The public has known for years that governments around the world use software developed by an Israeli cyber-arms company to spy on journalists, opposition politicians, and activists. Investigative journalists published a series of bombshell reports in July 2021 about the widespread abuse of Pegasus, a powerful tool marketed exclusively to state clients for use against only the grisliest criminals. Earlier this summer, Meduza learned that the iPhone of our co-founder and publisher, Galina Timchenko, was infected with Pegasus mere hours before she joined a private conference in Berlin attended by colleagues in the exiled Russian independent media. This is the first confirmed case of a Pegasus attack against a Russian journalist. With help from experts at Access Now and Citizen Lab, Meduza reports what we know about this notorious spyware, how it’s been used in Europe, and which states might have spent millions of dollars to hijack Ms. Timchenko’s phone.
Galina Timchenko hurried to Meduza’s Riga newsroom on June 23. She’d just gotten a call from Alexey, the head of Meduza’s technical division, telling her to come in immediately. His voice was unusually stern, and he didn’t explain the urgency. “He simply spoke in such a way that I understood it as an order,” Timchenko later recalled. “It was clear that something had happened.”
En route to the office, Timchenko wondered if one of her passwords wasn’t secure or if she’d clicked on any suspicious hyperlinks. “I thought I’d done something wrong,” she says.
Alexey was waiting for her at the doorstep. He silently pointed at her bag, which held her phone and computer. “I can’t say anything just yet,” he informed her. “We’re looking into it.” He then took Timchenko’s iPhone and MacBook.
A day earlier, Timchenko had received a curious text message from Apple and forwarded it to Meduza’s tech division. The message was one of Apple’s “threat notifications” about “state-sponsored attackers” — something the company sends to users who are “individually targeted because of who they are or what they do.” “State-sponsored attacks are highly complex, cost millions of dollars to develop, and often have a short shelf life,” Apple explains on its website.
The notification sent to Timchenko did not identify the state in question.
She says she put the message out of her mind after sharing it with Meduza’s technical team. Galina Timchenko has grown accustomed to such warnings. The Russian authorities have tried to hack or destroy her newsroom’s infrastructure for years. Meduza has weathered denial-of-service attacks and countless phishing attempts. Russia’s federal censor now even blocks the website outright.
To understand what Apple’s message didn’t explain, Meduza’s technical director turned to outside help to find out who these hackers were. First, he contacted human rights activists at Access Now, a nonprofit organization committed to “defending and extending” the digital civil rights of people worldwide and helping improve digital security practices. Access Now has also alerted the public to the collateral damage of tech sanctions on civil rights activists, journalists, and dissidents from authoritarian countries, highlighting how targeted sanctions, mass corporate pullouts, and over-compliance in Russia have helped the Kremlin to silence its critics.
Alexey also reached out to researchers at Citizen Lab, an interdisciplinary laboratory at the University of Toronto that investigates digital espionage against civil society, among many other things.
Experts at Access Now and Citizen Lab collected the data from Timchenko’s devices and performed what they call “a rapid COVID test.” The results were quick indeed, revealing that her smartphone was infected with the spyware Pegasus on February 10, 2023. This gave the hackers total access to Timchenko’s iPhone: its microphone, cameras, and memory. The attackers could see the device’s entire contents, including Timchenko’s home address, her scheduled meetings, her photographs, and even her correspondence in encrypted instant messengers. Pegasus lets you see a device’s screen directly, reading messages as they are written. It lets you download every email, text, image, and file.
Pegasus and NSO Group
NSO Group, the Israeli entity responsible for Pegasus, insists that it designed the product exclusively for the surveillance of “terrorists, criminals, and pedophiles.” The firm’s co-founders include veterans of Israel’s military intelligence and the Mossad, and the company sells Pegasus only to state clients.
Despite its claims about “rigorous” human rights policies, NSO Group does big business with governments around the world that have regularly used Pegasus to target critics and political adversaries, from reform-minded bishops and priests in Togo and women’s rights activists in Saudi Arabia to journalists in India and human rights defenders in Palestine. Reporters and activists tracked by NSO Group’s spyware are often arrested and sometimes even killed. For example, Saudi operatives in Istanbul murdered and dismembered Washington Post columnist Jamal Khashoggi in 2018 after numerous members of his close entourage were selected for surveillance by NSO Group customers, while the Israeli firm denies that its technology was used “to listen, monitor, track, or collect information regarding [Khashoggi] or his family members.”
States pay “tens of millions of dollars, if not more,” for access to Pegasus, Citizen Lab senior researcher John Scott-Railton told Meduza.
The Mexican government alone has spent at least $61 million on the technology, which it has used to spy on dangerous criminals and civil society members alike, including journalist Cecilio Pineda, who was assassinated in 2017, just a few weeks after his phone was infected with Pegasus.
Even researchers in this field aren’t sure what it costs to hack a single device using Pegasus. The spyware is more a service than anything; each NSO Group contract permits so many “simultaneous infections,” says Natalia Krapiva, Access Now’s tech-legal counsel. “For example, a client state can buy a package with 20 infections, which means it can have 20 people under surveillance at one time.”
Speaking to The Washington Post in July 2021, NSO Group co-founder Omri Lavie said attacks on journalists by his clients are “horrible,” but he argued that the main problem is a lack of regulation. “This is the price of doing business,” he explained. “Somebody has to do the dirty work.”
A kind of regulation arrived in November 2021, albeit not what Omri Lavie and his colleagues wanted. Months after an investigation by the Pegasus Project consortium exposed the spyware’s rampant, global abuse, the Biden administration added NSO Group to a federal blacklist that bans the company from receiving American technologies. NSO spokespeople expressed “dismay” and said the firm would lobby to reverse the White House’s decision.
‘I felt dirty’
As soon as the Pegasus infection was confirmed, Meduza’s management locked itself in Timchenko’s office for an emergency meeting. “We were all terrified,” Alexey recalls, “but we pretended we weren’t.”
Meduza editor-in-chief Ivan Kolpakov, who was traveling then, joined the meeting by teleconference. He was visibly at a loss and kept listing aloud what could have leaked: corporate passwords and correspondence, bank account balances, the names of Meduza staff, and — most dangerously — the identities of Meduza’s collaborators inside Russia.
It was soon clear, however, that it was impossible to assess what had been compromised. “They got everything,” Kolpakov recalls. “Everything they wanted.”
Those at the meeting say Meduza’s technical director was the only one who remained calm, but he remembers it differently: “I sat there, plugging my ears, and I tried to write out a checklist for Galya: new password, new device, new Apple ID, new SIM card.” Timchenko tried at first to “laugh it off,” says Alexey, but eventually she burst into tears:
The most unpleasant questions came from Ivan: “What documents were you working with on your iPhone? Did you activate two-factor authentication everywhere?” I already felt like I’d been stripped naked in the town square. Like someone had reached into my pocket. Like I was dirty somehow. I wanted to wash my hands! And then my partner and best friend starts interrogating me as if I’d put everyone at risk. It really hurt… But I’d have demanded the same if I were in his shoes. Ivan was just very nervous.
It is virtually impossible to prevent infection by Pegasus; it can hack any gadget running a single application vulnerable to the software, including apps preinstalled by Apple itself. A device hijacked by Pegasus isn’t easy to spot, either. For instance, Timchenko had no reason to suspect anything was amiss with her iPhone, except for moments when it seemed warmer than usual, which she attributed to her new charger.
Citizen Lab’s analysis shows attackers likely infiltrated Timchenko’s iPhone through HomeKit and iMessage. Senior researcher John Scott-Railton says his team found digital footprints unique to Pegasus. “No other spyware would have left this,” he told Meduza. Researchers believe Timchenko’s hackers used the so-called “PWNYOURHOME” vulnerability, which targets iPhones’ built-in HomeKit functionality and exploits iMessage to install the spyware. Scott-Railton says this hack is possible even on devices where HomeKit was never activated.
Citizen Lab collected “forensic artifacts” from Timchenko’s iPhone showing that the device was infected with Pegasus on February 10, 2023.
Wild timing
As managers crowded into Galina Timchenko’s office and scrambled to assess the worst intrusion in Meduza’s history, another event back in Russia suddenly demanded the newsroom’s complete attention: a mercenary leader shot down several helicopters, seized a military base, and announced a “march on Moscow.” It was June 23, 2023, and the Pegasus hack silently took a backseat to Yevgeny Prigozhin’s mutiny as Meduza mobilized its newsroom to cover the breaking story.
When the senior staff could later contemplate the possible reasons for Timchenko’s Pegasus infection, the date of the infiltration (February 10, 2023) wasn’t immediately significant to managers. But it should have been.
On February 11, one day after Pegasus hijacked Timchenko’s iPhone, she and Kolpakov joined other representatives of Russia’s exiled independent media in Berlin at a confidential seminar organized by the Redkollegia journalistic prize committee. Media managers and lawyers attended the private conference to discuss the legal aspects of operating in Russia under the conditions of total state censorship and the mass persecution of journalists and activists. Just two weeks earlier, Russia’s Prosecutor General formally outlawed Meduza’s reporting, designating the outlet an “undesirable organization.” Timchenko recalls that colleagues meeting in Germany expected the same thing would happen to them before long.
Pegasus was already running on Timchenko’s phone when she joined the meeting in Berlin. Whoever hacked the device could have used it as a wiretap, remotely activating the microphone to record anything said within earshot. The hackers might have turned on the camera just as easily. “They could have used Galina’s phone like a bug to listen in on what the Russian journalists were planning,” says Access Now’s Natalia Krapiva.
“My first thought was the Russian state and the Russian intelligence agencies, of course,” recalls Timchenko. “Who else cares about me?”
The first Russian journalist
The attack against Galina Timchenko is the first confirmed case of Pegasus being used against a Russian journalist. Natalia Krapiva at Access Now confessed to Meduza that she’s actually somewhat comforted to see the spyware surface here because researchers have tested the phones of nearly two dozen journalists and activists from Russia and found all manner of malware but never Pegasus. “I was afraid that [they] were being tracked by something we couldn’t detect,” she explained. “The first confirmed case was shocking, thrilling, and a relief all at once. Now, at least, we have a thread to pull.”
Identifying Pegasus infections is challenging work, even for technical experts. “These spyware programs are capable of hiding logfiles and concealing traces of their own presence on a device,” explains John Scott-Railton at Citizen Lab. “It’s a constant technological race.”
In 2016, it was researchers at Citizen Lab and Lookout Security who first uncovered traces of the existence of Pegasus, revealing in a bombshell report that NSO Group’s “remote monitoring solution” was used to spy on Ahmed Mansoor, an internationally recognized human rights defender based in the United Arab Emirates. In the years since this discovery, experts have tracked Pegasus’s digital footprints and learned which states are NSO Group’s clients.
Much of Citizen Lab’s work is devoted to searching for the servers needed to run Pegasus. “It’s a service, and NSO Group sells access to it,” says Krapiva. “When it signs a contract, the company sends a whole team to the client state to organize training sessions on how to run the tool. All this requires technical infrastructure, and Citizen Lab is constantly trying to monitor it.”
Scott-Railton told Meduza that his team looks not just for the infrastructure used in attacks but also for what’s needed to extract data. “In other words,” he explained, “[we look for] all the servers where the information collected from infected devices ends up.”
The no-no list
NSO Group says it sells its spyware only to vetted state agencies, but Israeli geopolitical interests often influence the company’s decision to work with particular partners. For these reasons, the firm reportedly refuses to use Pegasus against either American or Russian telephone numbers.
“Infected phones cannot even be physically located in the United States; if one does find itself within American borders, the Pegasus software is supposed to self-destruct,” the spyware’s designers said in 2020. A year earlier, when the Estonian government bought access to Pegasus, NSO Group informed its new client that using the spyware against Russian targets is prohibited. Israel has also reportedly blocked Ukraine from acquiring Pegasus, fearing Moscow’s wrath. “According to people close to NSO and the Israeli government, they don’t approve such infections because it will disrupt relations with these countries,” says Natalia Krapiva.
The company has also claimed that Russia and China are among the nations that will “never be customers,” citing internal due diligence that scrutinizes potential clients’ track records on human rights, corruption, safety, finance, and abuse. NSO Group chief executive Yaron Shohat told The Wall Street Journal in January 2023 that the firm was “committed to its core business of supplying governments around the world who are allies of the U.S. and Israel,” despite downsizing after losing clients because of the Biden administration’s measures.
Moscow possibly has its own reasons for refusing to do business with NSO Group. Investigative journalist Andrey Soldatov has argued that Russia’s intelligence community “is a seller, not a buyer,” on the world market for espionage technology. Soldatov says this is due both to the high quality of Russian spying tech and to the authorities’ “extreme paranoia about foreign spyware.” Revelations about Pegasus, moreover, have corroborated these concerns, showing that the data stolen from targets are transferred to servers in NSO Group’s ecosystem, meaning that Russian agencies would have to share this “information goldmine” with outsiders if they were to sign up as clients. Russia’s Federal Security Service did not respond to Meduza’s questions about Pegasus.
“We do not see evidence of Russia using NSO’s product, but that doesn’t mean we know everything,” says John Scott-Railton at Citizen Lab.
A spokesperson for NSO Group told Meduza that the company’s technologies “are only sold to allies of the U.S. and Israel, particularly in Western Europe, for the sole purpose of fighting crime and terror, aligned with the global interests of U.S. national security and governmental law enforcement agencies.”
“Pegasus systems log every attack in case there is a complaint, and — with the client’s permission — NSO can perform an after-the-fact forensic analysis,” The New York Times reported in January 2022. Six months later, NSO Group general counsel and chief compliance officer Chaim Gelfand told a European Parliament committee that these internal investigations have led to the termination of contracts in eight cases.
A year earlier, however, when The Washington Post reported forensic data indicating multiple Pegasus intrusion attempts against Jamal Khashoggi’s wife in the months before his murder, NSO Group’s chief executive said a “thorough check of the firm’s client records” revealed no evidence of Pegasus used against Khashoggi or his loved ones.
“After hundreds of victims, we have concluded that the internal review process either doesn’t exist or exists only for show,” says Natalia Krapiva at Access Now. “When a Human Rights Watch employee was infected, NSO responded to all the questions in just a few lines: ‘Thank you, we found nothing with our current customers. Goodbye.’ Of course, they said nothing about what their past clients could have done. It’s all gaslighting.”
Kazakhstan and Azerbaijan
In its study of Galina Timchenko’s phone infection, Access Now notes that either Kazakhstan or Azerbaijan — two suspected Pegasus clients — could have carried out the attack at Moscow’s request. (According to Access Now, Uzbekistan is not believed to have been a Pegasus customer during the period in question.) “There’s a provisional theory that Russia might have asked its partners,” says Krapiva. “Kazakhstan, for example, has already blocked Meduza twice without any requests.”
As far as researchers know, however, neither Kazakhstan nor Azerbaijan has ever executed a Pegasus attack in Europe, and Timchenko was in Germany when the infection occurred.
Moreover, evidence collected by Citizen Lab shows that Kazakhstan does not use Pegasus beyond its borders. Scott-Railton told Meduza that Azerbaijan does use the spyware abroad, but researchers have recorded these attacks in no other country except Armenia, which could explain how the phone numbers of Armenian human rights activists have been infected.
Natalia Krapiva says clients need a bonus package to use Pegasus beyond their borders: “We believe that different NSO customers can purchase different types of licenses. Some buy the rights to hack only within their country. Others buy the rights to infect a large number of countries. We still don’t understand a lot about these secret contracts, but infections outside a client’s state likely require special permission.”
Latvia, Estonia, and Germany
Timchenko’s hacked iPhone had a Latvian SIM card. Citizen Lab recorded the first Pegasus-related activity in Latvia in 2018, and experts believe Riga still uses NSO Group’s products today, says Scott-Railton.
Access Now also does not rule out that the Latvian intelligence community carried out the attack on Meduza’s co-founder. Just two months before Timchenko’s phone was infected, Latvia declared another Russian media organization in exile — TV Rain — to be “a threat to the national security and public order” and canceled its local broadcasting license. “Because of the invasion of Ukraine, there’s distrust of all Russians without exception,” says Natalia Krapiva. “If such surveillance is taking place, it’s very consistent with remarks by the president of the Czech Republic, Petr Pavel, who said intelligence agencies should place all Russians living in the West under ‘strict surveillance’ as the price of Russia’s war against Ukraine.”
However, experts at Citizen Lab have never observed Riga using Pegasus against targets outside Latvia’s borders, and Galina Timchenko was in Berlin when her phone was compromised. (Whom exactly Riga has infected with Pegasus remains unknown.)
Ivars Ijabs, a European Parliament member from Latvia who participates in a committee investigating Pegasus in Europe, told The Baltic Times in January 2023 that his home country is not among the E.U. members using the “famous Israeli spyware.” But NGOs that monitor Pegasus attacks treat such statements with skepticism. “He’s not the first official to say such things, even in the face of evidence,” notes Krapiva.
Latvia’s State Security Service told Meduza that it “does not possess information related to possible attack against Galina Timchenko’s smartphone.” The agency declined to answer Meduza’s other questions (including questions about whether the country uses Pegasus against journalists, Russian citizens, or targets on the territories of other European countries), citing the classified nature of information about its operations.
While there’s no proof that Lithuania has used Pegasus, researchers have confirmed that the Estonian authorities bought access to the spyware in 2019. Citizen Lab has corroborated these findings. More importantly, says Scott-Railton, his team has tracked Estonia “infecting targets beyond its borders in many E.U. countries, including in Germany.”
Acting under the “utmost secrecy,” the German Federal Criminal Police Office procured its own Pegasus access in 2019 but acknowledged the purchase only two years later. Natalia Krapiva says Germany has tried, albeit unconvincingly, to defend its actions as in step with European laws and democratic values:
The report by the European Data Protection Supervisor states explicitly that Pegasus in its original form is fundamentally incompatible with E.U. laws, so Germany, in its own words, is using a “special version that doesn’t violate privacy rights” — some kind of “Pegasus Lite.” But we’ve received no evidence of this, not even an idea of what a “lite” version might be. Also, the European Data Protection Supervisor concludes that Pegasus in any form is fundamentally incompatible with E.U. law.
Germany’s Pegasus access reportedly came with “certain functions blocked to prevent abuse,” sources in security circles told journalists, but officials have not explained how this works practically.
John Scott-Railton at Citizen Lab says the infection of Timchenko’s phone in Berlin “is a reminder that Europe has an unresolved problem with Pegasus.” “Why Germany isn’t interested in solving this is a mystery to me,” he told Meduza. “For example, why hasn’t Berlin signed the Joint Statement on Efforts to Counter the Proliferation and Misuse of Commercial Spyware? It’s been signed by 11 countries, including Denmark, France, and Sweden.”
Access Now points out that the four E.U. members that have become new centers of Russian anti-war emigration — Latvia, Estonia, Germany, and the Netherlands — are all suspected Pegasus users. In fact, the E.U. PEGA Committee revealed at least 14 E.U. states and 22 operators of Pegasus in the European Union, and only NSO Group’s contracts with Hungary and Poland are no more. Access Now considers the attack on Galina Timchenko to be at least the fourth in a series of similar cases across Europe in the past year. (Meduza knows the details of these other attacks, but the victims have asked for privacy.)
The growing tendency in Europe to treat journalists as a threat has also started manifesting in E.U. laws, says Krapiva. The European Commission recently adopted new rules intended to protect reporters against malware, but some member states — mainly France and Sweden — watered down the language in the European Media Freedom Act in such a way that the law actually legitimizes the surveillance of journalists on national security grounds, Krapiva warns.
The road ahead
“I’m absolutely shocked we’re seriously discussing that a European state could have done this,” says Ivan Kolpakov, Meduza’s editor-in-chief. “I’m probably naive, but this seemed impossible to me. The consequences could be devastating, and this concerns not just the news media in exile but the media in Europe generally. If such software could be installed on the phone of a journalist from Russia, who knows what’s stopping European intelligence agencies from infecting any journalist at all.”
“I can’t reconstruct the logic of European intelligence agencies that might have installed Pegasus, and I don’t want to make assumptions,” says Galina Timchenko. “Moving forward, we’ll act in accordance with what our lawyers advise. I won’t be silent.”
NSO Group declined to answer Meduza’s questions about whether it knew of the attack on Timchenko and which of its clients might have staged the intrusion. The company’s spokesperson also did not say if it is aware of cases in which Pegasus has been used against journalists in European countries or against Russian nationals, or if NSO Group knows of situations where one E.U. member state spied on a target in another E.U. member state.
In any case, NSO Group admits no responsibility for the attack on Timchenko. The company’s spokesperson stressed that the firm “investigates all credible allegations of misuse” but did not say if NSO is prepared to conduct an internal investigation into the use of Pegasus against Meduza’s co-founder and publisher.
Today, Ms. Timchenko carries two phones: a new one she bought after the intrusion and the formerly infected gadget (Citizen Lab confirmed that Pegasus is no longer installed on the device). She says she decided to keep it as a souvenir. “There’s nothing on it except messages with my hairdresser and manicurist,” she says. “Let it be. It will remind me to keep looking over my shoulder.”
Given the enormous cost of using Pegasus, Timchenko is still confounded that someone infected her with the spyware. “Just what were they planning to find? They put me under a magnifying glass, hoping to catch something… Go ahead and watch, you creeps! Feast your eyes.”
Whatever happens with Timchenko’s case, NSO Group currently faces multiple lawsuits, including one from Apple, which accuses the Israeli firm’s employees of being “amoral 21st-century mercenaries.” Amnesty International, members of the European Parliament, former U.N. Freedom of Expression Special Rapporteur David Kaye, and others have endorsed a global moratorium on the sale of all such surveillance technology until more rigorous rules and regulations can be implemented internationally.
“State-sponsored actors like the NSO Group spend millions of dollars on sophisticated surveillance technologies without effective accountability. That needs to change,” said Craig Federighi, Apple’s senior vice president of software engineering.
NSO Group has turned to lobbying as these pressures mount, especially in America. “They’re making a big effort to lift the U.S. sanctions,” Krapiva told Meduza. “Recently, Robert Simonds, a Hollywood producer who’s worked with Adam Sandler, was eyeing an investment in NSO Group. So, they’re staying the course.”
Since June 2023, experts have analyzed the phones of several dozen Meduza employees. It’s still unknown what specific information Timchenko’s attackers were after. This ambiguity worries Meduza’s technical director, Alexey, more than anyone.
“Until I know the motive, I have to expect the worst,” says Alexey. “I deal with our security not just in a technical but in the broadest sense of the word: every day, I think through how they’re going to kill us and bring us down. Surveillance, harassment, threats — I’ve already considered all these scenarios and experienced them myself, in a sense. As for Pegasus, until we have more details, we can’t rule out that Russia could have ordered the infection and that this spying could have the most serious consequences, right up to somebody being eliminated.”
Timchenko, meanwhile, says she hasn’t yet contemplated such consequences of being watched through Pegasus. “I already look back wherever I go and watch for anyone following me in a car. Meduza’s founders have always lived like this,” she says. “If they want to do it, they’ll do it.”
CREDITS
This article was originally published on September 13, 2023. It has been reposted here with the appropriate permission of Meduza’s team. Meduza is a co-founder of NEMO.
YOU MAY WANT TO READ
Meduza faced the most intense cyberattack campaign in its history
In February 2024, the Russian authorities launched a series of cyberattacks against Meduza, which have been more intense than ever. This is how it all happened.