The iPhone of a prominent Russian journalist, whose news agency was effectively banned by President Vladimir Putin, was infected with the Pegasus spyware this year, researchers say. This was the first known case in which the powerful interception tool was used against a key Russian target.
The spyware appears to have been installed when the phone’s owner, Galina Timchenko, owner of the Meduza news agency, was in Germany in February for a meeting with other Russian journalists – raising questions about who hacked her phone in a Western democracy.
Access Now, a nonprofit organization that advocates for digital rights, and the University of Toronto’s Citizen Lab say they confirmed the Pegasus infection after Timchenko received a warning from Apple this summer that spyware might have been installed on her phone.
Pegasus, a creation of Israeli company NSO Group, can be installed on a phone remotely without the phone’s owner having to click on a link or take any other action. Once installed, Pegasus can access everything, including a phone’s contact list as well as its internal microphone and camera. It has been used against American diplomats, human rights activists, journalists and dissidents around the world. The Biden administration declared in 2021 that NSO’s activities were contrary to U.S. interests and added the group to the Commerce Department’s Entity List, barring American companies from doing business with it without a special license.
NSO has long stated that it only sells licenses for Pegasus to governments for legitimate law enforcement purposes. A person familiar with NSO operations, who spoke on condition of anonymity to discuss the matter, said the Russian government was not a customer.
Researchers said they could not determine who was behind the infection after analyzing Timchenko’s phone. The main suspects include Russia and a number of its neighbors, it is said.
This mystery points to a troubling trend, said David Kaye, a former U.N. special rapporteur who investigated the spread of commercial spyware during his time there from 2014 to 2020.
“When we see cases like this, at some level we need and want to know who the perpetrator is,” said Kaye, now a professor at the University of California at Irvine School of Law, who played no role in the analysis of Timchenko’s phone. “But at the same time, with such a globally unregulated instrument, it will simply become the norm – that human rights defenders, activists, journalists, opposition figures, etc. will be regularly targeted.”
Apple notified Meduza of the possible hack in June.
The suspected date of infection was February 10, when Timchenko was visiting Germany for a February 11 meeting with other Russian journalists in exile to discuss new restrictions her home country had imposed on the internet and media.
A month earlier, Moscow had labeled Meduza – which has more than 10 million monthly readers, most of them within Russia – an “undesirable organization,” effectively banning its publication.
Timchenko said she was used to being harassed by “propagandists” on the streets of Russia before moving Meduza to Riga, the capital of Latvia, in 2014. But this was different. “I never expected to be a target for spyware.”
“I came to the conclusion that maybe I had done something wrong. Maybe I didn’t follow the safety protocols,” she said. “And it was like a nightmare for about half an hour. But when I realized that it wasn’t my fault at all, it just happened, I got angry.”
Timchenko was most concerned about whoever installed the spyware on her phone getting access to her contact lists.
“Knowing that your vast network of contacts can be targeted, even if you’ve professionally done everything you’re supposed to do to protect yourself and your sources, I think is really quite frightening,” Kaye said. “It is absolutely essential that journalists are protected so that governments and their public have access to information.”
Also concerning is the possibility that the perpetrators may have activated the microphone on Timchenko’s device to listen in on what the Russian journalists were discussing at their meeting in February, said Natalia Krapiva, technical legal advisor at Access Now.
Spyware poses a particular threat to democracy when it hits journalists, said John Scott-Railton, senior researcher at Citizen Lab.
“In a democracy it is very important that journalists can do their jobs, and the only way to get people to say true things is to tell them to journalists, sometimes discreetly and with a degree of privacy,” he said. “Pegasus tears apart this source protection and makes it impossible for careful journalists to be truly confident that they are able to do what their ethics demand.”
Spyware also poses a direct threat to journalists themselves. The widow of murdered Washington Post man Jamal Khashoggi has filed a lawsuit against the NSO Group, claiming the company’s technology spied on him in the months before his death.
Each of the main suspects has their own abilities and motivations for wiretapping Timchenko.
Meduza is a “big goal” for the Russian government as an independent news agency that reaches readers in Russia, Timchenko said. At the same time, researchers have not seen any evidence that Russia is a client of the NSO Group.
Israel’s Defense Ministry approves export licenses for Pegasus, which has reportedly fallen into the hands of repressive regimes such as Saudi Arabia. But Russia may be too risky for Israel to approve a Pegasus license, Krapiva said.
Access Now named Latvia, home of Meduza’s headquarters, as another suspect, citing a recent hostile turn toward another exiled Russian broadcaster, TV Rain, whose license was revoked by the Latvian government after it was deemed a national security threat. Citizen Lab has previously suspected Estonia, an ally of Latvia, of carrying out cross-border spyware infections.
Other possible suspects include the Russian-allied countries of Azerbaijan, Kazakhstan and Uzbekistan. Timchenko suspected that a Russia-friendly country might have infected her phone on behalf of Moscow.
The Latvian embassy declined to comment.
“NSO sells its technologies only to U.S. and Israeli allies and always investigates credible allegations of abuse and takes prompt action when necessary,” the company said in a statement.
Germany only admitted its use of Pegasus after its purchase of the spyware was revealed in a news investigation in 2021, sparking widespread criticism from human rights groups.
German officials insist that police and intelligence investigators only use a version of the software adapted to the limitations of the country’s legal system, without providing details on how this is ensured. Judgments by the Federal Constitutional Court enshrine the right to confidentiality of electronic devices and limit state hacking to cases in which there are “extremely important legal interests” such as a threat to life or the security of the state.
Spyware opponents worry about what it means if Timchenko’s phone was infected while she was in Germany, a member state of the European Union.
“Democracy is threatened by major players like Russia,” Scott-Railton said. “And Europe has served as a tremendous counterforce to the invasion of Ukraine. It is particularly worrying to see techniques emerging within the EU’s borders that one would expect to be used by anti-democratic powers.”
Access Now has identified Germany as a possible suspect in the infection of Timchenko’s phone, but a German member of the European Parliament who sat on a committee monitoring spyware cast doubt on that idea, given, among other reasons, the limited form of Pegasus the government had received.
“I would be very surprised if they used it against an anti-regime Russian journalist in Germany,” said member Hannah Neumann. Still, she said that a German legislative panel overseen by German intelligence services should investigate what happened because Timchenko is “the kind of person who should be given refuge and protected in Germany. And because this stupid technology exists and there isn’t much willingness at the international level to regulate it, we obviously can’t.”
The federal government’s press office forwarded the questions to the Interior Ministry, which declined to comment.
Notably, Germany did not sign a U.S.-led joint declaration of nations in March pledging to take concrete steps to combat the spread of spyware.
The Biden administration has received praise from activists for its actions to combat spyware, particularly an executive order that commits to restricting the federal government’s own use of spyware after the FBI was criticized for having flirted with contracting with the NSO Group.
Rep. Jim Himes (Conn.), the top Democrat on the House Intelligence Committee who has pushed for legislation to limit the use of spyware by U.S. intelligence agencies, said stories like Timchenko’s are a “disheartening” example of a persistent problem.
“If it turns out it’s the Russians, surprise, surprise, put that on the list of dictatorial things Russia does,” Himes said. “However, I would be particularly concerned if it were one of our NATO allies, one of the democracies.”
In Europe, a parliamentary committee that concluded its investigation into Pegasus this summer said several member states had not cooperated with its investigation. The Council of Europe’s Parliamentary Assembly said last week that five nations, including Azerbaijan, must investigate spyware abuse and also called on Israel to explain how it ensures Pegasus does not violate human rights.
Citizen Lab concluded with “moderate certainty” that the perpetrators got into Timchenko’s phone via a zero-click exploit the lab highlighted in April that targeted Apple’s HomeKit and iMessage.
Apple says it does not report the number of spyware notifications it has sent to users. However, the company filed a lawsuit against NSO Group in 2021 to ban the company from using Apple products or services “to prevent further abuse and harm to its users.”
Access Now is considering further legal action against NSO Group in response to the infection of Timchenko’s phone.
But the full answer to spyware can’t come from Apple or Timchenko, Scott-Railton said.
“This isn’t really a user behavior issue,” he said. “That’s why it’s not just an Apple problem. It has to be a political problem and a government problem because this stuff is very dangerous, very effective, it’s not going away, and the effects are not easily mitigated with any other approach.”
The widespread use of technology in daily life means that spyware poses a threat to everyone, Krapiva said.
“The general public tracking these infections might think, ‘This is all interesting, but I really have nothing to hide,'” she said. “‘Why should the government care about me?’ And I think the more revelations we have, the more affected are all sorts of constituencies – media, journalists, politicians, but also university professors, some people who you would assume have nothing sensitive.”
Access Now is investigating additional hacking incidents in Eastern Europe that the organization says it does not have permission to discuss. “I hope that once this becomes public, more victims will want to come forward because I think it’s important,” Krapiva said.
Loveday Morris in Berlin contributed to this report.