An outlawed Russian journalist in exile has learned her iPhone is infected with Pegasus spyware. Many are left worrying about privacy and security as the same zero-click tool is used both by dictators and democratic countries, and there may be no way around it.
Galina Timchenko is a co-founder, CEO, and publisher of Meduza, a prominent Russian independent media outlet based in Latvia. And she found her iPhone had been infected with Israeli firm NSO Group’s Pegasus spyware while on a trip in Germany, a joint investigation by Access Now and Citizen Lab revealed.
The fact was brought to light by Apple, as it sent a notification to Timchenko’s device “that state-sponsored attackers may be targeting her iPhone.”
Researchers tested the device and discovered that Pegasus spyware had been lurking since around mid-February. At the time of infection, Timchenko was in Berlin, attending a private gathering with other members of Russian independent media living in exile.
“I already felt like I’d been stripped naked in the town square. Like someone had reached into my pocket. Like I was dirty somehow,” Timchenko said.
The disturbing news sent shockwaves across social media: cybersecurity researchers doubt that targeted users can avoid such intrusions into their privacy and security.
It is not even clear who is behind this Pegasus attack, as many countries are suspected of using the spyware, including European states Latvia, Estonia, Germany, and also Russia and its allies such as Azerbaijan, Kazakhstan, and Uzbekistan.
The journalist Timchenko was attacked two weeks after the Russian government declared Meduza an “undesirable organization” for its critical coverage of Vladimir Putin’s regime and the war in Ukraine. At the same time, European politicians were arguing for increased surveillance on Russians in exile, the investigation found.
Other journalists received alerts
Another journalist, Yevgeny Erlich, the former editor-in-chief of TV program Baltiya at the Russian independent media outlet Current Time (Настоящее Время), announced on Thursday that he had also received the notification from Apple.
He warned readers that prior communications with him might have been breached, and he is unable to maintain private conversations.
The Apple warning reads: “ALERT: State-sponsored attackers may be targeting your iPhone. Apple believes you are being targeted by state-sponsored attackers who are trying to remotely compromise the iPhone associated with your Apple ID ***@gmail.com. These attackers are likely targeting you individually because of who you are or what you do.”
Like Timchenko, Erlich also is using a Latvian SIM card. He hopes “intelligence agencies will recover from disappointment,” as he has nothing to hide.
“And yes, my iPhone sometimes acts weird, at least it keeps heating up intermittently in a flat spot. And my messenger suddenly within a day on its own (but on my behalf) started to form some abstract groups of my friends and offer them to collectively chat with me,” he added.
The same notifications were also received by the staff of Novaya Gazeta, an independent Russian newspaper also published in Latvia.
“They threaten the very foundation of free speech”
Mantas Sasnauskas, the head of the Cybernews research team, warns that the very essence of privacy is under siege as surveillance tools evolve and become more sophisticated.
“The recent revelations surrounding the Pegasus spyware, particularly its alleged use on Galina Timchenko’s device, shed light on the increasingly complex digital espionage landscape we’re navigating,” he said. “Journalists, who are instrumental in upholding democratic values by scrutinizing those in power, find themselves in an increasingly vulnerable position.”
The implications extend beyond mere breaches of individual privacy. Sasnauskas worries that they threaten the very foundation of free speech and can cast a shadow over the realm of investigative journalism.
“If journalists are constantly anxious about their safety and the protection of their sources, it could stifle in-depth investigative work. As we venture deeper into this digital age, it's crucial for international communities to implement rigorous regulations and oversight on spyware usage, ensuring that the bedrock principles of democracy, such as a free press, remain intact,” he added.
Block ads now, researchers urge
John Scott-Railton, senior researcher at Citizen Lab, shared worrying findings about Pegasus on X.
“Block ads on your networks now. The system designed to follow us around the net with ads is now a blinking national security and human rights threat. Once, the capability was limited to governments. Now, mercenary spyware companies are selling it in a predictable step,” he writes.
He compared the vulnerability to a devastating and unfixable backdoor that chases users around the internet, adding that the security vulnerabilities are interwoven with the web’s very digital fabric.
“The incentives are simple: ad companies will do everything they can to make sure you get tracked and shown ads. So do their customers,” Scott-Railton said.
While helpful, adblocker is a “leaky band-aid at best,” and tricky to use on phones, especially when many apps incorporate ads.
“Any network, government to corporate, university to nonprofit, should block all ads and tracking at the gateway,” Scott-Railton urges.
What else do we know about the hack?
Sophisticated spyware, Pegasus bypasses encryption and completely controls the victim’s phone, including access to photos, messages, contacts, camera, and microphone, with zero user input required to trigger the attack.
“Pegasus is designed to obfuscate which government is behind a particular attack, making it difficult for us to attribute. However, based on NSO Group’s assertion that Pegasus is only sold to state agencies and the available technical and circumstantial evidence, there are several theories of which state is likely behind the attack,” Access Now and Citizen Lab researchers said.
They provided only speculations without any assurance about where the attack could have arisen.
Latvia, where Meduza resides, was mentioned amongst 45 countries suspected to be NSO Pegasus users. But Citizen Lab doesn’t believe Latvia would use spyware outside its borders. The police agency of Germany, where Timchenko was staying at the time of her phone’s infection, is also mentioned amongst potential Pegasus customers.
“Two other reported European Pegasus customers, the Netherlands’ General Intelligence and Security Service (AIVD) and an unnamed Estonian government agency, appear to use Pegasus extensively outside their borders, including within multiple European countries,” said Citizen Lab.
Other possibilities include that states with ties to Russia that are suspected Pegasus users may have hacked Meduza on behalf of Moscow. Russia could have also been directly involved, but experts on the Kremlin’s intelligence services, like journalist Andrei Soldatov, are not convinced that Russia has been using Pegasus.
Access Now and Citizen Lab call for action to implement an immediate moratorium on the export, sale, transfer, servicing, and use of targeted digital surveillance technologies until human rights safeguards are put in place to regulate such practices, and also want to see a ban on vendors and spyware that facilitates or enables human rights abuses.
The crackdown on Russian media left many journalists in exile, risking persecution domestically. Timchenko founded Meduza in 2014 after the owner of Russian news website Lenta.ru removed her as the chief editor for publishing an interview with the head of a Ukrainian nationalist group. Putin’s regime officially outlawed Meduza in January 2023.
Apple’s to-do list
Apple is known for resisting any efforts to tamper with its devices. The company recently unveiled a new security feature to block government spyware and warned users in 150 countries that their devices may have been hacked. Apple has filed a lawsuit against Israeli cyber firm NSO Group and its parent company OSY Technologies for allegedly targeting US Apple users with its Pegasus spyware.
Apple threat notifications are designed to inform and assist users who may have been targeted by state-sponsored attackers. The support page explains that such threat actors are well-funded and sophisticated, and their attacks evolve over time.
“Detecting such attacks relies on threat intelligence signals that are often imperfect and incomplete,” said Apple. “It’s possible that some Apple threat notifications may be false alarms, or that some attacks are not detected. We are unable to provide information about what causes us to issue threat notifications, as that may help state-sponsored attackers adapt their behavior to evade detection in the future.”
All users should continue to protect themselves from cybercriminals and consumer malware by following best practices for security:
- Update devices to the latest software, as that includes the latest security fixes
- Protect devices with a passcode
- Use two-factor authentication and a strong password for Apple ID
- Install apps from the App Store
- Use strong and unique passwords online
- Don’t click on links or attachments from unknown senders
Pegasus: a shady history
Now notorious, Pegasus spyware has been found to be involved in many political incidents, as oppressive regimes often use such tools for nefarious purposes.
The European Union has recently found evidence that smartphones used by some of its staff were compromised. At least 14 EU countries, including Hungary and Poland, have been accused of using Israeli firm NSO Group’s notorious spyware for various purposes that include stifling dissent and silencing journalists.
Pegasus spyware’s ugly head has also reared in the context of a protracted border dispute between Armenia and Azerbaijan.
In the US, the government declared the spyware to be a threat to national security, banned its use, and blacklisted NSO Group in 2021.
Nonprofit organization Access Now is known for its mission to defend and extend digital civil rights. Citizen Lab is an interdisciplinary laboratory based at the Munk School of Global Affairs & Public Policy in the University of Toronto.
More from Cybernews:
Subscribe to our newsletter