"Exiled, then spied on: Civil society in Latvia, Lithuania, and Poland targeted with Pegasus spyware" 10 July 2024

Following last year’s joint investigation into the use of NSO Group’s Pegasus spyware against Galina Timchenko, co-founder, CEO, and publisher of Meduza, Access Now, the Citizen Lab at the Munk School of Global Affairs & Public Policy at the University of Toronto (“the Citizen Lab”), and independent digital security expert Nikolai Kvantiliani have uncovered how at least seven more Russian, Belarusian, Latvian, and Israeli journalists and activists have been targeted with NSO Group’s Pegasus spyware within the EU...

One victim, who has chosen to remain anonymous, is a member of Belarusian civil society currently based in Vilnius, Lithuania. After receiving an Apple threat notification on June 22, 2023, that their device had been targeted with a state-sponsored attack, they reached out to the Citizen Lab for digital security support, who analyzed the device and confirmed that it was infected with Pegasus spyware on or around March 25, 2021...

Another Russian journalist living in exile in Vilnius since Russia’s full-scale invasion of Ukraine, and who has also chosen to remain anonymous, received two Apple threat notifications on October 31, 2023, and on April 10, 2024. Access Now’s Digital Security Helpline, with the technical confirmation of the Citizen Lab, identified an attempt to infect the journalist’s device on or around June 15, 2023...

Three additional victims, all based in Riga, Latvia, received Apple threat notifications. Access Now’s Digital Security Helpline analyzed their devices, with the Citizen Lab reviewing our results:

• Evgeny Erlikh, an Israeli-Russian journalist and the author and former producer of Baltic Weekly, on Current Time, RFE RL’s 24/7 Russian-language TV network. Our analysis showed that Erlikh’s iPhone was infected with Pegasus spyware between November 28 and 29, 2022...
• Evgeny Pavlov, a Latvian journalist, former correspondent for Novaya Gazeta Baltija, an independent news media covering the Baltic countries, and former freelance journalist for Current Time’s Baltia program. Pavlov’s device was targeted with Pegasus on or around November 28, 2022, and on or around April 24, 2023; however, we were unable to confirm if the attempts were successful. 
• Maria Epifanova, general director of Novaya Gazeta Europe and director of Novaya Gazeta Baltija. Epifanova’s iPhone was infected on or around August 18, 2020 — the earliest known use of Pegasus to target Russian civil society. Epifanova was chief editor of Novaya Gazeta Baltija at the time, and the attack occurred shortly after she received accreditation to attend exiled Belarusian democratic opposition leader Svetlana Tikhanovskaya’s first press conference in Vilnius... 

Two Belarusian civil society members currently living in Warsaw, Poland, also received Apple notifications on October 31, 2023: 

• Andrei Sannikov is a prominent Belarusian opposition politician and activist, who ran for President of Belarus in 2010, receiving the second highest vote count after incumbent Alexander Lukashenko. After the election he was arrested by the Belarusian KGB and held as a prisoner of conscience. Authorities also threatened to take away his three-year old son. According to the Citizen Lab, Sannikov’s iPhone was infected with Pegasus on or around September 7, 2021. 
• Natallia Radzina is editor-in-chief of independent Belarusian media website Charter97.org and a recipient of the Committee to Protect Journalists (CPJ) International Press Freedom Award. Radzina was persecuted for journalistic activities in Belarus, imprisoned, and forced to flee the country. Access Now’s Digital Security Helpline, as confirmed by the Citizen Lab, also identified that Radzina’s device was infected with Pegasus spyware on or around December 2, 2022, December 7, 2022, and January 16, 2023...

...Who is responsible? 

Access Now and the Citizen Lab are not publicly naming a specific operator at this time. Given that Poland has not been documented as targeting victims outside the country with Pegasus spyware, and considering reports that Poland’s government stopped using Pegasus spyware in 2021, it is unlikely that Poland is behind the attacks mentioned in this investigation. The Citizen Lab tells us that there is also no evidence suggesting that Russia, Belarus, or Lithuania are Pegasus customers...