IPI and its global network demand a swift investigation by German authorities into the use of Pegasus spyware against IPI member Galina Timchenko, the executive editor and founder of Meduza, a major independent Russian media outlet based in Latvia. IPI also demands the urgent adoption of a European ban on the use of spyware technologies against journalists, civil society actors and all other citizens.

According to a report published on September 15 by NGO Access Now, Timchenko’s iPhone was infected with the zero-click spyware designed by the Israeli NSO Group and commonly known as Pegasus. The attack took place on February 10, when Timchenko was traveling in Germany, just two weeks after Russian authorities designated Meduza as an “undesirable organization”, effectively banning the outlet’s operations in Russia.

Experts believe Timchenko’s phone was infected for a period ranging from a few days to a few weeks. During this period, hackers had real-time access to her phone’s screen, to the device’s camera and microphone, as well as to all other files, applications and photos. Based on the timing of the hack, Timchenko has speculated that the spyware could have been used to surveil a closed meeting of independent Russian journalists in Berlin, which took place on February 11, 2023.

Traces of the hack on Timchenko’s phone emerged months later, when on June 23 Meduza’s executive editor and CEO received a standard notification from Apple stating that her phone could have been attacked by “pro-government hackers”. The following day, Meduza’s technical director contacted Access Now to have the device checked, the media outlet reported.

Over the past week, three more Russian exiled journalists reported having received Apple’s notification on “pro-government hackers” in recent months. However, these incidents have not yet been verified or investigated and there is also no confirmation of Pegasus spyware being used against the victims. The hacking of Timchenko’s phone using Pegasus is the first confirmed spyware attack on a Russian journalist.

According to the research commissioned by Access Now and conducted by Citizen Lab, there are several theories about who could be behind the infection attack against Timchenko.

While the research is for now not conclusive, Russian authorities are not understood to have access to Pegasus spyware under new Israeli export rules. However, researchers could not exclude the theory that Russia had worked with allies to organize the hack. The joint investigation also casts suspicions on both Latvia, where Timchenko lives in exile, and Germany, where the attack was carried out.

Researchers also highlight the Netherlands and Estonia as possible culprits, given that both countries have reportedly extensively used Pegasus spyware abroad.

However, the list of potential organizers of the attack does not end there, as previous cases investigated by Access Now have shown that Pegasus has been used by at least 14 countries and 22 state institutions within the European Union.

After multiple scandals, NSO has repeatedly claimed that its spyware technology is sold exclusively to state intelligence and law enforcement authorities for the investigation of serious crimes such as terrorism.

“IPI firmly denounces the use of Pegasus spyware against our member Galina Timchenko”, said IPI Deputy Director Scott Griffen. “The use of this tool against journalists is a flagrant violation of press freedom, and the international expansion of its application is deeply worrying and calls for urgent action.”

He added: “While it is unclear who is responsible for this spyware attack against a leading exiled Russian journalist, it is worrying that the list of possibilities includes European governments that have denounced media freedom violations in authoritarian states such as Russia. Situations such as that faced by Galina Timchenko show the need for a ban on the use of spyware against journalists in Europe.”

The European Union is due to adopt the Media Freedom Act before the end of the year, in which IPI and a broad coalition of journalists, media freedom groups and civil society organizations are calling for the strengthening of Article 4 to ensure a total prohibition on the use of spyware technology against journalists.  

IPI has reported extensively on the growing use of Pegasus spyware in Europe, including in Hungary and Greece, as well as in the course of the 2020 Armenia-Azerbaijan war over Nagorno-Karabakh.