At least seven journalists and activists who have been vocal critics of the Kremlin and its allies have been targeted inside the EU by a state using Pegasus, the hacking spyware made by Israel’s NSO Group, according to a new report by security researchers.

The targets of the hacking attempts – who were first alerted to the attempted cyber-intrusions after receiving threat notifications from Apple on their iPhones – include Russian, Belarusian, Latvian and Israeli journalists and activists inside the EU.

Pegasus is considered one of the most sophisticated cyberweapons in the world, and is operated by countries who acquire the technology from NSO. The company says it is meant to be used for legitimate reasons, such as fighting crime. But researchers have documented hundreds of cases in which operators of the spyware, including states inside the EU, have allegedly used it for other purposes, including spying on political opponents and journalists.

Researchers said they could not definitively identify the state or state agency behind the latest hacking attempts, but they said technical indicators suggested the attempts may have been made by the same NSO client. The developments follow a similar report last year that found Pegasus spyware had been used by an operator inside the EU to target Galina Timchenko, the award-winning Russian journalist and co-founder of the news website Meduza.

The investigation into the latest attempted cyber-attacks was conducted by the digital civil rights campaigners Access Now, the Citizen Lab at the University of Toronto’s Munk School, and Nikolai Kvantaliani, an independent security analyst.

When it is successfully deployed, Pegasus can hack into any phone, access photos and mobile phone calls, detect a person’s location, and activate a user’s recorder, turning the phone into a listening device.

The company was placed on a blacklist by the Biden administration in 2021. It is also being sued by WhatsApp and Apple, in cases that it has disputed and that are being litigated in US courts.

While Russia might seem to be the most logical possible state behind the latest series of attacks, researchers have focused their attention within the EU and say they do not believe that Russia or Belarus are NSO customers. While Latvia appears to have access to Pegasus, it is not known for targeting individuals outside its borders. Estonia is also a known user of Pegasus and, researchers said, appears to use the spyware “extensively” outside its borders, including in Europe.

One Russian target, a journalist who lives in exile in Vilnius and has decided to remain anonymous due to personal safety concerns, received two Apple threat notifications, with the latest on 10 April 2024, according to the researchers. An analysis of the journalist’s mobile phone confirmed an attempted infection on 15 June 2023. The journalist attended a conference for Russian journalists in exile in Riga, Latvia the next day, focusing on the vulnerabilities facing journalists in the region.

Two Belarusian members of civil society living in Warsaw also received Apple notifications on 31 October 2023. Opposition politician and activist Andrei Sannikov, who ran for the presidency of Belarus in 2010 and was arrested and held by the Belarusian KGB after the poll, had his phone infected on or about 7 September 2021. It was not discovered for two years, he said.

"Even if it is Estonia or Lithuania, or Latvia or Poland, it does not exclude that it is the FSB or KGB [behind it],” Sannikov said. Asked whether the spate of attacks indicated that an intelligence or law enforcement agency within the EU had been infiltrated by Russia or its allies, he added: “Yes of course. It is I think common knowledge that the western institutions are heavily infiltrated and so [are] opposition circles, as well.”

Natalia Radzina, editor-in-chief of the independent Belarusian media website Charter97.org, and winner of the international press freedom award from the Committee to Protect Journalists, was infected with Pegasus twice in late 2022 and in early 2023.

Radzina called the infections a violation of privacy that was reminiscent of previous intrusions in Belarus, where she was politically persecuted and imprisoned by the KGB.

“I know that for many years my absolutely legal journalistic activity can only be of interest to the Belarusian and Russian special services, and I am only afraid of possible cooperation in this matter between the current operators, whoever they are, with the KGB or the FSB,” she said.

Three other journalists living in Riga also received Apple threat notifications: Evgeny Erlikh, an Israeli-Russian journalist; Evgeny Pavlov, a Latvian journalist, and Maria Epifanova, general director of Novaya Gazeta Europe.

NSO, which is regulated by the Israel’s ministry of defence, says it sells its spyware to vetted law enforcement agencies strictly for the purposes of preventing crime and terror attacks. It said it could not confirm or deny the identities of any alleged specific customers, but that it wanted to emphasise that NSO only sells its products to “allies of Israel and the US”.

The company also provided the Guardian with a copy of a letter it had sent to Ivan Kolpakov, the editor-in-chief of Meduza, in response to his letter to the company. NSO’s deputy general counsel Chaim Gelfand said the company was “deeply troubled by any allegation of potential misuse of our system” and said he would immediately review information Kolpakov had provided to him and initiate an investigation “if warranted”. The company could not, he said, substantiate or refute any allegations without additional information.

Gelfand added: “NSO Group is committed to upholding human rights and protecting vulnerable individuals and communities, including journalists who play a crucial role in promoting and protecting these rights.”