More Russian journalists investigating possible spyware infections
More Russian journalists have come forward this week expressing concern that they too may have been targeted with spyware, following the news that the prominent media figure Galina Timchenko was hacked with Pegasus.
On Thursday, three Russian-speaking journalists reported that they have also recently received notifications from Apple warning them that their phones are potential targets for state-sponsored hackers.
Apple notified two of the journalists — Maria Epifanova, the CEO of Novaya Gazeta Europe, and Evgeniy Pavlov, a correspondent for Novaya Gazeta Baltia — in August. The third, Evgeny Erlich, a journalist-in-exile at the Russian-language outlet Current Time, did not say when he was notified.
Back in June, Timchenko, the co-founder and executive editor of the Russian independent media outlet Meduza, received a similar notification. A subsequent investigation by researchers at Access Now and Citizen Lab discovered that her phone had been compromised by Pegasus while she was in Germany meeting with other journalists.
The notorious spying software was developed by the Israeli company NSO Group and has been used across the globe, often by governments, to target journalists, activists, and scholars. For example, Pegasus has been deployed to target assassinated Saudi journalist Jamal Khashoggi.
Timchenko was the first Russian journalist to speak publicly about being infected with the tool, but, according to Natalia Krapiva, tech and legal counsel at Access Now, more such incidents could come to light soon.
"We've received many requests from Russian journalists who might be potential Pegasus targets," Krapiva told Recorded Future News. Some of them were alerted by Apple that their phones may have been hacked, while others just wanted to check if they had been infected, she added.
Access Now couldn't disclose the names of the people who had reached out to them about Pegasus due to privacy concerns.
"It looks like it’s a larger problem than we thought,” she said. “Galina's case just opened the floodgates.”
New potential victims
Erlich wrote in a Facebook post that he received a notification from Apple warning that "state-sponsored attackers are trying to remotely compromise" his iPhone.
Apple's message, as quoted by Erlich,said that these attackers were likely specifically targeting him "because of who he is or what he does."
Like Timchenko, Erlich uses a Latvian SIM card. He also noticed that his iPhone had been running warmer than usual recently, which is one of the visible signs of a potential spyware infection. As a precaution, he asked his friends and colleagues not to share any confidential information with him until his device could be checked.
Novaya Gazeta published an article on Thursday about the suspected hacks of Epifanova and Pavlov, who were warned in August by Apple of suspicious activity on their devices. In September, Epifanova also received a Telegram alert about her account being accessed from a Huawei device in Cairo, Egypt.
Similar to Timchenko, Epifanova and Pavlov also reside in Latvia and use Latvian SIM cards. They both contacted Access Now to check their devices.
Who was behind the attack on Timchenko remains something of a mystery. NSO Group claims that Pegasus is exclusively sold to government agencies but Russia is not known to be a Pegasus customer.
However, it's possible that countries with ties to Russia, like Azerbaijan, Kazakhstan, or Uzbekistan, may have hacked Meduza on behalf of the Kremlin.
Additionally, the researchers said Latvia or Germany, both of which have signed Pegasus contracts, could have been involved, as they are respectively where Meduza is located and where Timchenko’s phone became infected.
Latvia's state security service told Meduza that it "does not have information about a possible attack on Galina Tymchenko's phone.
Multiple human rights organizations expressed concerns regarding the use of Pegasus against journalists. The Committee to Protect Journalists (CPJ) said that it is deeply disturbed by Timchenko’s case.
“Journalists and their sources are not free and safe if they are spied on,” said CPJ’s statement. “Governments must implement an immediate moratorium on the development, sale, and use of spyware technologies.”
The nonprofit organization Reporters Without Borders (RWB), which has arranged several meetings with exiled Russian journalists and editors, said that “it is deeply shocked to learn that numerous Russian journalists and, potentially, its own staff may have been affected by spyware.”
Given that Timchenko was infected with spyware during a conference in Berlin, RWB has called on the German government to “thoroughly investigate this shocking case.”
“When journalists can no longer meet and exchange information without fear of surveillance, it has a direct impact on their work,” RWB said in a statement.
Daryna Antoniuk
is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.