

Article

25 June 2024

Author:
Suzanne Smalley & Daryna Antoniuk, The Record

EU: Russian & Belarusian activists & journalists living in exile allegedly targeted with Pegasus

"The inside view of spyware’s 'dirty interference,' from two recent Pegasus victims", 25 June 2024

Andrei Sannikov challenged longtime Belarusian dictator Aleksandr Lukashenko in the country’s 2010 national elections, a move that landed him in jail for 16 months, provoked threats that his young son would be taken by the state and led him to flee the country after his release from prison due to death threats.

Sannikov has spent every day since his escape trying to undermine Lukashenko, leading a campaign promoting the integration of Belarus into the European Union by writing books, speaking at universities and attending conferences with other freedom fighters.

“My goal is to go back to a free Belarus,” said Sannikov, who now lives in exile in Poland.

Perhaps it’s no surprise, then, that Sannikov is one of seven Russian- and Belarusian-speaking activists and journalists living in exile whose phones were recently discovered to have been targeted by or fully infected with powerful commercial spyware known as Pegasus, according to a recent report published by the digital civil rights group Access Now. 

Five of the seven victims’ devices were infected with Pegasus, while the two others had an attempted breach or, in one case, an infection could not be confirmed.

The findings about Sannikov and the six other victims are part of a broader ongoing probe into Pegasus attacks against similar people in the region, Recorded Future News has learned. The powerful spyware has become a threat to activists, political opposition figures and journalists around the globe as authoritarian and even many democratic governments deploy it outside its intended use for fighting crime and terrorism.

Sannikov worries about Pegasus, he said in an interview, because “there are no effective means to prevent it and to fight it.”

“If the software spreads then we will be vulnerable in every part of the world,” he added.

Another of the seven victims to speak with Recorded Future News, Evgeny Erlikh, works in Latvia on a U.S.-funded Radio Free Europe/Radio Liberty news program designed for a Russian-speaking audience. He believes he is likely one of several additional and so far mostly unknown Latvia-based journalists to be hit with Pegasus.

Digital forensic researchers are now studying the devices of other potential victims with similar profiles, according to Natalia Krapiva, senior tech legal counsel at Access Now. 

Even as Pegasus is showing up on an increasing number of phones belonging to civil-society organizations and individuals, experts and victims say they are bracing for usage of the powerfully invasive spyware to grow exponentially. 

The newly discovered infections are just the “tip of the iceberg,” Sannikov said, echoing Erlikh’s contention that many victims in his community likely remain unknown.

The tip of the iceberg

Six of the seven new victims received Apple threat notifications, which are warnings that say an iPhone may have been targeted by mercenary spyware. The alerts are sent to users by email and iMessage as well as in a red-lettered display after they sign into their device with their Apple ID. 

Sannikov did not receive a threat notification from Apple and instead learned of the infection when he turned over his phone for a free security check offered at a large conference he attended in November 2023. 

“It was quite a coincidence that I submitted my phone,” Sannikov said.

Digital forensic researchers found Sannikov’s phone was compromised in September 2021 at a time when the opposition leader said he was attending a prominent conference in Poland. A large number of opposition politicians, journalists, civil society activists and major public figures were among the 5,000-plus attendees.

A seasoned activist, Sannikov said he doesn’t trust any electronics and never discusses sensitive work-related information on his phone or computer.

His personal communications are a different story.

A spokesperson for the NSO Group said that it cannot confirm or deny specific customers for regulatory reasons, but did reiterate that it does not sell Pegasus to Russia or its allies.

“NSO complies with all laws and regulations and sells only to vetted intelligence and law enforcement agencies,” the spokesperson said via email. “Our customers use these technologies daily to prevent crime and terror attacks.”

A chilling effect

Sannikov doesn’t think it is random that his phone was breached when he was at a conference mingling with politicians, journalists and other public figures. 

The larger pattern supports his thesis: Four of the seven newly revealed victims were attacked or infected immediately before, while or after attending similar conferences, meetings or, in one case, a press conference with a Belarusian opposition leader.

...

While it is unclear who is responsible for any of the seven new attacks, five of the seven devices analyzed in the new report “recorded Apple IDs used by Pegasus operators in their hacking attempts,” according to researchers from The Citizen Lab, a University of Toronto-based digital security and human rights research group, which worked with Access Now investigating the digital forensics of the attacks.

A Latvian connection?

There is no evidence that Russia or Belarus are Pegasus customers, and Poland stopped using the spyware in 2021, Access Now says.

Latvia appears to use the spyware but is not known for deploying it against people in other countries, according to the researchers, who also said that neighboring Baltic nation Estonia coordinates with Latvia and Lithuania on security matters and does use Pegasus extensively across Europe.

Erlikh, the journalist who produces a Radio Free Europe/Radio Liberty news show, worked for years in Russia, including as a correspondent in Chechnya. His phone was found to be infected with Pegasus in 2023.

...

Erlikh said his Pegasus infection hasn’t made him feel less safe in Latvia, but has “made us realize that apparently they [Latvian state officials] are noticing us.”

He called the recently surfaced cases “just a drop in the ocean.”

A spokesperson for the Latvian Embassy in Washington said via email that spyware is an international problem and emphasized that Pegasus can be installed from any location despite the fact that the impacted journalists are based in Latvia.

A dangerous technology spreads

The NSO Group says it only sells Pegasus to vetted law enforcement and intelligence agencies that agree to use the technology to investigate legitimate targets, but the company won’t divulge any further information — including which national governments are customers. However, in recent years Pegasus has been found on devices belonging to members of civil society or political opposition leaders in Spain, Greece, Hungary, Poland, India, El Salvador, Thailand and Latvia, among many other countries.