Full Report
A new report from the Citizen Lab has revealed that former Member of the European Parliament Stelios Kouloglou had his mobile device repeatedly hacked with the notorious Pegasus spyware while serving on a committee that was tasked with investigating the abuse of such commercial surveillance tools in the bloc. "Through forensic analysis of his device, we found that the attackers could have had
Analysis Summary
# Incident Report: Pegasus Spyware Compromise of PEGA Committee Member
## Executive Summary
A forensic investigation by Citizen Lab revealed that Stelios Kouloglou, a former Member of the European Parliament (MEP), was repeatedly targeted and hacked with Pegasus spyware. The compromise occurred while Kouloglou was serving on the PEGA Committee, which was specifically tasked with investigating the abuse of commercial surveillance tools. The attack resulted in the potential exposure of confidential European Parliament documents and committee deliberations.
## Incident Details
- **Discovery Date:** May 2026 (Forensic analysis)
- **Incident Date:** October 21, 2022; March 6–7, 2023
- **Affected Organization:** European Parliament (PEGA Committee)
- **Sector:** Government / International Policy
- **Geography:** Greece / Belgium (EU-wide impact)
## Timeline of Events
### Initial Access
- **Date/Time:** October 21, 2022, at 10:16 UTC
- **Vector:** Zero-click exploit (Codenamed "PWNYOURHOME")
- **Details:** Attackers utilized a vulnerability in Apple’s HomeKit smart home software. The device performed a lookup for a specific HomeKit email address: `rauharepo888[@]gmail.com`.
### Lateral Movement
- **Details:** Not applicable/disclosed. As this was mobile spyware, the focus was on local device compromise and data collection rather than traditional network lateral movement.
### Data Exfiltration/Impact
- **Details:** Forensic analysis indicates attackers likely gained access to confidential committee documents, internal deliberations, and private communications. The timing overlapped with critical legislative drafting and testimonies regarding spyware abuse in Greece.
### Detection & Response
- **Detection:** Detected via retrospective forensic analysis in May 2026 and earlier Apple Threat Notifications received by the victim on March 2, 2023, August 29, 2023, and April 10, 2024.
- **Response Actions:** Forensic triage by Citizen Lab researchers; disclosure to the public and relevant parliamentary bodies.
## Attack Methodology
- **Initial Access:** Zero-click exploit (PWNYOURHOME) targeting Apple HomeKit.
- **Persistence:** Pegasus agent installation following successful exploitation.
- **Privilege Escalation:** Exploitation of iOS kernel vulnerabilities (standard Pegasus behavior).
- **Defense Evasion:** Use of zero-click exploitation which requires no user interaction and leaves minimal forensic footprint on the UI.
- **Credential Access:** Likely harvesting of session tokens and stored credentials via the Pegasus agent.
- **Discovery:** Automated reconnaissance of device files, contacts, and messages.
- **Lateral Movement:** N/A (Device-centric infection).
- **Collection:** Gathering of confidential documents, encrypted messages, and microphone/camera access.
- **Exfiltration:** Data transmitted over mobile data/Wi-Fi to C2 infrastructure.
- **Impact:** High-level espionage and breach of sensitive political deliberations.
## Impact Assessment
- **Financial:** Undisclosed; costs associated with forensic investigations and security remediation.
- **Data Breach:** Exposure of confidential legislative documents and private communications of an MEP.
- **Operational:** Potential interference with the PEGA Committee’s investigation into spyware.
- **Reputational:** Significant public outcry regarding the ability of commercial spyware to infiltrate the very bodies investigating its abuse.
## Indicators of Compromise
- **Network indicators:** Lookups/Traffic associated with `rauharepo888[@]gmail.com`.
- **File indicators:** Forensic artifacts related to the Pegasus process and PWNYOURHOME exploit.
- **Behavioral indicators:** Activation of Pegasus processes two minutes after HomeKit email lookups.
## Response Actions
- **Containment:** MEP was alerted via Apple Threat Notifications and subsequent forensic discovery.
- **Eradication:** Device analysis and recommendation for hardware replacement.
- **Recovery:** Apple released a patch (iOS 16.3.1) to address the PWNYOURHOME vulnerability used in the attack.
## Lessons Learned
- **Key Takeaways:** High-profile investigators are primary targets for the very entities/tools they are investigating. Zero-click exploits remain the most dangerous vector as they bypass user security training.
- **What could have been done better:** Earlier forensic vetting of devices belonging to committee members investigating high-risk state-sponsored threats.
## Recommendations
- **Prevention:** Implement "Lockdown Mode" on iOS for high-risk individuals.
- **Maintenance:** Promptly update mobile devices to latest OS versions (at the time, the victim was running iOS 15.5 despite updates being available).
- **Policy:** Establish mandatory periodic forensic audits for government officials serving on sensitive security or oversight committees.