A recent report revealed that Galina Timchenko, an award-winning Russian journalist, had Pegasus spyware installed on her iPhone. This incident brings to light the various methods government and law enforcement agencies use to deliver this intrusive surveillance tool to target devices. Timchenko, an exiled investigative journalist and co-founder of the news site Meduza, received a threat notification from Apple in June, warning her about a state-sponsored attack on her device. Apple has introduced spyware threat notifications to assist users who are individually targeted due to their activities.

In order to understand the alarm, Meduza's technical director reached out to Citizen Lab, a renowned research group at the University of Toronto specializing in digital espionage investigations. Citizen Lab researchers examined artifacts from Timchenko's phone and quickly determined that Pegasus had been installed on her device in February. Citizen Lab, in collaboration with nonprofit organization Access Now, conducted an investigation into the incident and released two separate reports on the matter. They believe that the infection could have persisted for several days to weeks after the initial exploitation. The infection was achieved through a zero-click exploit called PWNYOURHOME, targeting Apple's HomeKit and iMessage. However, the attack was not attributed to a specific nation-state actor.

Citizen Lab previously discovered two other zero-click exploits, FIDMYPWN and LatentImage, used by NSO Group customers to install Pegasus on iPhones in 2022. These exploits target the Find My feature and HomeKit, respectively. There has been a surge in iOS exploits and vulnerabilities targeting iPhone users. Citizen Lab recently found a threat, known as Blastpass, that exploited two no-click zero-day vulnerabilities in the latest version of iOS. They urged users to update their devices immediately.

This incident demonstrates that adversaries have multiple ways to exploit vulnerabilities in the iOS environment and install spyware on targeted devices. In Timchenko's case, the spyware provided the attacker with complete access to her iPhone, including passwords, correspondence, personal information of Meduza staff, and even the identities of individuals collaborating with the news site.

Pegasus, developed by Israeli company NSO Group, is a controversial surveillance tool used by government agencies and law enforcement authorities. It allows customers to extract various types of data from mobile devices, such as messages, emails, media files, passwords, and precise location information. The spyware uses advanced techniques to avoid detection by antivirus and threat detection tools. NSO Group claims to sell Pegasus exclusively to authorized agencies for legitimate purposes, but critics argue that it enables governments, particularly those with poor human rights records, to spy on journalists, activists, and political opponents. In 2021, a leaked database revealed that NSO Group clients had selected over 50,000 phone numbers for surveillance, including those of journalists and human rights activists.

According to a senior researcher at Citizen Lab, NSO customers typically spend large sums of money for access to Pegasus, possibly reaching tens of millions of dollars.