‘Let’s find out if they’re spies’
Pegasus spyware was used to target seven more journalists and activists in the E.U.
In September 2023, Meduza broke the news that unknown attackers had used Pegasus spyware to infect the iPhone of our co-founder and publisher, Galina Timchenko. Since then, experts at Access Now and Citizen Lab, with the help of security analyst Nikolai Kvantaliani, have tested dozens of devices belonging to Russian, Belarusian, Latvian, and Israeli journalists and activists living in the European Union, and found that at least seven of them were hacked, too. Meduza special correspondent Lilia Yapparova reports on this investigation’s findings.
At least seven Russian-speaking journalists and activists living in the European Union have been targeted with Pegasus, a powerful Israeli-made spyware sold exclusively to state clients. A new investigation from Access Now, Citizen Lab, and independent security analyst Nikolai Kvantaliani found that Pegasus was used to target citizens of Russia, Belarus, Latvia, and Israel in E.U. countries between 2020 and 2023.
At least three of these journalists live in Riga: Novaya Gazeta Europe general director Maria Epifanova, Baltiya reporter Evgeny Pavlov, and former Baltiya.Nedelya editor-in-chief Evgeny Erlikh. All three received Apple threat notifications and contacted Access Now for help in September 2023, after learning about the Pegasus hack targeting Meduza co-founder and publisher Galina Timchenko.
According to the investigation’s findings, Erlikh’s iPhone was infected on November 28 or 29, 2022, while he was visiting Austria with his wife. Pavlov’s smartphone was targeted around the same time and then again six months later, on April 24, 2023; he was in Latvia on both occasions.
Maria Epifanova’s phone was hacked much earlier, on August 18, 2020, marking the earliest known Pegasus attack on a Russian civil society figure, the investigation says. Epifanova was in Latvia at the time but traveled to Vilnius three days later for a press conference with exiled Belarusian opposition leader Sviatlana Tsikhanouskaya.
A fourth journalist, who moved to Vilnius, Lithuania shortly after Russia’s full-scale invasion of Ukraine, asked to remain anonymous. His device was hacked on June 15, 2023 — the day before he left Vilnius for an event in Riga attended by dozens of émigrés who left Russia because of the war. Natalia Krapiva, Access Now’s tech-legal counsel, said this person’s phone may have been infected “so it could be used as a wiretap.”
The three other hacking victims are citizens of Belarus. One Belarusian activist living in Vilnius, who also requested anonymity, had her phone hacked around March 25, 2021. That day, the Belarusian diaspora was observing Freedom Day, an unofficial holiday commemorating Belarus’s declaration of independence in 1918, which has become an important celebration for members of the anti-Lukashenko opposition.
The two other Belarusian civil society figures targeted with Pegasus live in Warsaw, Poland. Veteran opposition politician Andrei Sannikov’s phone was infected around September 7, 2021. Natallia Radzina, the editor-in-chief of the independent Belarusian media website Charter97, had her smartphone infected with Pegasus on December 2 and 7, 2022, and then again on January 16, 2023. The first attack on Radzina’s phone came immediately after she attended the Free Russia Forum, an annual Russian opposition conference in Vilnius.
“This is a violation of my privacy and the confidentiality of my correspondence and telephone conversations,” Radzina told Meduza.
“Previously, my phone was illegally tapped in Belarus, where I was persecuted for political reasons, subjected to criminal prosecution, and imprisoned by the KGB. I know that for many years now, my absolutely legal journalistic work can only be of interest to the Belarusian and Russian intelligence services. And my only fear is that current [Pegasus] operators, whoever they may be, cooperated with the KGB or the FSB in this matter.”
A single operator?
Access Now and Citizen Lab uncovered that the same Apple ID was used in several of the aforementioned attacks. Two different email addresses were created specifically for this purpose. Hackers used the same email address to target Evgeny Pavlov and Evgeny Erlikh in November 2022, while another email address was used to target Pavlov, the Russian journalist living in Lithuania, and Natallia Radzina between January and June 2023.
This suggests that the same operator was behind each series of attacks. “We believe that different states cannot attack people from a single email address,” Krapiva said. “But we can’t rule out that the same operator could have created two email addresses.”
According to Krapiva, this likely means that “one operator is behind the hacks on at least three people in Latvia, Lithuania, and Poland. [And later,] either the same operator or someone else simultaneously infected targets in Latvia and Austria.”
This type of geographic spread is not unprecedented, she added. Saudi Arabia and Morocco, for example, have used Pegasus to infect targets in various countries. As Krapiva told Meduza previously, Access Now believes that the company behind Pegasus, NSO Group, sells different types of licenses to its customers. “Some buy the rights to hack only within their country. Others buy the rights to infect a large number of countries. We still don’t understand a lot about these secret contracts, but infections outside a client’s state likely require special permission,” she explained.
Erlikh suspects that his and Pavlov’s devices were targeted simultaneously because they used to work together and both used SIM cards that were originally purchased by Mediaframe, a company registered in Erlikh’s name. “Perhaps they decided to infect all of our company’s phones at once just to be on the safe side,” Erlikh told Meduza. Pavlov also felt this was “the only explanation.”
Maria Epifanova is also the director of Novaya Gazeta Baltiya, an outlet both Pavlov and Erlikh have worked with. “Naturally, our outlet perceives this situation as an attack on our journalists,” Epifanova said.
“Pegasus is a program used not by ordinary hackers but by state intelligence agencies; no goal and no one’s interests can justify interference in one’s private life. This makes our work, which is already difficult and unsafe, even less simple and safe.”
‘I have nothing to hide’
Access Now and Citizen Lab have refrained from publicly connecting a specific operator to these Pegasus attacks. However, the results of their new investigation cast suspicion on the Baltic countries.
“All of the victims either live in the Baltic countries or were there on a trip, like the Belarusian journalist [Natallia Radzina], and many of them specifically covered the Baltic region in their work,” Krapiva observed. “Many of them had recently moved to Europe from Russia or Belarus. Clearly, they could have come under suspicion from the local intelligence services as potential spies.”
According to Citizen Lab, there is no evidence suggesting that Russia, Belarus, Austria, or Lithuania are Pegasus users. And Poland says it no longer uses the spyware. “The infections in Warsaw took place in 2022 and 2023, but Poland only had access to Pegasus until 2021. After the press wrote about the country’s use of spyware and a scandal broke out, NSO Group terminated their contract with [the previous Polish government],” Krapiva recalled.
Although Latvia is believed to use Pegasus, the country is not known for targeting people outside its borders. However, Estonia, which cooperates closely with Latvia and Lithuania on security matters, acquired Pegasus in 2019 and is believed to use the spyware extensively abroad, including in other E.U. countries.
* * *
“I’m not angry at the local government, if it really was them,” Evgeny Erlikh told Meduza. “The Latvian security forces get a lot of money to combat the threat from Russia, and they’re expected to produce results. And then some Russian journalists show up in [their] country claiming to oppose the annexation of Crimea. But do they really? Let’s find out if they’re spies.”
Maria Epifanova said she plans to contact Latvia’s State Security Service directly. “At the time my phone was hacked, I was on Latvian territory; it’s my permanent place of residence. If Latvian agencies didn’t have anything to do with this hack, they should at least be interested in what other countries’ intelligence agencies are doing on their territory,” she explained.
In turn, Evgeny Pavlov said that he’s still “completely bewildered” by the fact that anyone would “spend so much money and effort” to spy on him. “Even if I’d known that my phone had been wiretapped all this time, I would have lived the same way,” he added. “Because I have nothing to hide.”
“Due to regulatory constraints, we cannot confirm or deny any alleged specific customers,” NSO Group’s press office told Meduza. “However, we would like to emphasize that NSO sells its products only to allies of Israel and the U.S.”
In response to questions, NSO Group’s deputy general counsel for compliance Chaim Gelfand said that the company would “immediately review” the information Meduza had provided and “initiate an investigation as warranted.”
“NSO Group is committed to upholding human rights and protecting vulnerable individuals and communities, including journalists,” Gelfand added. “However, it is important to note that holding a journalist credential does not grant automatic immunity from legal scrutiny or actions.”
Latvia’s State Security Service, Estonia’s Foreign Intelligence Service, Lithuania’s State Security Department and National Cyber Security Centre, and Poland’s Central Anticorruption Bureau did not respond to Meduza’s questions in time for publication.