Access Now, a digital rights nonprofit organization, and the University of Toronto's Citizen Lab announced they had confirmed the Pegasus infection after Timchenko received a warning from Apple this summer that her phone may have spyware.
Developed by the Israeli company NSO Group, Pegasus can be installed remotely on a phone without the phone owner having to click a link or take any other action. Once installed, Pegasus gives its operator access to everything on the phone, including the contact list and the internal microphone and camera. It has been used around the world against American diplomats, human rights activists, journalists, and dissidents. In 2021, the Biden administration added the group to the Commerce Department’s Entity List, barring U.S. companies from doing business with NSO without a special license, saying NSO’s operations were contrary to U.S. interests.
NSO has long said it only sells Pegasus licenses to governments for legitimate law enforcement purposes. A person familiar with NSO’s operations, who spoke on condition of anonymity to discuss the matter, said the Russian government is not a client.
Researchers said they were unable to determine who was behind the infection after analyzing Timchenko’s phone. The main suspects include Russia and a number of neighboring countries.
The mystery points to a disturbing trend, said David Kaye, a former United Nations special rapporteur who investigated the prevalence of commercial spyware from 2014 to 2020.
“When you see a case like this, on some level you need and want to know who the perpetrator is,” said Kaye, now a professor at the University of California, Irvine School of Law, by phone. “But at the same time, when you have a globally unregulated tool like this, it just becomes part of the norm, and human rights defenders, activists, journalists, opposition figures, etc. are regularly targeted. It will become.”
Apple notified Meduza of the possible hack in June.
The date of her suspected infection was February 10, and Timchenko had traveled to Germany on February 11 to discuss new restrictions on the internet and media in her home country with exiled Russian journalists.
The previous month, the Russian government labeled Meduza (which claims more than 10 million monthly readers, most of them in Russia) an “undesirable entity,” effectively making its publication illegal.
Timchenko said she was used to being harassed by “propagandists” on the streets of Russia before moving Meduza to Latvia’s capital Riga in 2014. But this was different. “I never thought I would be targeted by spyware.”
“I decided I might have done something wrong. Maybe I wasn’t following security protocols,” she said. “And it was about 30 nightmarish minutes. But when I realized that this wasn’t my fault and that it just happened, I got angry.”
Timchenko’s biggest fear was that the person who had placed spyware on her phone had obtained her contact list.
“It’s really scary for me to know that even if I’ve done everything I should professionally do to protect myself and my sources, my vast network could be targeted,” Kaye said. “It is absolutely essential that journalists are protected so that governments and their citizens have access to information.”
Another concern is that the perpetrators may have activated the microphone on Timchenko’s device and eavesdropped on what Russian journalists were discussing at the February meeting, said Access Now technology law advisor Natalia Krapiva.
John Scott-Railton, a senior researcher at Citizen Lab, said spyware poses a particular threat to democracy if it hits journalists.
“In a democracy, it is vitally important that journalists be able to do their jobs, and the only way people can feel safe telling the truth is to protect some privacy and sometimes tell journalists discreetly. The question is whether we can do it or not,” he said. “Pegasus rips apart the protections of its sources, making it impossible for careful journalists to truly be sure they can do what their ethics require.”
Spyware also poses a direct risk to journalists themselves. The widow of slain Washington Post reporter Jamal Khashoggi has filed a lawsuit against NSO Group, claiming the company’s technology spied on her in the months leading up to his death.
Each of the main suspects has a unique combination of abilities and motives for eavesdropping on Timchenko.
Meduza is a “big target” for the Russian government as an independent news outlet that reaches a Russian audience, Timchenko said. At the same time, researchers have not identified any evidence that Russia is a customer of NSO Group.
The Israeli Ministry of Defense approved an export license for Pegasus, but it reportedly ended up in the hands of repressive regimes such as Saudi Arabia. But Krapiva said the risk may be too great for Israel to allow Russia to license Pegasus.
Access Now named Latvia, where Meduza is based, as another suspect, citing recent hostile behavior toward another exiled Russian broadcaster, TV Rain, whose license the Latvian government revoked after deeming it a national security threat. Citizen Lab previously suspected Latvia’s ally Estonia of carrying out cross-border spyware infections.
Other possible suspects include Russian allies Azerbaijan, Kazakhstan and Uzbekistan. Timchenko theorized that a country friendly to Russia may have infected her phone on Moscow’s behalf.
The Latvian embassy declined to comment.
“NSO sells its technology only to allies in the United States and Israel, and we always investigate credible allegations of abuse and take swift action when warranted,” the company said in a statement.
Germany confirmed its use of Pegasus after a 2021 media investigation revealed the purchase of spyware, sparking widespread criticism from rights groups.
German officials have insisted that police and intelligence agents will only use versions of the software that are adapted to comply with the restrictions of the country’s legal system, but did not provide details on how that would be ensured. The German Federal Constitutional Court’s ruling enshrines the right to secrecy of electronic devices and limits state hacking to cases where there is a “vital legal interest” such as a threat to life or national security.
Opponents of spyware are concerned about the implications of Timchenko’s phone being infected while in Germany, a member of the European Union.
“Democracy is threatened by great powers like Russia,” said Scott-Railton. “And Europe has served as a tremendous countervailing force against the invasion of Ukraine. It is particularly worrying to see the emergence within the EU of the methods likely to be used by anti-democratic forces.”
Access Now issued a warning to Germany over the suspected infection of Timchenko’s mobile phone, but a German member of the European Parliament who sat on its spyware monitoring committee cast doubt on that idea, given the limited version of Pegasus that the government had obtained and other factors.
“I would be very surprised if they would use this information against dissident Russian journalists in Germany,” said member Hanna Neumann. Still, she said, Timchenko “is a person who deserves refuge and protection in Germany, so the German Legislative Committee, which oversees Germany’s intelligence services, should investigate what happened. And obviously we can’t regulate it because this stupid technology exists and there’s not a lot of appetite at the international level to regulate it.”
The German government press office referred questions to the Interior Ministry, which did not respond to requests for comment.
Germany specifically did not sign a US-led joint statement in March among countries pledging to take concrete steps to combat the spread of spyware.
The Biden administration has vowed in an executive order to limit the federal government’s own use of spyware, following criticism, particularly of the FBI, which has touted a contract with NSO Group. What it has done to combat spyware has received praise from activists.
Rep. Jim Himes of Connecticut, the top Democrat on the House Intelligence Committee and a supporter of legislation to limit the use of spyware by U.S. intelligence agencies, said stories like Timchenko’s are an “alarming” example of an ongoing problem.
“If it turns out that it was done by Russians, surprise, surprise, add it to the list of Russian authoritarian acts,” Himes said. “But I would be particularly concerned if it turned out to be one of our NATO allies, one of our democracies.”
In Europe, a parliamentary committee that completed its investigation into Pegasus this summer said several member states were not cooperating with the investigation. The Council of Europe parliament said last week that five countries, including Azerbaijan, must investigate spyware misuse and called on Israel to explain how it will ensure Pegasus does not violate human rights.
Citizen Lab assessed with “moderate confidence” that the perpetrators gained access to Timchenko’s phone via a zero-click exploit that the lab featured in April, which targeted Apple’s HomeKit and iMessage.
Apple says it does not disclose the number of spyware notifications it sends to users. However, in 2021, the company filed a lawsuit against NSO Group seeking to prevent it from using Apple products and services “to prevent further abuse or harm to users.”
Access Now is considering additional legal action against NSO Group following the infection of Timchenko’s mobile phone.
But the complete answer to spyware won’t come from Apple or Timchenko, said Scott-Railton.
“This isn’t really a user behavior issue,” he said. “That’s why this isn’t just an Apple issue. This is a policy issue, and it has to be a government issue, because it’s very dangerous and it’s very effective. It’s not going away, and it’s not easy to reduce its impact with other approaches.”
The widespread use of technology in everyday life means spyware poses a risk to everyone, Krapiva said.
“The public who knows about these outbreaks might think, ‘This is all interesting, but we actually have nothing to hide,’” she says. “Why would the government be interested in me?” And the more information we expose, the more information we expose, not just the media, journalists, politicians, but university professors, who don’t seem to have any sensitivities. I think you’ll see all kinds of voters being affected, including people who are affected by the pandemic.”
Access Now is investigating other hacking incidents in Eastern Europe, but said it was not authorized to discuss them. “I hope that once this becomes public, more victims will come forward, because I think it’s important,” Krapiva said.
Loveday Morris in Berlin contributed to this report.