{
	"id": "4c54a89a-1413-461e-976a-0aa4962c3172",
	"created_at": "2026-04-06T00:15:24.46315Z",
	"updated_at": "2026-04-10T03:20:43.05235Z",
	"deleted_at": null,
	"sha1_hash": "823d1cb3e45e4701d5d2cb288c373b7c16a63e04",
	"title": "Exiled, then spied on: Civil society in Latvia, Lithuania, and Poland targeted with Pegasus spyware - Access Now",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 84996,
	"plain_text": "Exiled, then spied on: Civil society in Latvia, Lithuania, and\r\nPoland targeted with Pegasus spyware - Access Now\r\nBy Natalia Krapiva @natynettle\r\nArchived: 2026-04-02 12:35:11 UTC\r\n// What we found\r\nFollowing last year’s joint investigation into the use of NSO Group’s Pegasus spyware against Galina\r\nTimchenko, co-founder, CEO, and publisher of Meduza, Access Now, the Citizen Lab at the Munk School of\r\nGlobal Affairs \u0026 Public Policy at the University of Toronto (“the Citizen Lab”), and independent digital\r\nsecurity expert Nikolai Kvantiliani have uncovered how at least seven more Russian, Belarusian, Latvian, and\r\nIsraeli journalists and activists have been targeted with NSO Group’s Pegasus spyware within the EU.   \r\n// Who was targeted\r\nOne victim, who has chosen to remain anonymous, is a member of Belarusian civil society currently based in\r\nVilnius, Lithuania. After receiving an Apple threat notification on June 22, 2023, that their device had been\r\ntargeted with a state-sponsored attack, they reached out to the Citizen Lab for digital security support, who\r\nanalyzed the device and confirmed that it was infected with Pegasus spyware on or around March 25, 2021. This\r\ndate, “Freedom Day” (Dzień Voli), is a significant one, as it commemorates the Belarusian Democratic Republic’s\r\n1918 declaration of independence. Freedom Day celebrations have historically been suppressed by Belarusian\r\nofficials.\r\nAnother Russian journalist living in exile in Vilnius since Russia’s full-scale invasion of Ukraine, and who has\r\nalso chosen to remain anonymous, received two Apple threat notifications on October 31, 2023, and on April 10,\r\n2024. Access Now’s Digital Security Helpline, with the technical confirmation of the Citizen Lab, identified an\r\nattempt to infect the journalist’s device on or around June 15, 2023. On June 16, the journalist attended an event in\r\nRiga, Latvia, for Russian journalists in exile, which was organized by the Baltic Center for Media Excellence\r\n(BCME), DW Academy, and Sustainability Foundation. This event highlighted the ongoing vulnerabilities faced\r\nby media professionals in the region, underscoring the critical need for robust digital security measures. There\r\nwere also other significant circumstances surrounding the June 15 hacking attempt that the journalist decided to\r\nkeep private at this time due to personal safety concerns.\r\nThree additional victims, all based in Riga, Latvia, received Apple threat notifications. Access Now’s Digital\r\nSecurity Helpline analyzed their devices, with the Citizen Lab reviewing our results:\r\nEvgeny Erlikh, an Israeli-Russian journalist and the author and former producer of Baltic Weekly, on\r\nCurrent Time, RFE RL’s 24/7 Russian-language TV network. Our analysis showed that Erlikh’s iPhone\r\nwas infected with Pegasus spyware between November 28 and 29, 2022. At the time, Erlikh was\r\nhttps://www.accessnow.org/publication/civil-society-in-exile-pegasus/\r\nPage 1 of 3\n\nvacationing in Austria with his spouse, who also received an Apple threat notification, but we were unable\r\nto forensically analyze her phone. \r\nEvgeny Pavlov, a Latvian journalist, former correspondent for Novaya Gazeta Baltija, an independent\r\nnews media covering the Baltic countries, and former freelance journalist for Current Time’s Baltia\r\nprogram. Pavlov’s device was targeted with Pegasus on or around November 28, 2022, and on or around\r\nApril 24, 2023; however, we were unable to confirm if the attempts were successful. \r\nMaria Epifanova, general director of Novaya Gazeta Europe and director of Novaya Gazeta Baltija.\r\nEpifanova’s iPhone was infected on or around August 18, 2020 — the earliest known use of Pegasus to\r\ntarget Russian civil society. Epifanova was chief editor of Novaya Gazeta Baltija at the time, and the attack\r\noccurred shortly after she received accreditation to attend exiled Belarusian democratic opposition leader\r\nSvetlana Tikhanovskaya’s first press conference in Vilnius. \r\nTwo Belarusian civil society members currently living in Warsaw, Poland, also received Apple notifications on\r\nOctober 31, 2023: \r\nAndrei Sannikov is a prominent Belarusian opposition politician and activist, who ran for President of\r\nBelarus in 2010, receiving the second highest vote count after incumbent Alexander Lukashenko. After the\r\nelection he was arrested by the Belarusian KGB and held as a prisoner of conscience. Authorities also\r\nthreatened to take away his three-year old son. According to the Citizen Lab, Sannikov’s iPhone was\r\ninfected with Pegasus on or around September 7, 2021. \r\nNatallia Radzina is editor-in-chief of independent Belarusian media website Charter97.org and a\r\nrecipient of the Committee to Protect Journalists (CPJ) International Press Freedom Award. Radzina was\r\npersecuted for journalistic activities in Belarus, imprisoned, and forced to flee the country. Access Now’s\r\nDigital Security Helpline, as confirmed by the Citizen Lab, also identified that Radzina’s device was\r\ninfected with Pegasus spyware on or around December 2, 2022, December 7, 2022, and January 16, 2023.\r\nThe first infection took place the day after Radzina’s participation in the Third Anti-War Conference in\r\nVilnius, organized by the Free Russia Forum. \r\n// New patterns emerge\r\nOur investigation shows that the use of Pegasus spyware to target Russian- and Belarusian-speaking journalists\r\nand activists dates back until at least 2020, with more attacks following Russia’s full-scale invasion of Ukraine in\r\nFebruary 2022.\r\nAccess Now and the Citizen Lab also confirmed that five of the victims’ phones contained Apple IDs used by\r\nPegasus operators in their attempts to hack the devices. We know that targeting via various exploits that take\r\nadvantage of bugs in HomeKit can leave a record of the attacker’s Apple ID email address on the victim’s device.\r\nThe Citizen Lab believes that each Apple ID is used by a single Pegasus operator, though a single Pegasus\r\noperator might use multiple Apple IDs. We found the same Apple ID email address present on Pavlov, Radzina,\r\nand the second anonymous victim’s phones. A separate email account was used to target both Erlikh and Pavlov’s\r\nphones on November 28, 2022. Artifacts from Andrei Sannikov and Natallia Radzina’s phones contained another\r\nseparate identical email, according to the Citizen Lab. This suggests that a single Pegasus spyware operator may\r\nbe behind the targeting of at least three of the victims and possibly all five. \r\nhttps://www.accessnow.org/publication/civil-society-in-exile-pegasus/\r\nPage 2 of 3\n\n// Who is responsible? \r\nAccess Now and the Citizen Lab are not publicly naming a specific operator at this time. Given that Poland has\r\nnot been documented as targeting victims outside the country with Pegasus spyware, and considering reports that\r\nPoland’s government stopped using Pegasus spyware in 2021, it is unlikely that Poland is behind the attacks\r\nmentioned in this investigation. The Citizen Lab tells us that there is also no evidence suggesting that Russia,\r\nBelarus, or Lithuania are Pegasus customers. Latvia appears to use Pegasus, but the country is also not known\r\nfor targeting victims outside of its borders. Estonia is another Baltic state that cooperates closely with Latvia and\r\nLithuania on security matters, including regarding Russia and Belarus. According to the Citizen Lab, Estonia\r\ndoes appear to use Pegasus extensively outside their borders, including within multiple European countries. \r\n// The investigation continues\r\nAccess Now, the Citizen Lab, and other partners continue investigating these attacks against journalists, activists,\r\nand dissidents in exile and at home. We advise members of civil society to follow digital security\r\nrecommendations, which include updating your devices’ software or implementing Apple Lockdown Mode. If\r\nyou received an Apple threat notification or suspect your device may have been targeted with spyware, contact\r\nAccess Now’s Digital Security Helpline; support is available in nine languages including Russian. \r\nIn the meantime, Access Now urges all governments to establish an immediate moratorium on the export, sale,\r\ntransfer, servicing, and use of targeted digital surveillance technologies until rigorous human rights safeguards are\r\nput in place to regulate such practices, and to ban the use of spyware technologies such as Pegasus that have a\r\nhistory of enabling human rights abuses. \r\nSource: https://www.accessnow.org/publication/civil-society-in-exile-pegasus/\r\nhttps://www.accessnow.org/publication/civil-society-in-exile-pegasus/\r\nPage 3 of 3",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.accessnow.org/publication/civil-society-in-exile-pegasus/"
	],
	"report_names": [
		"civil-society-in-exile-pegasus"
	],
	"threat_actors": [],
	"ts_created_at": 1775434524,
	"ts_updated_at": 1775791243,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/823d1cb3e45e4701d5d2cb288c373b7c16a63e04.pdf",
		"text": "https://archive.orkl.eu/823d1cb3e45e4701d5d2cb288c373b7c16a63e04.txt",
		"img": "https://archive.orkl.eu/823d1cb3e45e4701d5d2cb288c373b7c16a63e04.jpg"
	}
}