belarusian security services. Three of them are based in Latvia, two are living in Warsaw, the capital of Poland, and another two are based in Lithuania.

“The targeting timeframe, victim profiles, and overlap of operator Apple IDs suggest (but do not prove) the possibility that a single government operator is responsible for these five attacks,” say the researchers in the report.

Apple IDs found on Pegasus-targeted devices. Courtesy of CitizenLab.

Access Now and CitizenLab say they’re choosing not to name a “specific operator” publicly. But it’s actually interesting because, according to CitizenLab, there is no evidence suggesting that Russia, Belarus, or Lithuania are Pegasus customers.

Poland had used Pegasus earlier but stopped in 2021 after the former ruling party was pushed into opposition after the parliamentary election last year. It’s now probing the use of Pegasus by the previous government.

That leaves Latvia and Estonia. Latvia, says CitizenLab, appears to use Pegasus but is not known for targeting individuals outside the country – but Estonia “does appear to use Pegasus extensively outside their borders, including within multiple European countries.”

Researchers are advising members of civil society to follow digital security recommendations, which include updating their devices’ software or implementing Apple Lockdown Mode.