Head of the independent Russian news website Meduza falls victim to Pegasus spyware

Investigation finds that Galina Timchenko, the head of the independent Russian news website Meduza, had her iPhone infected by Pegasus spyware.

Phone security and data privacy concept

A Meduza report and a joint investigation led by the digital rights non-profit organisation Access Now and the research organisation Citizen Lab revealed that Galina Timchenko, the head of the independent Russian news website Meduza, had Pegasus spyware installed on her iPhone. This spyware was developed by the Israeli company NSO Group, which previously stated to the Committee to Protect Journalists (CPJ) that Pegasus is licensed to fight terrorism and crime and that it looks into ‘all credible claims of misuse and take[s] appropriate action.’

It was found that the incident occurred while Timchenko was in Berlin around 10 February. Investigators found that the infection happened soon after Meduza was declared an ‘undesirable’ entity by the Prosecutor General of Russia, thereby banning its activities within Russian territory. The duration of this infection was several days or weeks. According to Access Now, this is the first known case of Pegasus monitoring targeting a Russian journalist. The investigation reported that the attack could have originated from Russia or even an EU member state.

Gulnoza Said, the Europe and Central Asia program coordinator at CPJ, expressed deep concern over the revelations that assailants utilised Pegasus spyware to compromise the mobile device of Galina Timchenko, a highly prominent figure in the realm of Russian media who currently resides in exile.

Why does this matter?

The NSO Group’s Pegasus spyware has come under scrutiny in recent years due to allegations of misuse by various states for surveillance purposes. Poland’s Senate Commission recently ruled the government’s use of Pegasus spyware as unlawful, adding to the growing list of concerns about the unchecked use of this powerful surveillance tool.

Furthermore, Apple has taken steps to address the threats of Pegasus spyware. It has released a security fix to address zero-day vulnerabilities that the Pegasus malware had been exploiting. This development highlights the ongoing battle between surveillance technology developers and tech companies striving to protect user privacy and security.

The timing of the attack against Galina Timchenko, the head of Meduza, is particularly troubling. It occurred after Meduza was designated as an undesirable organisation within Russia. This incident raises critical questions about the motives behind such surveillance and its implications for press freedom.