Exiled Russian, Belarusian opposition journalists targeted with Pegasus spyware

Researchers have found that at least seven Russian and Belarusian-speaking independent journalists and opposition activists were targeted or infected with the infamous spying malware called Pegasus.

All of the newly identified victims live in Europe in exile and had previously “faced intense threats” from Russia or Belarus for criticizing their governments' policies, including Moscow’s invasion of Ukraine, according to a new investigation by the digital rights groups Access Now and Citizen Lab.

Earlier in September, they discovered traces of Pegasus on the phone of Galina Timchenko, a prominent Russian media figure and the owner of the independent media outlet Meduza. Her phone was infected while she was in Berlin for a private conference with other Russian independent journalists living in exile.

Pegasus is advanced commercial spyware sold to governments worldwide by the Israel-based NSO Group. Researchers said that they couldn’t attribute the recent infections to a specific state but allege that at least five of the identified cases may be the result of targeting by a single customer.

The hacking of Russian and Belarusian opposition journalists and activists took place between August 2020 and January 2023 while they were living abroad — in Latvia, Poland and Lithuania.

Most of them left Russia or Belarus either after Russia invaded Ukraine or before that, as they faced threats from local law enforcement inside their home country, or were declared “foreign agents” and could not do business there.

According to Citizen Lab, there is no evidence suggesting that Russia, Belarus, or Lithuania are Pegasus customers. Another possible suspect, Latvia, appears to use Pegasus, but the country is not known for targeting victims outside its borders. 

Estonia is another Baltic state that cooperates closely with Latvia and Lithuania on security matters, including those regarding Russia and Belarus. Researchers say that Estonia does appear to use Pegasus extensively outside its borders, including within multiple European countries.

The vice president of NSO Group responsible for compliance said in a comment to Meduza that he cannot disclose information about Pegasus’ specific clients but noted that the company only sells its products to countries allied with Israel and the U.S.

“We will immediately review the information in your request and initiate an investigation if necessary... A number of NSO investigations have resulted in the suspension and, in some cases, termination of customer service,” the company said.

Latest victims

Pegasus’ recent targets include Maria Epifanova, the CEO of Novaya Gazeta Europe, and Evgeniy Pavlov, a correspondent for Novaya Gazeta Baltia, who previously said that they received notifications from Apple warning about the potential spyware infection.

Epifanova’s iPhone was infected around August 2020 — the earliest known use of Pegasus to target Russian civil society, according to Access Now. The attack occurred shortly after she received accreditation to attend exiled Belarusian democratic opposition leader Svetlana Tikhanovskaya’s first press conference in Vilnius.

In an interview with Meduza, Epifanova said that spyware attacks make the journalists' work, “which is already difficult and unsafe, even less easy and safe.”

“Pegasus is a program used not by ordinary hackers, but by government intelligence agencies; no goal and no one's interests can justify interference with privacy,” she said.

Another Pegasus victim, Belarusian journalist Natallia Radzina, who was previously persecuted for her journalistic activities in Belarus, imprisoned, and forced to flee the country, was targeted by Pegasus operators three times.

“I know that for many years my absolutely legal journalistic activity has only been of interest to the Belarusian and Russian special services. And I only fear possible cooperation in this matter between the current operators of the Pegasus attack, whoever they are, with the KGB or the FSB,” she told Meduza.

Working in exile may increase certain digital risks for journalists, as they are forced to rely almost exclusively on third-party platforms and tools to communicate and spread information, according to Citizen Lab.

Latvia-based Meduza, for example, said recently that it is witnessing increasing attacks on its website. The news organization said it doesn’t know for sure who could be behind the attacks but pointed to the Kremlin.

Daryna Antoniuk is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.