Executive Summary
In 2022 and 2023, the European Parliament's PEGA Committee, established to investigate the misuse of surveillance spyware like NSO Group's Pegasus, faced an ironic security breach. Greek journalist and substitute committee member Stelios Kouloglou's phone was infected with Pegasus spyware twice: first around October 2022 and again in March 2023. These infections coincided with critical phases of the committee's work, including the drafting of its final report. The infections were confirmed by the University of Toronto's Citizen Lab, highlighting the persistent threat posed by sophisticated spyware even to those tasked with investigating its misuse.
This incident underscores the ongoing challenges in protecting sensitive information from advanced surveillance tools. It also emphasizes the need for robust cybersecurity measures within governmental bodies and the urgency of implementing the PEGA Committee's recommendations to prevent future abuses of spyware technologies.
Why This Matters Now
The infection of a PEGA Committee member's phone with Pegasus spyware highlights the persistent and evolving threat of surveillance tools targeting high-profile individuals. This incident underscores the urgent need for robust cybersecurity measures and the implementation of regulatory frameworks to prevent the misuse of such technologies.
Attack Path Analysis
An attacker exploited vulnerabilities in the target's mobile device to install Pegasus spyware, gaining unauthorized access. The spyware escalated privileges to control device functions, enabling data collection. It moved laterally by accessing various applications and data stores. The spyware established command and control channels to receive instructions and exfiltrate data. Sensitive information was transmitted to external servers. The attack compromised personal and potentially classified information, violating privacy and security protocols.
Kill Chain Progression
Initial Compromise
Description
The attacker exploited vulnerabilities in the target's mobile device to install Pegasus spyware, gaining unauthorized access.
Related CVEs
CVE-2022-42856
CVSS 8.8. A type confusion issue in WebKit allows remote attackers to execute arbitrary code on affected devices.
Affected Products: Apple iOS – < 16.3.1
Exploit Status: exploited in the wild
MITRE ATT&CK® Techniques
Drive-by Compromise
Command and Scripting Interpreter
Boot or Logon Autostart Execution
Valid Accounts
Impair Defenses
Input Capture
Exfiltration Over C2 Channel
Endpoint Denial of Service
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
NIS2 Directive – Security of Network and Information Systems
Control ID: Article 21
GDPR – Security of Processing
Control ID: Article 32
ISO/IEC 27001 – Management of Technical Vulnerabilities
Control ID: A.12.6.1
CISA Zero Trust Maturity Model 2.0 – Identity Governance
Control ID: Identity Pillar
DORA – ICT Risk Management Framework
Control ID: Article 5
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Government Administration
Parliamentary committees face targeted Pegasus spyware infections during sensitive investigations, compromising democratic processes and requiring enhanced egress security controls.
Newspapers/Journalism
Investigative journalists experience sophisticated spyware attacks that bypass traditional security measures, necessitating zero trust segmentation and anomaly detection capabilities.
Law Practice/Law Firms
Legal professionals pursuing spyware litigation face encrypted traffic interception risks, requiring multicloud visibility and threat detection across hybrid connectivity environments.
Computer/Network Security
Security research organizations like Citizen Lab require enhanced inline IPS and cloud native security fabric to protect spyware investigation activities.
Sources
- Someone infected a spyware probe overseer with spyware: https://cyberscoop.com/pegasus-spyware-pega-committee-member-targeted/
- Espionage Against the European Parliament: Member of Committee Investigating Spyware Hacked with Pegasus: https://citizenlab.ca/research/member-of-committee-investigating-spyware-hacked-with-pegasus/
- Spyware used against MEP investigating Pegasus abuses, report finds: https://www.theguardian.com/world/2026/jul/03/spyware-used-against-mep-investigating-pegasus-abuses-report-finds
- Politician who investigated spyware abuses had his phone hacked with Pegasus spyware: https://techcrunch.com/2026/07/02/politician-who-investigated-spyware-abuses-had-his-phone-hacked-with-pegasus-spyware/
Frequently Asked Questions
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Aviatrix Zero Trust CNSF is pertinent to this incident as it would likely limit the attacker's ability to move laterally and exfiltrate data by enforcing strict segmentation and identity-aware policies.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: While Aviatrix CNSF primarily secures cloud workloads, its principles could inform strategies to limit unauthorized access in mobile environments.
Control: Zero Trust Segmentation
Mitigation: By enforcing strict segmentation, Aviatrix CNSF would likely limit the spyware's ability to escalate privileges and access sensitive functions.
Control: East-West Traffic Security
Mitigation: Aviatrix CNSF would likely restrict lateral movement by controlling east-west traffic between workloads.
Control: Multicloud Visibility & Control
Mitigation: Aviatrix CNSF would likely detect and limit unauthorized command and control communications.
Control: Egress Security & Policy Enforcement
Mitigation: Aviatrix CNSF would likely restrict unauthorized data exfiltration by enforcing egress policies.
Aviatrix CNSF would likely reduce the overall impact by limiting the attacker's ability to access and exfiltrate sensitive information.
Impact at a Glance
Affected Business Functions
- Legislative Communications
- Confidential Committee Deliberations
Estimated downtime: N/A
Estimated loss: N/A
Potential exposure of sensitive legislative communications and confidential committee deliberations.
Recommended Actions
Key Takeaways & Next Steps
- Implement Zero Trust Segmentation to restrict unauthorized access and limit lateral movement.
- Deploy Egress Security & Policy Enforcement to monitor and control outbound traffic, preventing unauthorized data exfiltration.
- Utilize Threat Detection & Anomaly Response systems to identify and respond to suspicious activities promptly.
- Ensure devices are regularly updated and patched to mitigate known vulnerabilities.
- Conduct regular security audits and training to enhance awareness and preparedness against spyware threats.