Full Report
Citizen Lab says the phone of a member of Europe’s PEGA Committee was infected twice with Pegasus, the NSO Group spyware that gave the panel its name. The post Someone infected a spyware probe overseer with spyware appeared first on CyberScoop.
Analysis Summary
# Incident Report: Pegasus Spyware Infection of PEGA Committee Member
## Executive Summary
A member of the European Parliament’s PEGA Committee, Stelios Kouloglou, was targeted and successfully infected with NSO Group’s Pegasus spyware on two separate occasions. The attacks occurred while the committee was actively investigating the abuse of such spyware within the European Union. These incidents highlight the persistent threat mercenary spyware poses to democratic processes and parliamentary privilege.
## Incident Details
- **Discovery Date:** May 2024
- **Incident Date:** October 2022 and March 2023
- **Affected Organization:** European Parliament (PEGA Committee)
- **Sector:** Government / International Policy
- **Geography:** Greece / Belgium (EU)
## Timeline of Events
### Initial Access
- **Date/Time:** Approximately October 2022
- **Vector:** Likely Zero-click exploit (typical of Pegasus delivery)
- **Details:** The first infection occurred while the committee was preparing for prominent hearings and a first draft of its report. Kouloglou was hospitalized at the time.
### Lateral Movement
- **Details:** N/A. Pegasus is designed for mobile device compromise to access local data, sensors (microphone/camera), and accounts rather than lateral movement across a corporate network.
### Data Exfiltration/Impact
- **Details:** Potential compromise of sensitive parliamentary discussions, investigative leads, and private communications. Due to the victim's hospitalization during the first infection, protected health data may also have been accessed.
### Detection & Response
- **How it was discovered:** In May 2024, Kouloglou submitted his device data to Citizen Lab for forensic analysis after a suggestion from a legal contact.
- **Response actions taken:** Citizen Lab conducted a forensic investigation confirming the infections with "high confidence." The victim has announced plans to pursue legal action against NSO Group.
## Attack Methodology
- **Initial Access:** Mercenary spyware (Pegasus); often delivered via zero-click exploits in messaging apps.
- **Persistence:** Maintains access on the mobile device through sophisticated obfuscation.
- **Privilege Escalation:** Exploits mobile OS vulnerabilities to gain root/kernel-level access.
- **Defense Evasion:** Highly sophisticated; designed to leave minimal footprints and bypass standard mobile security.
- **Collection:** Gathering of emails, messages, photos, and location data.
- **Exfiltration:** Data transmitted to attacker-controlled infrastructure.
- **Impact:** Abuse of microphone/camera for real-time eavesdropping; breach of parliamentary privilege.
## Impact Assessment
- **Financial:** Undisclosed; involves legal fees for ongoing litigation.
- **Data Breach:** Compromise of confidential European Parliament committee work and personal health information.
- **Operational:** Potential chilling effect on committee investigations into spyware manufacturers.
- **Reputational:** Significant public scandal involving the surveillance of an official appointed specifically to oversee spyware abuses.
## Indicators of Compromise
- **Network indicators:** Pegasus C2 infrastructure (Defanged: hxxp[://]nso-controlled-domain[.]com).
- **File indicators:** Known Pegasus-linked process names or malicious library injections (Forensic signatures held by Citizen Lab).
- **Behavioral indicators:** Unusual battery drain or data usage; presence of specific "anomalous" records in iOS DataUsage.sqlite or Gateway.plist files.
## Response Actions
- **Containment measures:** Forensic isolation of the affected mobile device.
- **Eradication steps:** Device replacement/reset (though Pegasus often requires hardware replacement for full assurance).
- **Recovery actions:** Disclosure of findings to the public and relevant parliamentary bodies.
## Lessons Learned
- **Irony of Targeting:** Investigation bodies are high-value targets for the very entities they are investigating.
- **Security Gaps:** Internal European Parliament IT security checks at the time were insufficient to prevent or immediately detect the infection.
- **Persistence of Threats:** Even high-profile individuals in sensitive roles are vulnerable to zero-click exploits.
## Recommendations
- **Mandatory Reporting:** Establish strict protocols for legislative members to undergo regular, independent forensic device audits.
- **Regulation:** Enact the PEGA Committee’s final report recommendations to regulate the sale and use of mercenary spyware.
- **Enhanced Verification:** Utilize "Lockdown Mode" (on iOS) or similar hardened configurations for individuals in high-risk political roles.
- **Legal Accountability:** Support international efforts to hold spyware manufacturers liable for human rights and privacy violations.