Access Now, a nonprofit that defends digital rights, and the University of Toronto’s Citizen Lab say they confirmed the Pegasus infection after Timchenko received an alert this summer from Apple that spyware may have been planted on her phone.
Pegasus, a creation of the Israeli company NSO Group, can be installed on a phone remotely without the phone’s owner clicking a link or taking other action. Once installed, Pegasus can access everything including a phone’s contact list and its internal microphone and camera. It’s been been used against American diplomats, human rights activists, journalists and dissidents across the globe. The Biden administration in 2021 said NSO’s operations were contrary to U.S. interests and added the group to the Commerce Department’s entity list, prohibiting American companies from doing business with it without a special license.
NSO has long said it sells licenses for Pegasus only to governments for legitimate law enforcement purposes. A person familiar with NSO operations, who spoke on the condition of anonymity to discuss the matter, said the Russian government is not a client.
Researchers said they couldn’t determine who was behind the infection after analyzing Timchenko’s phone. Leading suspects include Russia and a number of its neighbors, they say.
That mystery points to a disturbing trend, said David Kaye, a former U.N. special rapporteur who investigated the proliferation of commercial spyware during his time there from 2014 to 2020.
“When we see cases like this, at some level we need to, want to, know who the perpetrator is,” said Kaye, now a professor at the University of California at Irvine’s School of Law who did not play a role in analyzing Timchenko’s phone. “But at the same time, when you have such a globally unregulated tool, it’s just going to become part of the norm — that human rights defenders, activists, journalists, opposition figures and so forth are going to be regular targets.”
Apple notified Meduza in June about the possible hack.
The date of the suspected infection was Feb. 10, when Timchenko was visiting Germany for a Feb. 11 meeting with other Russian journalists in exile to discuss new restrictions that their home country had imposed on the internet and the media.
The month before, Moscow had labeled Meduza — which claims more than 10 million monthly readers, most inside Russia — an “undesirable organization,” effectively outlawing the publication.
Timchenko said she had been accustomed to harassment on the streets of Russia from “propagandists” before relocating Meduza to Riga, Latvia’s capital, in 2014. But this was different. “I never expected to be a target for spyware.”
“I decided that maybe I did something wrong. Maybe I didn’t follow security protocols,” she said. “And it was approximately half an hour of a nightmare. But then when I realized that this is not my fault at all, that it just happens, I became angry.”
Timchenko was most worried that whoever planted the spyware on her phone obtained her contact lists.
“To know that your vast network of contacts can be targeted even when you’ve done all that you should professionally in order to protect yourself and your sources, it’s really, to my mind, pretty frightening,” Kaye said. “It’s absolutely essential for journalists to be protected so that governments and their publics get access to information.”
Also worrisome is the possibility that the perpetrators might have activated the microphone on Timchenko’s device to listen in on what the Russian journalists were discussing at their February meeting, said Natalia Krapiva, tech legal counsel at Access Now.
Spyware poses a particular threat to democracy when it hits journalists, said John Scott-Railton, senior researcher at Citizen Lab.
“In a democracy, it is very important that journalists be able to do their jobs, and the only way you get people comfortable saying true things is if they can sometimes tell them to journalists discreetly with a degree of privacy,” he said. “Pegasus rips that source protection apart and makes it impossible for careful journalists to really be sure that they’re able to do what their ethics require.”
Spyware also poses a direct risk to journalists themselves. The widow of murdered Washington Post Jamal Khashoggi has filed a lawsuit against NSO Group, alleging that the firm’s technology spied on him in the months leading up to his demise.
Each of the top suspects have their own mix of capabilities and motivations for eavesdropping on Timchenko.
Meduza, as an independent news outlet that reaches readers in Russia, is a “big target” for the Russian government, Timchenko said. At the same time, researchers have seen no evidence that Russia is an NSO Group client.
The Israeli Defense Ministry approves export licenses for Pegasus that have reportedly ended up in the hands of repressive regimes like Saudi Arabia. But Russia may be too risky for Israel to approve a Pegasus license for, Krapiva said.
Access Now named Latvia another suspect as the headquarters of Meduza, citing a recent hostile turn toward another exiled Russian outlet, TV Rain, whose Latvian government license was canceled after it was labeled a national security threat. Citizen Lab has suspected Estonia, a Latvian ally, of conducting cross-border spyware infections before.
Other possible suspects include Russian-allied nations Azerbaijan, Kazakhstan and Uzbekistan. Timchenko theorized that a Russia-friendly nation could have infected her phone on Moscow’s behalf.
The Latvian Embassy declined to comment.
“NSO only sells its technologies to allies of the US and Israel and always investigates credible allegations of misuse, taking prompt action if warranted,” the company said in a statement.
Germany only acknowledged its use of Pegasus after its purchase of the spyware was exposed in a 2021 news investigation, sparking widespread criticism from rights groups.
German officials have insisted that investigators in its police and intelligence agencies only use a version of the software that is adapted to comply with the limits of the country’s legal system, without giving details of how that is ensured. Rulings by Germany’s Federal Constitutional Court enshrine the right to confidentiality on electronic devices and restrict state hacking to cases where there are “extremely important legal interests” such as a threat to life or the security of the state.
Spyware opponents worry what it means for Timchenko’s phone to have been infected while she was in Germany, a member of the European Union.
“Democracy is under threat by big actors like Russia,” Scott-Railton said. “And Europe has served as a tremendous countervailing force to the invasion in Ukraine. It is especially troubling to see techniques that one would expect to be used by anti-democratic powers showing up within the borders of the E.U.”
Access Now flagged Germany as a possible suspect in the infection of Timchenko’s phone, but a German member of the European parliament who sat on a committee that conducted oversight of spyware cast doubt on that idea given the limited form of Pegasus the government obtained, among other reasons.
“I would be very surprised that they would use it on an anti-regime Russian journalist inside Germany,” said the member, Hannah Neumann. Still, she said a German legislative panel with oversight of German intelligence agencies should look into what happened, because Timchenko is “the kind of person who should be able to find refuge and be protected in Germany. And apparently, because this stupid technology exists, and because there is not much willingness on an international level to regulate it, we can’t.”
Germany’s government press office referred questions to the interior ministry, which declined to comment.
Germany notably did not sign a U.S.-led joint statement in March among nations vowing to take specific steps to combat the proliferation of spyware.
The Biden administration has won plaudits from activists over what it has done to fight spyware, especially an executive order committing to limit the federal government’s own use of spyware following criticism of the FBI for flirting with an NSO Group contract.
Rep. Jim Himes (Conn.), the top Democrat on the House Intelligence Committee who has championed legislation signed into law to restrict U.S. intelligence agencies’ use of spyware, said stories like Timchenko’s are a “dispiriting” example of the ongoing problem.
“If it turns out to be the Russians, surprise, surprise, put that on the list of dictatorial things Russia does,” Himes said. “I would be particularly concerned, however, if it turned out to be one of our NATO allies, one of the democracies.”
In Europe, a parliamentary committee that wrapped up its investigation of Pegasus this summer said several member nations did not cooperate with its probe. The Parliamentary Assembly of the Council of Europe said last week that five nations, including Azerbaijan, must investigate spyware abuses and also called on Israel to explain how it ensures Pegasus won’t violate human rights.
Citizen Lab assessed with “moderate confidence” that the offenders got into Timchenko’s phone via a zero-click exploit that the lab highlighted in April that targeted Apple’s HomeKit and iMessage.
Apple says it doesn’t share the number of spyware notifications it has sent out to users. But it did file a lawsuit against NSO Group in 2021 to block the company from using any Apple products or services “to prevent further abuse and harm to its users.”
Access Now is contemplating additional legal action against NSO Group in response to the infection of Timchenko’s phone.
But the full answer to spyware can’t come from Apple or Timchenko, Scott-Railton said.
“This is not really a user behavior problem,” he said. “It’s why it’s not just an Apple problem. It has to be a policy problem and a government problem, because this stuff is very dangerous, very effective, is not going away and isn’t easy to mitigate the effects of in any other approach.”
The widespread use of technology in daily life means spyware poses a risk to everyone, Krapiva said.
“The general public following these infections might think, ‘This is all interesting, but really I have nothing to hide,’” she said. “‘Why will the government be interested in me?’ And I think the more and more revelations that we have, we also see all kinds of all kinds of constituencies being affected — media, journalists, politicians, but also university professors, some individuals that you would think have nothing sensitive.”
Access Now is investigating other hacking incidents in Eastern European that it said it doesn’t have permission to discuss. “I do hope that once this goes public that more victims would want to come forward because I think it is important,” Krapiva said.
Loveday Morris in Berlin contributed to this report.