Full Report
“It is a direct attack on the rule of law,” says one European Parliament member of the new findings from Citizen Lab.
Analysis Summary
# Incident Report: Targeting of EU PEGA Committee Member via Pegasus Spyware
## Executive Summary
Citizen Lab has identified that Stelios Kouloglou, a former Member of the European Parliament (MEP) and member of the special committee investigating spyware (PEGA), was targeted and compromised by Pegasus spyware. The infection occurred while Kouloglou was actively investigating the misuse of such tools, highlighting a brazen attack on democratic institutions. The compromise granted unknown actors potential access to confidential parliamentary proceedings and sensitive personal communications.
## Incident Details
- **Discovery Date:** July 2026 (Public disclosure)
- **Incident Date:** Late 2022 (Fall 2022)
- **Affected Organization:** European Parliament (PEGA Committee)
- **Sector:** Government / International Politics
- **Geography:** Greece / European Union
## Timeline of Events
### Initial Access
- **Date/Time:** Fall 2022
- **Vector:** Mobile Exploit (Zero-click/one-click vulnerabilities)
- **Details:** The victim's iPhone was targeted and successfully compromised multiple times.
### Lateral Movement
- **Details:** Not applicable in the traditional network sense; Pegasus operates by movement from the initial exploitation process to higher-privilege system processes within the mobile OS to gain full device control.
### Data Exfiltration/Impact
- **Details:** Attackers gained potential access to the microphone, camera, encrypted messages, contact lists, web history, and photos. This likely included sensitive internal information regarding the PEGA Committee’s investigation into NSO Group and Intellexa.
### Detection & Response
- **Detection:** Forensic analysis performed by Citizen Lab.
- **Response Actions:** Forensic validation of the device and public reporting to highlight the breach of parliamentary confidentiality.
## Attack Methodology
- **Initial Access:** Exploitation of iOS/Android mobile operating system vulnerabilities.
- **Persistence:** Modern Pegasus variants often reside in memory but can be re-injected or utilize sophisticated persistence mechanisms to survive reboots.
- **Privilege Escalation:** Use of kernel-level exploits to bypass mobile sandbox protections.
- **Defense Evasion:** Use of encrypted command-and-control (C2) channels and self-destruct mechanisms if forensic analysis is detected.
- **Credential Access:** Extraction of tokens and passwords from the device keychain and app databases.
- **Discovery:** Access to contact lists and GPS location for target environment mapping.
- **Collection:** Real-time monitoring of microphone/camera and scraping of "at-rest" data (SMS, WhatsApp, Signal).
- **Exfiltration:** Data sent via encrypted HTTPS channels to NSO-infrastructure-linked servers.
- **Impact:** Complete loss of privacy and potential compromise of European Parliament confidentiality.
## Impact Assessment
- **Financial:** High forensic and investigation costs; broad systemic implications for EU security spending.
- **Data Breach:** Full compromise of personal and professional data on a primary mobile device.
- **Operational:** Disruption and potential intimidation of a legislative investigative committee.
- **Reputational:** High; demonstrates the vulnerability of high-ranking EU officials to commercial spyware.
## Indicators of Compromise
- **Network indicators:** Connections to known NSO Group-related domains (e.g., [.]veritass[.]com - *defanged*).
- **File indicators:** Presence of specific process names associated with Pegasus execution (e.g., `bh`, `setframed`).
- **Behavioral indicators:** Unusual battery drain, unexplained data usage spikes, and presence of "BridgeHead" artifacts in mobile logs.
## Response Actions
- **Containment:** Physical isolation of the compromised mobile device.
- **Eradication:** Advice generally involves device disposal or factory resets combined with OS updates, though hardware replacement is preferred for high-value targets.
- **Recovery:** Migration to hardened devices and rotation of all credentials accessed via the phone.
## Lessons Learned
- **Irony of Targeting:** Being an investigator into spyware does not grant immunity; rather, it increases the likelihood of being targeted by those seeking to monitor the investigation.
- **Institutional Failure:** European parliamentary bodies were not adequately prepared with technical counter-surveillance measures for their members.
- **Forensic Importance:** Without third-party organizations like Citizen Lab, state-level compromises of democratic leaders would remain entirely undetected.
## Recommendations
- **Device Hardening:** Deployment of "Lockdown Mode" on iOS for high-risk individuals.
- **Mandatory Audits:** Implementation of regular, proactive forensic "health checks" for mobile devices belonging to officials in sensitive committees (Security, Defense, Intelligence).
- **Legislative Action:** Strengthening of EU-wide regulations regarding the sale and export of commercial "intrusion software."