An award-winning Russian journalist living in exile in Europe was hacked using Israeli spyware made by NSO Group, according to a joint investigation by the Citizen Lab and Access Now.
Galina Timchenko was hacked on or around 23 February, at a time when she was based in Berlin, Germany, marking the first time that a Russian journalist – whose media outlet has been targeted by Moscow and ldeclared an “undesirable organisation” – has been hacked.
The news has raised questions about who might be behind the attack. Researchers said they were not immediately able to identify who might have targeted Timchenko’s phone, but said it was hacked using Pegasus, one of the world’s most sophisticated military-grade spyware tools.
Russia would be considered an obvious candidate to have targeted Timchenko, who is the co-founder and chief executive of Meduza, an independent Russian news website that has a record of publishing critical articles about the war in Ukraine and investigations into the Russian elite, including those close to Vladimir Putin.
NSO, which is closely regulated by the Israeli government, sells only to government agencies. The company is known to sell to authorities in many European countries – including the German police – and countries in the Middle East and Africa.
The Citizen Lab and Access Now said they believed it was “unlikely” that Russia was a client of NSO Group, and emphasised that they had not seen any other indications from research that Moscow might be behind the attack.
The declaration left a few other possible options, the researchers said. Meduza is based in Latvia, which appears to be an NSO Group customer. But researchers said there was no evidence that Latvia had the ability to use Pegasus software outside its own border.
Germany is a known client, too, but the researchers said they believed it was unlikely that that a German police agency – which is believed to use Pegasus – had targeted her. The Netherlands Intelligence and Security Service, the Dutch intelligence agency, and an Estonian government agency both appear to use Pegasus outside their jurisdiction, including within Europe.
The Guardian has previously reported that Estonia, a Nato member, acquired access to Pegasus in 2019 but was informed by NSO in August that year that the company would not permit Estonian officials to use the spyware against Russian targets.
Timchenko was using a Latvian country code at the time she was hacked.
“It is plausible that one of these agencies was targeting Timchenko although it would be unclear under what justification,” researchers said. They added that it was possible that a Russian ally known to be a Pegasus customer could be behind the spying on behalf of Russia, including Azerbaijan or Kazakhstan, though researchers said they had never observed attacks against individuals living in the EU by either country.
NSO was not immediately available for comment. The company has said it sells its spyware to countries to be used only to fight serious crime and terrorism threats. It has also denied having any knowledge or control of individuals who are targeted once their spyware licenses are sold to government clients, who then operate the hacking software.
Meduza was declared an “undesirable organisation” by the Russian government earlier this year, making it virtually impossible to conduct reporting or collect revenue in the country. Before founding Meduza, Timchenko was the editor of Lenta.ru, an extremely popular website that pioneered online news in Russia.
Timchenko was fired by Lenta.ru’s billionaire owner due to her team’s reporting on the 2014 Ukraine crisis. The decision sparked a staff revolt that resulted in Timchenko co-founding Meduza in Riga, Latvia, where she believed the website would have more protection from the Russian government and Kremlin-friendly businessmen.
She is one of the most prominent Russian journalists outside the country. She appears regularly at academic forums and events, including those that attract prominent figures in the Russian opposition and émigré communities.