European Parliament Member Investigating Spyware Was Hacked With Pegasus
Former MEP Stelios Kouloglou was repeatedly hacked with Pegasus spyware while serving on the EU committee investigating its misuse, indicating direct retaliation against oversight efforts. Forensic analysis reveals the use of a zero-click exploit in Apple’s HomeKit software (codenamed PWNYOURHOME) to compromise his iPhone, highlighting vulnerabilities in smart home integrations. The attack infrastructure shares indicators with campaigns targeting Russian and Belarusian exiles, suggesting a singl
Analysis
TL;DR
- Former MEP Stelios Kouloglou was repeatedly hacked with Pegasus spyware while serving on the EU committee investigating its misuse, indicating direct retaliation against oversight efforts.
- Forensic analysis reveals the use of a zero-click exploit in Apple’s HomeKit software (codenamed PWNYOURHOME) to compromise his iPhone, highlighting vulnerabilities in smart home integrations.
- The attack infrastructure shares indicators with campaigns targeting Russian and Belarusian exiles, suggesting a single Pegasus customer with multi-country jurisdictional licenses is responsible.
- This incident underscores the escalating risks to democratic institutions and lawmakers, as spyware operators increasingly target those tasked with regulating their own industry.
Why It Matters
This case demonstrates that commercial spyware is not merely a tool for law enforcement but is actively weaponized against political opponents and regulators, posing a direct threat to democratic processes and judicial independence. For security researchers and policymakers, it highlights the critical need for stricter oversight of NSO Group’s licensing practices and the urgent requirement for tech companies to patch zero-click vulnerabilities in peripheral ecosystems like IoT and smart home apps.
Technical Details
- Exploit Vector: The initial compromise utilized a zero-click exploit in Apple’s HomeKit smart home software, specifically targeting the
PWNYOURHOMEvulnerability, which allowed remote code execution without user interaction. - Timeline and Frequency: Forensic artifacts indicate infections occurred around October 21, 2022, and again on March 6-7, 2023, while the device was running iOS 15.5, prior to the release of the patch in iOS 16.3.1.
- Infrastructure Linkage: The attacker used the email address
rauharepo888@gmail.com, which matches infrastructure previously linked to campaigns targeting Russian and Belarusian-speaking activists, implying a shared operator. - Detection Mechanisms: The victim received Apple’s native threat notifications regarding mercenary spyware attempts on March 2, 2023, August 29, 2023, and April 10, 2024, confirming ongoing surveillance attempts even after the initial compromise.
Industry Insight
- Regulatory Paradox: The targeting of a committee member investigating spyware suggests that surveillance vendors and their clients view regulatory scrutiny as a threat, potentially leading to increased cyber-espionage against journalists, lawyers, and politicians involved in policy-making.
- Supply Chain Security: The use of a HomeKit-related exploit emphasizes that the attack surface for zero-click exploits extends beyond core messaging apps to include IoT and smart home interfaces, necessitating broader security audits by OS providers.
- Licensing Accountability: The evidence pointing to a single customer with multi-jurisdictional licenses calls for greater transparency from the NSO Group regarding client vetting and usage monitoring to prevent the misuse of technology against civil society and democratic institutions.
Disclaimer: The above content is generated by AI and is for reference only.