EU lawmaker spied on with Pegasus while probing spyware abuses

A former Member of the European Parliament was repeatedly infected with NSO Group’s Pegasus spyware while serving on the committee tasked with investigating its misuse across the EU, according to a new report by Citizen Lab. The findings, released on Wednesday, reveal how Stelios Kouloglou’s devices were compromised during his time on the PEGA Committee, which ran from March 2022 to July 2023.
A chilling irony on the EU’s surveillance watch
The irony is stark: Kouloglou was hacked while helping lead the PEGA Committee’s inquiry into Pegasus and other spyware abuses in Europe. Citizen Lab’s forensic analysis confirmed three separate infections (on October 21, 2022, and on March 6 and 7, 2023), all during intense phases of committee work. The first breach occurred just ten days before a planned visit to Greece and Cyprus, and while drafts of the committee’s first report were circulating among members. The second and third infections struck as the committee finalized its conclusions, two months before the report’s adoption in May 2023.
Zero-click attacks and overlooked warnings
Kouloglou’s device, running iOS 15.5, was compromised via PWNYOURHOME, a zero-click exploit targeting Apple’s HomeKit system. According to Citizen Lab, the attack involved a specially crafted NSKeyedArchive sent to HomeKit, followed by malicious content delivered through MessagesBlastDoorService—all without any user interaction. Apple had already patched the vulnerability by then, yet Kouloglou received three separate threat notifications from Apple in March and August 2023, and April 2024, none of which he recalled seeing. The timing of the first infection adds further intrigue: on October 21, 2022, Kouloglou was in a Greek hospital for elective surgery when investigative journalist Thanasis Koukakis—himself a confirmed target of Predator spyware—visited him. If Pegasus intercepted conversations in that hospital room, it may have violated Greece’s laws protecting health data confidentiality.
Unanswered questions and wider implications
Citizen Lab states it is highly confident in the Pegasus infections but cannot identify the NSO customer responsible. While no evidence links the operation to the Greek government—previously associated with Predator spyware—technical traces suggest a single Pegasus operator also targeted Russian and Belarusian journalists and activists across Europe. The infections occurred in both Greece and Belgium, indicating the operator likely held a cross-border surveillance license within the EU. The case underscores the persistent risks faced by those investigating state-sponsored spyware, even within institutional oversight bodies.
Source: Security Affairs. AI-assisted editorial synthesis — TechnoExpress.

