Germany: Phone of Meduza’s Galina Timchenko Infected with Pegasus Spyware in Berlin

This is the first reported case of spyware being found on a Russian journalist’s phone

Location: Germany, Berlin
Date: February 10, 2023

Head of Meduza, Galina Timchenko, reveals her phone was hacked with Pegasus while in Berlin. The co-founder of the Russian news outlet discovered the spyware months later and fears her contacts could be compromised. The Coalition For Women In Journalism is alarmed that Pegasus has been found on Timchenko’s phone. We demand immediate answers from the NSO Group and an immediate prohibition on the malicious hacking software used to target journalists worldwide.

Galina Timchenko, an award-winning Russian journalist living in exile in Europe, was targeted in a cyber-attack using Israeli company NSO Group's spyware.

It is the first known case of an independent Russian journalist, affiliated with a media outlet deemed "undesirable" by Moscow, being hacked with Pegasus.

Timchenko recalls that learning she was hacked “felt like I’d been stripped naked in the town square. Like someone had reached into my pocket. Like I was dirty somehow. I wanted to wash my hands.”


When a phone is hacked using Pegasus, a spyware operator can access all phone data, including location and encrypted messages. It can also be used to manipulate a phone’s camera and microphone to record, turning it into a portable listening device.

The Pegasus infection on Timchenko’s phone is believed to have lasted for several days or weeks.

The outlet Meduza operates in exile, with most of its team situated in Berlin and Riga. Their reporting displeases the Kremlin, and they have faced incredible backlash from Russian authorities, including the suspected poisoning of one of its reporters. The publication also relies on anonymous reporters working in Russia for its site. 

After learning of the hack, Timchenko worried about the exposure of her contact list and how that could affect those reporting inside Russia.

A joint investigation by Citizen Lab and Access Now revealed the attack occurred in Berlin, Germany, around February 10, 2023. The timing is significant as it occurred just before a gathering in Berlin of prominent independent Russian media figures living in exile and shortly after Meduza was labeled an “undesirable” organization by Russia’s Prosecutor General.

During the meeting in Berlin, exiled journalists, including Timchenko, discussed the mounting pressure they faced. They strategized on how to counteract it effectively. Redkollegiya, a Russian media organization, organized the event.

“Through me, they could have eavesdropped on this meeting,” worries Timchenko.

Timchenko believes that Russia was responsible for hacking her phone.

“Before this, all the other attacks were from Russia. We’ve had a number of different attacks, and they were all from Russia. So if it swims like a duck, quacks like a duck, it’s probably a duck,” she told the Guardian.

However, surveillance and spyware experts from Citizen Lab and Access Now say it is "unlikely" that Russia is an NSO Group client. Their research did not show any indications of Russian involvement in the attack.

The NSO Group exclusively sells its spyware Pegasus to government agencies. The Israeli company does not disclose its clients' names, but its spokesperson implied that Russia was not among them. The spokesperson stated that NSO only sells its technologies to allies of the US and Israel and takes action if credible allegations of misuse arise.

Experts on Russian security have previously noted that Russia is paranoid about using foreign spyware and is a seller of intelligence spyware on the global market rather than a buyer.

“We do not see evidence of Russia using NSO’s product,” says John Scott-Railton at Citizen Lab, who investigated the hack. “But that doesn’t mean we know everything.”

The researchers pointed out other potential options. Timchenko was using a Latvian SIM at the time of the hack. Latvia is an NSO Group customer. But there is no evidence to suggest Latvia has the capability to use Pegasus software beyond its borders. Germany, another NSO Group client, was also considered unlikely to have targeted Timchenko.

Another possible suspect is a government that is an ally of Russia. In its examination of Timchenko's phone, Access Now suggests either Kazakhstan or Azerbaijan, suspected Pegasus clients, could have carried out the attack upon Moscow's request. In May 2023, CFWIJ documented how Azerbaijan authorities infected Armenian journalist Astghik Bedevyan’s phone with Pegasus while she was reporting for RFE/RL in 2021. Access Now also cites Kazakhstan as a possible suspect due to its history of blocking Meduza without formal requests.

But researchers have no evidence to suggest that either Kazakhstan or Azerbaijan has ever conducted a Pegasus attack in Europe, and Timchenko was in Germany at the time of infection.

The lack of clarity surrounding the source of the hack underscores the urgent need for stronger laws and regulations to counter the proliferation of spyware like Pegasus.

John Scott-Railton from Citizen Lab says that Timchenko's case serves as a reminder of Europe's unresolved issue with Pegasus spyware. The United States has blacklisted the NSO Group following reports of its spyware being used to target journalists and critics. Scott-Railton questions why Germany, where the hack occurred, has not signed the Joint Statement on Efforts to Counter the Proliferation and Misuse of Commercial Spyware despite its signing by 11 other countries.

This lack of political will to address the proliferation of spyware in Europe is deeply concerning. The European Commission has implemented regulations to safeguard reporters against malware. However, some member states, notably France and Sweden, have diluted the language of the European Media Freedom Act, enabling surveillance of journalists under the guise of national security.

The Coalition For Women In Journalism condemns the invasive hack on Galina Timchenko’s phone. We demand answers from the NSO Group. We also strongly urge the European Union to take decisive action against malware use in member states. Journalists must be able to report without fear their sources are being compromised and their conversations are being recorded. We call for Pegasus’ use in Europe to be completely prohibited and for the safeguards laid out in the original European Media Freedom Act to be restored and implemented. Journalists are not spies. There can be no justification for hacking their phones under the pretext of national security.

 

The Coalition For Women In Journalism is a global organization of support for women journalists. The CFWIJ pioneered mentorship for mid-career women journalists across several countries around the world and is the first organization to focus on the status of free press for women journalists. We thoroughly document cases of any form of abuse against women in any part of the globe. Our system of individuals and organizations brings together the experience and mentorship necessary to help female career journalists navigate the industry. Our goal is to help develop a strong mechanism where women journalists can work safely and thrive.

If you have been harassed or abused in any way, please report the incident by using the following form.
