Seven Russian and Belarusian-speaking independent journalists and opposition activists based in Europe were targeted or infected with NSO Group’s proprietary Pegasus spyware.
A joint investigation by Citizen Lab and Access Now detailed incidents from August 2020 to January 2023 and concluded that a single NSO Group customer might be responsible for at least five of these cases.
Threats Against Critics of Russian and Belarusian Regimes
In September 2023, Citizen Lab and Access Now reported the hacking of exiled Russian journalist Galina Timchenko, CEO and publisher of Meduza, with Pegasus spyware. Building on these findings, the investigation, in collaboration with digital security expert Nikolai Kvantiliani, now reveals the targeting of seven additional Russian and Belarusian-speaking civil society members and journalists.
Many of these individuals, living in exile, have vocally criticized the Russian government, including its invasion of Ukraine, and have faced severe threats from Russian and Belarusian state security services.
Critics of the Russian and Belarusian governments typically face intense retaliation, including surveillance, detention, violence, and hacking. The repression has escalated following Russia’s 2022 invasion of Ukraine, with laws severely curtailing the operations of media and civil society organizations.
An example of this is the Russian government designating the Munk School of Global Affairs & Public Policy at the University of Toronto, home to the Citizen Lab, as an “Undesirable Organization,” in March 2024.
Many opposition activists and independent media groups have relocated abroad to continue their work. Despite the geographic distance, these exiled communities face ongoing threats, including violent attacks, surveillance, and digital risks. For instance, Meduza reported a significant Distributed Denial of Service (DDoS) attack on their website during Russia’s 2024 presidential elections.
Investigation Confirmed Pegasus Spyware Targeting
The investigation confirmed that the following individuals were targeted or infected with Pegasus spyware. Their names are published with their consent.
Access Now and Citizen Lab confirmed that five victims’ phones had Apple IDs used by Pegasus operators in hacking attempts. Exploits leveraging bugs in HomeKit can leave the attacker’s Apple ID email address on the victim’s device. Citizen Lab believes each Apple ID is tied to a single Pegasus operator, although one operator may use multiple IDs.
The same Apple ID was found on the phones of Pavlov, Radzina, and a second anonymous victim. A different email account targeted both Erlikh and Pavlov’s phones on November 28, 2022. Artifacts from Andrei Sannikov and Natallia Radzina’s phones contained another identical email. This indicates that a single Pegasus spyware operator may have targeted at least three of the victims, possibly all five.
The investigators could not attribute the attacks to a specific operator but certain trends pointed to Estonia’s involvement. Based on previous investigation, Poland, Russia, Belarus, Lithuania, and Latvia are all known to be customers of the NSO Group’s spyware, but the likeliness of their involvement is low as they do not target victims outside their borders, the investigators said. Estonia, however, is known to use Pegasus extensively beyond its borders, including in multiple European countries.
Concerns Over Digital Transnational Repression
This pattern of targeting raises serious concerns about the legality and proportionality of such actions under international human rights law. The attacks occurred in Europe, where the targeted individuals sought safety, prompting questions about host states’ obligations to prevent and respond to these human rights violations.
The ongoing investigation highlights the persistent threats faced by exiled Russian and Belarusian journalists and activists. As digital transnational repression continues, it underscores the urgent need for robust international measures to protect freedom of expression and privacy for these vulnerable groups.
“Access Now [urged] governments to establish an immediate moratorium on the export, sale, transfer, servicing, and use of targeted digital surveillance technologies until rigorous human rights safeguards are put in place to regulate such practices, and to ban the use of spyware technologies such as Pegasus that have a history of enabling human rights abuses.”
Apple recently issued notifications to users in more than 90 countries alerting them of possible mercenary spyware attacks. The tech giant replaced the term “state-sponsored” in its alerts with “mercenary spyware attacks,” drawing global attention. Previously, Apple used “state-sponsored” for malware threats, but now it highlights threats from hacker groups.
Apple noted that while these attacks were historically linked to state actors and private entities like the NSO Group’s Pegasus, the new term covers a broader range of threats.