NSO Group’s notorious Pegasus spyware is now being used against exiled Russian media critical of Putin’s regime and the war in Ukraine.
A new joint investigation by Access Now and the Citizen Lab finds that the iPhone of Galina Timchenko, co-founder, CEO, and publisher of Latvia-based Russian independent media organization Meduza, was infected with NSO Group’s Pegasus spyware while on a trip to Berlin, Germany, around February 10, 2023. While the covert use of spyware takes place in the dark, the attack comes two weeks after the Russian government declared Meduza an “undesirable organization” for its critical coverage of Putin’s regime and the war in Ukraine, and amidst E.U. governments’ suspicion of Russian civil society in exile.
While Pegasus is designed to obfuscate which customer is behind a particular attack, making attribution difficult for investigators, there are three main theories about which state is likely behind the attack:
- E.U. states — primarily Estonia, Germany, or Latvia, who are suspected Pegasus users;
- Russia-allied states that are also suspected Pegasus users — primarily Azerbaijan, Kazakhstan, or Uzbekistan; and
The investigation began after Apple warned Galina Timchenko and other targets in June 2023 that they may have been targeted with spyware. Meduza’s Chief Technology Officer contacted Access Now to check Timchenko’s device, which was confirmed to have been infected on or around February 10, 2023, with the infection likely lasting several days or weeks after that.
This new analysis includes recommendations for states.