In a First, Spyware Attack Targets Co-Founder of Largest Independent Russian Media Outlet

Galina Timchenko, here at a 2015 conference on Russian disinformation, recently came under Pegasus spyware attack by an unknown actor (Wikimedia Commons).

On September 13, Latvia-based independent Russian media outlet Meduza revealed that its co-founder and publisher’s phone had been infected with Israeli NSO Group’s Pegasus spyware on February 10 while she was in Berlin. Apple sent Meduza’s Galina Timchenko a message on June 22 explaining that state-sponsored attackers may have infiltrated her iPhone. A subsequent forensic analysis by digital rights group Access Now found evidence of a Pegasus infection. It is currently unclear which state is responsible for the attack, but NSO Group claims to only sell Pegasus to allies of Israel and the United States, making it unlikely that Russia is responsible. This is the first known case of a Russian journalist being targeted using Pegasus.

The Russian government declared Meduza an “undesirable organization” two weeks before the infection, banning it from operating within the country. The day after her phone was compromised, Galina Timchenko met privately with representatives from other independent Russian media outlets to discuss increased censorship and legal challenges related to operating out of Russia.

Attackers can install Pegasus remotely on devices without any action by the victim, and the spyware grants complete access to infected devices, including their cameras, location, microphones, storage, and a live view of the screen. This allowed the government behind the attack on Galina Timchenko to not only listen in on this sensitive meeting but also access encrypted messages.

NSO Group says that Pegasus is only intended for use against high-level criminals, pedophiles, and terrorists. However, governments have used the spyware against activists, journalists, politicians, and even American diplomats in recent years. Its design hides the state behind each attack, making it difficult to hold bad actors accountable. In this case, Estonia, Germany, and Latvia are the most likely culprits.

Latvia is home to many exiled Russian independent media outlets, but has grown increasingly suspicious of them. It previously revoked the broadcasting license of TV Rain, the only Russian oppositional TV channel, which moved its operations to the country following Russia’s invasion of Ukraine. Latvia purchased access to Pegasus but has only used it domestically.

Estonia has been tracked using Pegasus in other EU countries, including Germany, making it another possible candidate.

The Federal Criminal Police of Germany reported to its parliament that it purchased access to Pegasus in 2021. The German authority refused to answer whether it had used the spyware when asked by Meduza.

The International Press Institute condemned the attack and called for Germany to launch an investigation. It also called for the EU to ban the use of spyware against journalists. The Latvian Association of Journalists asked the Latvian government to clarify its use of Pegasus and to answer whether it used the spyware against Timchenko.

Ivan Kolpakov, Meduza’s editor-in-chief, lamented in an official statement, “[even] in Europe, we are not safe.” He noted increased persecution of journalists on EU territory, including the poisoning of a Meduza correspondent in Germany, one of multiple such cases. According to Kolpakov, Meduza is the target of daily hacking and phishing attempts, but the Pegasus attack is the most significant breach of the organization’s privacy to date. Kolpakov warned European readers: “If governments that profess their commitment to democratic values allow themselves to persecute journalists in exile, what’s to prevent them from treating their own journalists, political activists, and citizens the same way?”