A former EU lawmaker was hacked with Pegasus spyware while investigating its use, according to Citizen Lab.

The Citizen Lab published a report documenting one of the more darkly ironic findings in recent surveillance research: former Member of the European Parliament Stelios Kouloglou was repeatedly infected with NSO Group’s Pegasus spyware while serving on the very committee tasked with investigating Pegasus abuses across the EU. The PEGA Committee ran from March 2022 to July 2023. Kouloglou was on it the entire time.

“We found that former Member of the European Parliament Stelios Kouloglou was hacked with Pegasus spyware while serving on the PEGA committee, which investigated Pegasus and other spyware abuses in Europe,” reads the Citizen Lab report. “Through forensic analysis of his device, we found that the attackers could have had access to confidential documents and committee deliberations.”

The infections happened on October 21, 2022, and again on March 6 and 7, 2023, both during periods of intense PEGA activity. The first infection came ten days before a planned committee visit to Greece and Cyprus, and while drafts of the first PEGA report were circulating among members. The second hit while the committee was deep in the final drafting process, two months before the report’s adoption in May 2023.

The delivery mechanism for the first infection was PWNYOURHOME, a zero-click exploit targeting Apple’s HomeKit system.

“On 2022-10-21 10:16, there was a lookup for a HomeKit email address rauharepo888 [@]gmail.com. Two minutes later, a Pegasus process used mobile data. We assess that the phone was hacked with the PWNYOURHOME zero-click exploit at this point,” the report continues. “PWNYOURHOME appeared to first involve the attacker sending a specially crafted NSKeyedArchive that landed in HomeKit, followed by malicious content that landed in MessagesBlastDoorService,” the researchers noted. No interaction was required from Kouloglou.
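The forensic sequence the report describes (a HomeKit address lookup followed minutes later by an unexpected process using mobile data) can be expressed as a simple timeline correlation. The following is an added example, not Citizen Lab’s tooling: it runs over a constructed device timeline whose line format, process allowlist and email addresses are all assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample timeline (not the report's forensic data). The line
# format "<ISO timestamp> <event kind> <key>=<value>" is an assumption.
SAMPLE_TIMELINE = """\
2022-10-21T10:10:00 homekit_lookup addr=family-hub@example.com
2022-10-21T10:11:00 net_usage proc=com.apple.homed
2022-10-21T10:16:00 homekit_lookup addr=unknown-sender@example.com
2022-10-21T10:18:00 net_usage proc=unsigned_unknown_proc
2022-10-21T11:30:00 net_usage proc=another_unknown_proc
"""

# Assumed allowlist of processes that legitimately generate traffic on the device.
EXPECTED_PROCESSES = {"com.apple.homed", "com.apple.mobilesafari", "com.apple.MobileSMS"}

LINE_RE = re.compile(r"^(\S+) (homekit_lookup|net_usage) (?:addr|proc)=(\S+)$")


def parse_timeline(text):
    """Parse timeline lines into sorted (timestamp, kind, detail) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the whole run
        ts, kind, detail = m.groups()
        events.append((datetime.fromisoformat(ts), kind, detail))
    return sorted(events)


def find_suspicious_sequences(events, window=timedelta(minutes=5)):
    """Pair each HomeKit address lookup with any later network use by a process
    outside the allowlist within `window`. Returns (lookup_time, address, process)."""
    hits = []
    for i, (ts, kind, detail) in enumerate(events):
        if kind != "homekit_lookup":
            continue
        for later_ts, later_kind, later_detail in events[i + 1:]:
            if later_ts - ts > window:
                break  # events are sorted, so nothing further can fall in the window
            if later_kind == "net_usage" and later_detail not in EXPECTED_PROCESSES:
                hits.append((ts, detail, later_detail))
    return hits


if __name__ == "__main__":
    for lookup_ts, addr, proc in find_suspicious_sequences(parse_timeline(SAMPLE_TIMELINE)):
        print(f"{lookup_ts.isoformat()} lookup of {addr} followed by traffic from {proc}")
```

The benign 10:10 lookup produces no alert because the only traffic inside its window comes from an allowlisted process; the 10:16 lookup is flagged.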
His device was running iOS 15.5 on both infection dates — a version Apple had already moved past. He also received three Apple threat notifications about mercenary spyware targeting, in March 2023, August 2023, and April 2024. He told the Citizen Lab he didn’t recall seeing any of them.

The timing of the first infection adds another layer. On October 21, 2022, Kouloglou was in a Greek hospital for elective surgery. He was visited that day by investigative journalist Thanasis Koukakis, who had himself been confirmed as a Predator spyware target and had testified before the PEGA Committee the month before. If Pegasus captured conversations in that hospital room, Greek law covering confidentiality of health data may have been violated.

Citizen Lab says it is highly confident that former MEP Stelios Kouloglou was infected with Pegasus, but cannot identify NSO’s customer behind the attack. Researchers found no evidence linking the operation to the Greek government, which has instead been associated with Predator spyware. Technical evidence suggests the same Pegasus operator also targeted Russian and Belarusian journalists and activists in Europe. The infections occurred in both Greece and Belgium, indicating the spyware operator likely held a license allowing surveillance across multiple EU countries.

“We further note that infections appear to have been present on his phone in at least two European jurisdictions (Greece and Belgium),” continues Citizen Lab.
“Based on what we know of NSO Group’s licensing, this would likely indicate that the customer had a license that enabled infections in multiple EU jurisdictions, narrowing the list of potential Pegasus operators that could be responsible for this case.”

The same HomeKit email address used against Kouloglou in 2022 appeared in a prior Citizen Lab investigation into Pegasus infections of Russian- and Belarusian-speaking journalists and activists living in Europe.

This is the first confirmed case of a PEGA Committee member being hacked with Pegasus while the committee was in session. He is not the first MEP targeted with spyware: Catalan MEPs were hit with Pegasus as far back as 2019, and French MEP Nathalie Loiseau confirmed she was targeted in early 2024. The Citizen Lab is now calling on the European Parliament to investigate the full scope of spyware targeting during the PEGA proceedings, and urging DG ITEC, which already offers optional spyware screening for MEPs, to significantly increase screening rates and publish yearly statistics. The committee spent more than a year investigating who was spying on Europeans. Someone was apparently taking notes the whole time.

“Whichever entity is responsible for the hacking, the infection could have exposed strictly confidential exchanges among PEGA Committee members and their staff, and other sensitive and confidential parliamentary proceedings, including to parties under investigation by the Committee itself,” concludes the report. “The finding that a PEGA Committee member was targeted with Pegasus spyware during the Committee’s work highlights the serious threat that mercenary spyware poses to the integrity of democratic processes.”

Pierluigi Paganini (SecurityAffairs – hacking, Pegasus spyware)