Security researchers have confirmed that a European politician's phone was hacked with the Pegasus spyware while he was serving on a committee investigating abuses of the notorious surveillance tool. This has reignited controversy over the misuse of spyware by governments to gather information about their critics.
Researchers at the University of Toronto’s digital rights unit, The Citizen Lab, report that the confirmed hacking of Greek journalist and former politician Stelios Kouloglou in 2022 and 2023 marks the first time a member of the European Parliament’s PEGA committee, tasked with investigating phone spyware attacks by European governments, has been a victim of spyware.
Kouloglou told TechCrunch in a phone call that intentionally compromising his phone was “reckless.” A sitting European lawmaker described the hacking of Kouloglou’s phone as a “direct attack on the rule of law” and called on the European Commission to take concrete action by imposing strict restrictions on the use of spyware in the 27-member bloc.
While spyware attacks on lawmakers are rare, the timing and the targeting of a committee investigator with the very spyware under his investigation suggest an intense focus on the committee’s inner workings ahead of a widely anticipated report detailing its findings. The hacks are raising new questions about how governments use spyware that was ostensibly necessary to detect serious crimes but was later caught snooping on the communications of journalists, lawmakers and critics.
Citizen Lab researchers did not attribute the phone hack to a specific country, but said the government customer used the same Pegasus-linked email address that was used in an earlier campaign that hacked journalists’ phones across Europe. The identity of the customer is not known, but the reuse of the same malicious email address suggests that the customer was authorized by NSO Group to use Pegasus spyware to spy on phones in several countries in Europe.
A spokesperson for the European Commission did not respond to TechCrunch’s request for comment. The NSO Group also did not respond to a request for comment on the Citizen Lab report prior to publication.
In its report on Friday, Citizen Lab said Kouloglou was hacked in October 2022 and at least twice in March 2023 using an exploit that took advantage of a security vulnerability in Apple’s iPhone software. This vulnerability had been patched, but the patch had not yet been installed on Kouloglou’s phone. The exploit was “zero-click,” meaning the spyware got in and stole his data without requiring any interaction on his part.
The exploit took advantage of a previously discovered flaw in Apple’s smart home software used on iPhones. It allowed the spyware to grab personal data from Kouloglou’s phone without his knowledge, including text messages and other correspondence, location data and photos.
The timing of the October 2022 attack coincides with intense discussions about email and text messages in October and November 2022, before the delivery of a first draft detailing the spyware exploits focused on Cyprus, Greece, Hungary, Poland and Spain.
The hack also coincided with Kouloglou’s stay in the hospital for a pre-scheduled surgery, which may have allowed the spyware operators to listen in on ambient audio of discussions about his health care or other conversations he was having with visitors at the time.
Months later, Citizen Lab said, Kouloglou’s phone was hacked again on March 6 and 7 by the same Pegasus operator while Kouloglou traveled from Athens to Brussels, during a period of committee hearings and months before its written report was finalized and approved.
In a call, Kouloglou told TechCrunch that he didn’t know why he was specifically targeted, but that he believed it was because of his work on the European Parliament committee investigating Pegasus abuses.
He described his anger when he learned his phone had been hacked.
“You realize that all your personal data [was taken] — not all business exchanges or messages with ministers — but also the very private things, like the happy moments and the sad moments,” he told TechCrunch.
Kouloglou said he plans to sue NSO Group, the Israel-based spyware maker. NSO remains largely banned from use in the United States following a Biden-era executive order that banned government use of spyware that could violate people’s human rights.
Last year, the spyware maker confirmed that an unnamed US investment group had pumped tens of millions of dollars into the company, likely as part of an effort to restore NSO’s beleaguered brand associated with human rights abuses.
Kouloglou said he would make his story “about democracy, human rights and the fight against corruption” public.
“Corruption affects everyone,” he said.
