New York, September 13, 2023—The Committee to Protect Journalists said that it is deeply disturbed by the findings of an investigation released Wednesday by rights organizations that the phone of Galina Timchenko, head of the independent Russian news website Meduza, was infected by Pegasus surveillance spyware while she was in Germany earlier this year.
“CPJ is deeply disturbed by the disclosures that attackers used Pegasus spyware to infect the phone of exiled journalist Galina Timchenko, one of the world’s most prominent Russian media figures,” said Gulnoza Said, CPJ’s Europe and Central Asia program coordinator. “Journalists and their sources are not free and safe if they are spied on, and this attack on Timchenko underscores that governments must implement an immediate moratorium on the development, sale, and use of spyware technologies. The threat is simply too large to ignore.”
Timchenko’s phone was infected by Pegasus, a spyware produced by the Israeli company NSO Group, while she was in Berlin on or around February 10, 2023, according to a Meduza report and a joint-investigation by rights groups Access Now and research organization Citizen Lab. The investigation found that the infection took place shortly after Russia’s Prosecutor General designated Meduza as an “undesirable” organization – a measure that banned the outlet from operating on Russian territory – and likely lasted several days or weeks.
According to the investigation, Apple had warned Timchenko and “other targets” in June that their devices may have been targeted with state-sponsored spyware. Meduza editor-in-chief Ivan Kolpakov told CPJ via messaging app that Apple’s warning prompted them to request that Access Now check Timchenko’s device.
According to Access Now, this is the first documented case of Pegasus surveillance of a Russian journalist; the investigation reported that the attack could have come from Russia, one of its allies, or an EU state may have been responsible for the attack.
The fact that some European government may have used Pegasus against Timchenko is “beyond our comprehension,’” Kolpakov said in a statement shared with CPJ. “As the developers claim, this software is used to fight terrorism — yet it is systematically used against the opposition and journalists.”
Meduza operates in exile, with most of its staff based in Berlin and the Latvian capital of Riga and covers various topics, including politics, social issues, culture, and the war in Ukraine. CPJ awarded Timchenko its 2022 Gwen Ifill Press Freedom Award.
“We often repeat to ourselves and our employees that Europe gives a feeling of complete security. But it is only a feeling – an illusion of security,” Kolpakov said in the statement.
Meduza journalist Elena Kostyuchenko recently reported that she may have been poisoned in Germany in October 2022.
Kolpakov said he hoped to be able to identify those responsible for the attack and obtain explanations from them as well as from the NSO Group.
NSO Group previously told CPJ that it licenses Pegasus to fight crime and terrorism, stating that it investigates “all credible claims of misuse and take[s] appropriate action,” including shutting down a customer’s access to the software.
A 2022 CPJ special report noted that the development of high-tech “zero-click” spyware like Pegasus– the kind that takes over a phone without a user’s knowledge or interaction – poses an existential crisis for journalism and the future of press freedom around the world. The report included CPJ’s recommendations to protect journalists and their sources from the abuse of the technology and called for an immediate moratorium on exporting this technology to countries with poor human rights records. CPJ has also joined other rights groups in calling for immediate action to stop spyware threatening press freedom.
CPJ emailed NSO Group and the German Federal Ministry of the Interior for comment on the Timchenko findings but did not immediately receive any replies.