Exiled Russian journalist had phone hacked with Pegasus spyware

The phone of a prominent Russian journalist and critic of the Kremlin was infected with Pegasus spyware, according to new research.

The notorious spying software developed by the Israeli company NSO Group was reportedly installed on the iPhone of Galina Timchenko, owner of the Russian independent media outlet Meduza, while she was in Berlin for a private conference with other Russian independent journalists living in exile. It is the first documented case of a Pegasus infection targeting a Russian citizen, according to Access Now, one of the nonprofits that investigated the hack.

The attack took place in February, two weeks after the Russian government outlawed Meduza for its critical coverage of Vladimir Putin’s regime and the war in Ukraine, the researchers said.

Meduza relocated its office to Latvia in 2014, and people living in Russia today can only access its website through a VPN. Meduza markets itself as one of the few Russian independent media outlets whose coverage remains free from control or censorship by the Kremlin.

Earlier in June, Timchenko received a notification from Apple that her phone might be a target for state-sponsored hackers. Timchenko didn't give this warning much thought, as, according to a Meduza report, the Russian authorities have been trying to hack or disrupt her newsroom's infrastructure for years.

Yet, Access Now, a nonprofit advocating for digital rights, and the University of Toronto's Citizen Lab discovered that Timchenko's iPhone had been infected with Pegasus spyware. This spyware can access calls, messages, and photos, activate the device's camera and microphone, and track the phone's location.

“I am not sure what those behind the Pegasus hacking could have found on my device,” Timchenko told Access Now. “I have set very strict boundaries for my digital and regular life a long time ago.”

Timchenko said she is mainly worried that those who hacked her phone might now have her contact list, which is especially risky if the attackers were from Russia, “where any citizen can be persecuted for cooperating with 'undesirable' organizations.”

Who's behind the hack?

Pegasus is exclusively sold to government agencies, but the researchers said they couldn’t determine who was behind the attack. NSO Group did not immediately respond to a request for comment.

According to Citizen Lab, there's no evidence that the Russian government uses Pegasus. However, it's possible that countries with ties to Russia, like Azerbaijan, Kazakhstan, or Uzbekistan, may have hacked Meduza on behalf of the Kremlin. Additionally, the researchers said Latvia or Germany could have been involved, as they are respectively where Meduza is located and where Timchenko’s phone became infected.

Access Now's earlier research uncovered that Pegasus was used to target Armenian journalists, activists, government officials, and civilians during the war between Armenia and Azerbaijan in the contested Nagorno-Karabakh region. There is no evidence of Azerbaijan or Kazakhstan targeting people in Germany, Latvia, or other E.U. states, according to Citizen Lab.

Meduza’s response

After confirming the Pegasus infection on Timchenko's phone, Meduza's leadership held an emergency meeting in its offices. "We were all terrified but pretended we weren’t," said the head of Meduza's technical division, whose name is being kept confidential for safety reasons.

Meduza reported that Timchenko tried to "laugh it off," but eventually, she burst into tears.

“I already felt like I’d been stripped naked in the town square. Like someone had reached into my pocket. Like I was dirty somehow. I wanted to wash my hands,” she said.

According to researchers, it's extremely difficult to stop Pegasus from infecting any targeted device running a single vulnerable application, even those pre-installed by Apple itself. Citizen Lab's analysis suggests that the attackers probably got into Timchenko's iPhone through a zero-click exploit in HomeKit and iMessage. A zero-click exploit allows an attacker to compromise a device or system without any interaction or action required from the user.

Timchenko had no reason to suspect anything was wrong with her iPhone, except for moments when it seemed warmer than usual, which she attributed to her new charger, according to Meduza.

On Wednesday, Meduza’s chief editor, Ivan Kolpakov, released a statement in Russian, saying that Timchenko's phone hack demonstrates that Russian exiled journalists “can't feel safe even in Europe.”

“Independent journalists from Russia and other nations might feel trapped, facing pressure from both their own governments and their formidable security systems, as well as the intelligence agencies in the countries where they seek refuge,” Kolpakov said.

According to Kolpakov, Meduza, and its reporters are under constant threat from attackers in both the physical world and the digital space. Since Meduza’s first days, Russian state-sponsored hackers consistently targeted it with DDoS attacks, phishing emails, and cyberattacks aimed at its mobile application.

"They intimidate us and try to make us think only about our safety and not about our work," he said.