Full Report
Campaigners demand investigation and long-delayed action on PEGA Committee recommendations
Analysis Summary
# Incident Report: Surveillance of PEGA Committee Member via Pegasus Spyware
## Executive Summary
Former Greek MEP and investigative journalist Stelios Kouloglou was targeted and infected with Pegasus spyware on at least two occasions while serving on the PEGA Committee—the very body tasked with investigating spyware abuse in the EU. Forensic analysis by Citizen Lab confirmed the compromise, highlighting significant gaps in EU oversight and the continued targeting of high-profile political figures despite ongoing legislative scrutiny. The incident has triggered a coalition of civil liberties groups to demand urgent accountability and the implementation of long-delayed PEGA Committee recommendations.
## Incident Details
- **Discovery Date:** July 2026 (public disclosure)
- **Incident Date:** October 2022 and March 2023
- **Affected Organization:** European Parliament (PEGA Committee)
- **Sector:** Government / International Policy
- **Geography:** European Union / Greece
## Timeline of Events
### Initial Access
- **Date/Time:** October 2022 (First infection); March 2023 (Second infection)
- **Vector:** Likely "Zero-click" exploit (Typical of Pegasus) or targeted social engineering.
- **Details:** The infections occurred during critical periods of the PEGA Committee inquiry, specifically during hearings regarding formal recommendations for spyware regulation.
### Lateral Movement
- **Details:** Not applicable in the traditional network sense; Pegasus is designed for mobile device compromise to access local data, sensors, and cloud-linked accounts.
### Data Exfiltration/Impact
- **Details:** Unauthorized access to an MEP's communications, contacts, location data, and microphone/camera. The timing suggests the goal was to monitor sensitive internal discussions regarding the EU's investigation into spyware manufacturers.
### Detection & Response
- **How it was discovered:** Forensic analysis of Kouloglou’s iPhone performed by Citizen Lab.
- **Response actions taken:** Civil liberties groups (Amnesty International, CDT) issued a joint statement demanding investigation by the EU’s Directorate-General for IT (DG ITEC) and the implementation of stricter export and usage controls.
## Attack Methodology
- **Initial Access:** Pegasus spyware (Likely remote, zero-click exploit).
- **Persistence:** Maintained through advanced mobile rootkit techniques tailored for iOS.
- **Privilege Escalation:** Exploitation of kernel-level vulnerabilities to bypass iOS sandboxing.
- **Defense Evasion:** Pegasus operates in volatile memory (RAM) and often leaves minimal footprints; use of encrypted command-and-control (C2) channels.
- **Credential Access:** Extraction of tokens and passwords from the device keychain.
- **Discovery:** Accessing contact lists, calendar invites, and emails.
- **Lateral Movement:** Not applicable (Endpoint-specific surveillance).
- **Collection:** Interception of encrypted messages (WhatsApp, Signal), calls, and environmental recording.
- **Exfiltration:** Data transmitted to an NSO Group-associated C2 server.
- **Impact:** Compromise of parliamentary integrity and surveillance of a journalist/politician.
## Impact Assessment
- **Financial:** Undisclosed; involves high costs of forensic investigation.
- **Data Breach:** Full compromise of an MEP’s mobile device during sensitive inquiry periods.
- **Operational:** Potential exposure of PEGA Committee strategy and confidential testimony.
- **Reputational:** Significant damage to EU’s image as a "safe" democratic bloc; perceived failure of the 2021 Dual-Use Regulation.
## Indicators of Compromise
- **Network indicators:** Connections to known NSO Group C2 domains (e.g., [.]com, [.]net infrastructure — *defanged*).
- **File indicators:** Process names linked to "Pegasus" or "BridgeHead" in iOS crash logs.
- **Behavioral indicators:** Unusual battery drain; presence of suspicious processes identified during Citizen Lab forensic toolkit (MVT) scans.
## Response Actions
- **Containment measures:** Isolation and decommissioning of the infected device.
- **Eradication steps:** Forensic wiping of hardware and password resets for all linked accounts.
- **Recovery actions:** Call for a robust investigation by DG ITEC and formal EU-level responses to the PEGA recommendations.
## Lessons Learned
- **Oversight Vulnerability:** Even those investigating the abuse of spyware are not immune to being targeted by it.
- **Attribution Difficulty:** While a specific operator was linked (the same one targeting Russian/Belarusian activists), definitive state attribution remains technically challenging.
- **Regulatory Failure:** Existing EU export controls (2021 Dual-Use Regulation) are currently insufficient to prevent spyware movement across borders within the bloc.
## Recommendations
- **Mandatory Forensic Audits:** Implement regular, proactive cybersecurity screening for MEPs serving on sensitive committees.
- **Enhanced Export Controls:** Reform the 2021 Dual-Use Regulation to include stricter licensing for intra-EU spyware trade.
- **Victim Remedies:** Establish a formal mechanism for victims to receive notifications and legal assistance following state-sponsored surveillance.
- **Europol Involvement:** Mandate that member states involve Europol and independent oversight bodies when deploying such tools.