Pegasus Spyware Used to Hack EU Politician Investigating NSO Group

European Union officials have confirmed that the mobile device of a high-ranking member of the European Parliament was compromised using Pegasus spyware while the politician was actively participating in a committee investigation into the software’s use. The breach, which targeted a lawmaker serving on the PEGA committee, underscores the ongoing tension between digital surveillance technology and the legislative bodies tasked with regulating it, according to reports verified by the European Parliament’s Committee of Inquiry to investigate the use of Pegasus and equivalent surveillance spyware.

The incident marks a significant escalation in the controversy surrounding NSO Group, the Israeli technology firm that developed the Pegasus software. Pegasus is designed to covertly infiltrate smartphones, granting operators access to encrypted messages, emails, location data, and even the device’s microphone and camera. While NSO Group maintains that its product is intended solely for use by government agencies to combat terrorism and organized crime, the targeting of a European lawmaker has intensified scrutiny from regulators and privacy advocates globally, as documented in the final report of the European Parliament’s PEGA committee.

The Scope of the Investigation

The PEGA committee was established in March 2022 following widespread allegations that various national governments—both within and outside the European Union—had misused commercial spyware to target journalists, political dissidents, and opposition figures. The committee’s mandate was to examine whether the use of such tools violated EU law, specifically the rights to privacy and freedom of expression enshrined in the Charter of Fundamental Rights of the European Union, as detailed in the official text of the Charter.

The discovery that a committee member’s phone had been compromised raised immediate questions regarding the security of European political institutions. Lawmakers involved in the probe reported receiving notifications from tech companies, such as Apple, warning them that they might have been targeted by “state-sponsored attackers.” These notifications prompted internal security audits within the European Parliament, which have since led to enhanced cybersecurity protocols for staff and elected representatives, according to statements released by the European Parliament Press Service.

NSO Group and the Regulatory Response

NSO Group has consistently denied wrongdoing, asserting that it does not operate the software it sells to its government clients and therefore cannot be held responsible for how those clients use the technology. In public hearings and responses to the European Parliament, the company has emphasized its compliance with export control regulations. However, the PEGA committee’s findings suggested that the lack of transparency in the spyware industry makes it nearly impossible to hold vendors accountable for the actions of their end-users, a conclusion supported by reports from Amnesty International’s Security Lab.

The committee’s final report, adopted in May 2023, called for stricter regulation of the spyware market, including a moratorium on the sale and use of such software until a clear legal framework is established. The report explicitly noted that the use of spyware against politicians, even within democratic states, poses a fundamental threat to the integrity of democratic processes. The European Commission is currently reviewing these recommendations to determine if new legislative measures are required to protect EU citizens and institutions from unauthorized digital surveillance, as noted in the official portal of the European Commission.

What Happens Next

As of late 2024, the focus has shifted toward the implementation of the European Union’s broader cybersecurity initiatives, including the EU Cyber Solidarity Act and the Cyber Resilience Act. These legislative efforts aim to strengthen the bloc’s capacity to detect and respond to cyber threats. The European Parliament continues to monitor instances of spyware abuse, with further hearings and updates expected as national judicial authorities conduct their own investigations into the specific instances of hacking identified during the PEGA inquiry.

For those interested in the ongoing legal and technical developments, the European Parliament maintains a public repository of meeting transcripts and committee findings. Public discourse regarding the balance between national security and individual privacy remains a central pillar of the ongoing legislative debate in Brussels.
