Zero-Click iPhone Exploit Drops Spyware on Exiled Russian Journalist

A report this week about Pegasus spyware showing up on an iPhone belonging to award-winning Russian journalist Galina Timchenko has highlighted again the seemingly myriad ways that government and law enforcement agencies appear to have to deliver the odious surveillance tool on target devices.

Timchenko is an exiled Russian investigative journalist and co-founder of Meduza, a Russian- and English-language news site headquartered in Riga, Latvia. On June 22, Apple sent Timchenko a threat notification that warned her that her device is likely the target of a state-sponsored attack. Apple earlier this year rolled out the spyware threat notifications, which are designed specifically to assist users that the company determines are being individually targeted because of what they do.

Targeted for Spying

Meduza’s technical director reached out to the University of Toronto’s Citizen Lab for help understanding what the alert might have been about. Researchers at Citizen Lab, who have earned a reputation over the years for their ability to conduct investigations into incidents of digital espionage, analyzed forensics artifacts from Timchenko’s phone and quickly determined that someone had installed Pegasus on it in February.

Citizen Lab and Access Now, a nonprofit that advocates for human rights in the digital age, collaborated on the investigation of the incident and released two separate reports on it this week.

“We believe the infection could have lasted from days up to weeks after the initial exploitation,” Citizen Lab said. “The infection was conducted via a zero-click exploit, and forensic traces lead us to assess with moderate confidence that it was achieved via the PWNYOURHOME exploit targeting Apple’s HomeKit and iMessage.” Neither Citizen Lab or Access Now attributed the attack to any specific nation-state actor.

PWNYOURHOME is one of three iOS 15 and iOS 16 zero-click exploits that Citizen Lab previously determined NSO Group’s clients to have used in 2022 to drop Pegasus on target iPhones. The two-phase zero-click exploit first targets the HomeKit smart home functionality built into iPhones, and then uses the iMessage process to essentially breach device protections and enable Pegasus…