In an investigative collaboration with Access Now, the Citizen Lab has analyzed forensic artifacts from the iPhone of award-winning exiled Russian investigative journalist Galina Timchenko and found with high confidence that on or around February 10th, 2023 it was infected with NSO Group’s Pegasus spyware.
Click here to read Access Now’s full investigation on the case.
At the time of the infection, her device was localized to the GMT+1 time zone, and she reports that she was in Berlin, Germany. The day following the infection she was scheduled to attend a private meeting with other heads of Russian independent media exiled in Europe to discuss how to manage threats and censorship by Putin’s regime.
We believe the infection could have lasted from days up to weeks after the initial exploitation. The infection was conducted via a zero-click exploit, and forensic traces lead us to assess with moderate confidence that it was achieved via the PWNYOURHOME exploit targeting Apple’s HomeKit and iMessage.
Timchenko is co-founder, CEO, and publisher of Meduza, a prominent Russian independent media outlet exiled in Europe, which has been labeled “an undesirable organization” by the Russian government. Timchenko is the recipient of the Committee to Protect Journalists Gwen Ifill Press Freedom Award.
While there are several possible hypotheses for which government client of NSO Group may have been responsible for this hacking (see Access Now’s investigation for discussion), we are unable to make a conclusive technical determination on attribution at this time.
Think You Are At Risk? Take Action
We urge anyone who may be at risk of hacking because of who they are or what they do to seek expert support, and take steps to increase the security of their phones.
Enable Lockdown Mode
As in many recent cases, we believe that Apple’s Lockdown Mode would have blunted this attack. Click for instructions on how to enable Lockdown Mode.
Be Vigilant for Apple Notifications
Apple continues to notify victims targeted with certain types of mercenary spyware, including NSO’s Pegasus. If you or someone you know has received such a notification, take it seriously.
We strongly recommend that you make contact with organizations such as the Citizen Lab or Access Now’s Digital Security Helpline if you are within their mandate (i.e., members of civil society likely to be at high risk of such targeting) so that you may get further clarity and potentially help protect others.
Seek Expert Assistance
While Lockdown Mode is an example of a powerful security step, and some users may receive notifications, we can’t be sure Lockdown Mode will always work, or that you’ll be notified. We strongly recommend that you seek expert assistance if you or your organization faces increased risks. A number of NGOs, including Access Now, maintain helplines that can assist high-risk users in civil society.