Russian news outlet in Latvia believes European state behind phone hack
An independent Russian news outlet whose founder was hacked in Germany earlier this year through military-grade spyware has said it believes a European state was most likely behind the cyberattack, raising thorny questions about an EU member state’s possible use of a blacklisted cyberweapon against a journalist.
Galina Timchenko and Ivan Kolpakov, the founder and current editor-in-chief of Meduza, a Latvia-based independent Russian news outlet outlawed by the Kremlin, said new circumstantial evidence pointed to an EU state as the likely perpetrator behind the hacking of Timchenko’s mobile phone in Berlin in February this year, shortly before she participated in a meeting of exiled Russian journalists, The Guardian reports.
The news prompted one European member of parliament to say it seemed that governments were increasingly using surveillance methods comparable to those once deployed by the East German secret police, the Stasi, without proper oversight.
Timchenko was first alerted to the hack when she received a warning from Apple. The Guardian has since learned that at least four other Russian journalists – three of whom have mobile phones based in Latvia – received the same warning.
An investigation by the Citizen Lab at the University of Toronto and Access Now later confirmed with a high degree of certainty that Timchenko’s phone – which uses a Latvian country code – was hacked by a government user of Pegasus, a sophisticated spyware made by Israel’s NSO Group. When successfully deployed, Pegasus can hack any phone, and even turn a mobile into a remote listening device.
Timchenko initially said she believed the attack against her had originated in Russia, pointing to ways in which the Kremlin has pursued and stalked her and colleagues at Meduza since 2014, including using sophisticated cyberattacks.
But researchers at the Citizen Lab and Access Now have said they do not believe Russia is a client of NSO. The independent researchers have also confirmed that agencies within Latvia, Estonia and Germany are clients of NSO Group and have access to the spyware.
Timchenko – who has lived in Latvia for nearly a decade – said she now believes that an EU state may have targeted her in the hopes of capturing information from exchanges she has had with other Russian journalists who have more recently left Russia. In any case, she called it an “expensive pleasure” for any state to have targeted her.
Timchenko and Kolpakov point to tensions that emerged late last year when Meduza was the first Latvia-based outlet to publicly defend another independent Russian media group, the liberal-leaning broadcaster TV Rain, which was expelled from the Baltic country after a state broadcasting regulator accused it of being a threat to Latvian national security.
The broadcaster was criticised for displaying a map of Russia that included occupied Crimea, and for one anchor’s decision to refer to Russian troops as “our army”. TV Rain also did not provide viewers with Latvian subtitles, as required. The broadcaster was forced to move its operations to the Netherlands, and stoked what press reports at the time called a growing rift between the Latvian majority and Russian-speaking minority in Latvia.
The Meduza journalists said they published an open letter of support for press freedom, which was critical of the Latvian decision and signed by 300 supporters. It called the regulator’s move “unfair, wrong, and disproportionate to the official violations”.
While the letter described TV Rain’s violations as “wrong”, it also praised the Russian outlet in exile as one of the “few truly independent media outlets” that had retained a large audience inside Russia. The network, Meduza said, was obviously anti-Kremlin and opposed to the invasion of Ukraine.
“We published this letter and for the very first time, Latvian journalists supported us as well,” Timchenko said. It also prompted some criticism of her own organisation.
It is this criticism that the journalists see as possibly prompting Latvian authorities or others to home in on Meduza as a target of surveillance.
“Now it is likely that the hack was operated by some European security service. We don’t know if it was Latvia or some other country, but we have more [presence] in Latvia,” said Kolpakov.
Neither Latvia nor Germany – where the hack occurred – has offered to investigate the breach, which was widely reported.
The Biden administration has blacklisted NSO and other spyware companies, calling them a threat to US national security. In response to questions from The Guardian about the hacking of Timchenko, a US state department spokesperson said it condemned the harassment or extrajudicial surveillance of journalists, and stood in solidarity with independent Russian journalists “who work to shine a light on the Kremlin’s brutal war against Ukraine”.
Latvia has generally cultivated a strong reputation for protecting press freedoms. A 2022 state department report on human rights found “no credible reports” that the government monitored private online communications without appropriate legal authority.
Latvia’s embassy in Washington said in a statement that Meduza’s work providing “objective information to Russian audiences worldwide” was “widely appreciated in Latvia”.
“The [Foreign] Ministry is not aware of any electronic surveillance measures being taken against Ms Timchenko,” the embassy said.
It added: “Latvia has been providing a safe haven for independent Russian media and their staff. More than 20 different media institutions from Russia currently operate from Latvia.”
A spokesperson for the German federal police (BKA), which became an NSO customer in 2019, said it would not provide information about capabilities or tools used in covert measures.
The development followed a months-long inquiry by a special committee of the European parliament into spyware abuses by European governments, including in Hungary, Spain, Greece and Poland.
Sophie in ‘t Veld, a Dutch European parliament member who has headed the probe, expressed dismay at the recent developments and the apparent use of “totalitarian tactics” inside EU states, which she said were continuing to use Pegasus and other spyware tools without any intervention or oversight by national governments or the European Commission.
“People have often said this whole spyware story compares to the European version of Watergate. It’s not. It’s more like The Lives of Others,” she said, referring to the Oscar-winning German film depicting the pervasive surveillance of artists and writers in East Germany in the 1980s.
“I’m not saying Europe is already descending into totalitarianism, but these are totalitarian methods,” she said. “If it is true that the Latvian government or other European states did this, then there is no way to find out. There is no remedy, and no oversight.”
She added: “[EU] governments are using it for political purposes, just like undemocratic ones do. In some very exceptional cases the use of spyware might be legitimate … the point is that we have no way of knowing if the use is proportionate and legitimate.”
A person familiar with the issue said NSO has opened an investigation into the matter. The company has said in the past that it only sells its powerful hacking tools to government agencies for the purpose of investigating serious crimes.