
How a zero-click exploit infiltrated the European parliament spyware probe

How a zero-click Pegasus exploit targeted a European Parliament member during a high-stakes spyware investigation. Technical analysis of the PWNYOURHOME flaw.

The breach of a mobile device belonging to a legislator tasked with investigating illegal surveillance is a scenario that sounds like a spy novel, but for Stelios Kouloglou, it was a forensic reality. While serving on the European Parliament PEGA Committee, Kouloglou was the target of repeated Pegasus spyware infections. This committee existed specifically to investigate the abuse of commercial surveillance tools across the European Union. The irony of the situation is heavy, yet the technical mechanics of the attack reveal a far more concerning reality about modern mobile security. This incident was not a matter of a user clicking a suspicious link or downloading a malicious attachment. It was a silent, zero-click intrusion that bypassed the standard security controls of one of the most secure consumer devices on the market.

I recently spent an afternoon reviewing the forensic artifacts common in Pegasus infections with a colleague who specializes in mobile incident response. We often see a pattern where the most sophisticated attackers avoid interaction entirely. They prefer the path of least resistance, which in the world of high-end mercenary spyware, often involves targeting system processes that the user never sees. In Kouloglou's case, the attackers weaponized a specific vulnerability in Apple's HomeKit framework. This methodology allows an attacker to compromise a device without any notification or action from the owner. When your security model relies on the user making the right choice, a zero-click exploit effectively renders that model obsolete.

The anatomy of the PWNYOURHOME exploit

The Citizen Lab researchers identified that the infections on Kouloglou's iPhone occurred through an exploit codenamed PWNYOURHOME. This specific attack chain targets the HomeKit daemon on iOS. On October 21, 2022, forensic logs showed a lookup for a specific HomeKit-related email address: rauharepo888[@]gmail.com. Two minutes later, a Pegasus process was active on the device, consuming mobile data. This sequence of events is a classic sign of a zero-click exploit at work. The attacker sends a specially crafted request through a service like iMessage or HomeKit, which the phone processes automatically in the background. If the request contains malicious code that exploits a memory management flaw, the attacker gains the ability to execute code with the privileges of the targeted service.
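The sequence just described (an account lookup the owner does not recognise, then an unfamiliar process consuming mobile data minutes later) is the kind of correlation a forensic reviewer looks for. The script below is an added illustration, not code from the article or from Citizen Lab: the log format, the accounts, the process names and the five-minute window are all constructed for the example.

```python
# Added example: correlate an untrusted HomeKit account lookup with follow-on
# mobile-data use by a process outside the device's baseline, the pattern
# described above. Log format, accounts and process names are constructed.
from datetime import datetime, timedelta

# Constructed log lines: ISO timestamp, subsystem, then key=value fields.
SAMPLE_LOG = """\
2022-10-21T09:58:00 homekit account=unknown-invite@example.net action=lookup
2022-10-21T10:00:00 netusage process=com.example.unseenproc wwan_out=5120000
2022-10-21T10:03:00 netusage process=com.example.idleproc wwan_out=0
2022-10-21T11:30:00 homekit account=spouse@example.net action=lookup
2022-10-21T11:45:00 netusage process=com.apple.mobilemail wwan_out=20000
"""

TRUSTED_ACCOUNTS = {"spouse@example.net"}   # contacts the owner recognises (hypothetical)
KNOWN_PROCESSES = {"com.apple.mobilemail"}  # processes seen in the device baseline (hypothetical)


def parse_log(text):
    """Parse constructed lines into (timestamp, subsystem, fields) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, subsystem, *kv = line.split()
        fields = dict(pair.split("=", 1) for pair in kv)
        records.append((datetime.fromisoformat(ts), subsystem, fields))
    return records


def find_suspicious_sequences(records, window=timedelta(minutes=5)):
    """Flag each HomeKit lookup of an untrusted account that is followed within
    `window` by non-zero mobile-data use from a process outside the baseline.
    Returns (account, process, minutes_after_lookup) tuples."""
    hits = []
    for ts, subsystem, fields in records:
        if subsystem != "homekit" or fields.get("account") in TRUSTED_ACCOUNTS:
            continue
        for ts2, sub2, f2 in records:
            if sub2 != "netusage" or f2.get("process") in KNOWN_PROCESSES:
                continue
            delta = ts2 - ts
            if timedelta(0) <= delta <= window and int(f2.get("wwan_out", "0")) > 0:
                hits.append((fields["account"], f2["process"], int(delta.total_seconds() // 60)))
    return hits


if __name__ == "__main__":
    for account, process, minutes in find_suspicious_sequences(parse_log(SAMPLE_LOG)):
        print(f"untrusted HomeKit lookup for {account}; {process} used mobile data {minutes} min later")
```

On the constructed input only the first pair is flagged: the zero-byte process and the lookup of a trusted contact are filtered out.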

At the time of the first infection, Kouloglou was running iOS 15.5. Apple eventually addressed this vulnerability in iOS 16.3.1, but for months, the device remained open to this specific entry point. From an architectural perspective, this exploit highlights a systemic weakness in how mobile operating systems handle complex, interconnected services. HomeKit is designed to make life easier by automating smart home devices, but its deep integration into the core of the OS provides a massive attack surface. Think of it as a back door left unlocked in a high-security building because the residents wanted the convenience of a remote-controlled entry system.

Mapping the timeline of the intrusion

The timing of these infections suggests a highly strategic objective. The first successful compromise occurred in October 2022, while Kouloglou was in the hospital for surgery. During this period, he received a visit from Thanasis Koukakis, a Greek journalist who was previously targeted with Predator spyware. The second set of infections occurred in March 2023. This period was critical for the PEGA Committee, as members were engaged in intense discussions regarding the final drafting of their investigative report. The attackers had access to the device during the very weeks when confidential deliberations and witness testimonies were most sensitive.

Citizen Lab found that the spyware was active on March 6 and 7, 2023, weaponizing the same PWNYOURHOME exploit used months earlier. This persistence is a hallmark of Pegasus operations. The spyware is designed to be stealthy, but it is also resilient. If a device reboots, the operator often needs to re-infect it. The fact that the attackers successfully re-compromised the device using the same vector suggests they were confident in the exploit's continued efficacy against the unpatched iOS version. By design, Pegasus allows the operator to record calls, read encrypted messages, and even activate the microphone or camera remotely. For a member of a committee investigating these very tools, the exposure of such data is a catastrophic failure of confidentiality.

The connection to broader European surveillance

One of the most significant findings in the Citizen Lab report is the overlap between the Kouloglou case and other campaigns. The specific Gmail address used in the HomeKit lookup, rauharepo888[@]gmail.com, was also seen in attacks against Russian and Belarusian journalists living in exile in Europe. Forensic analysis of Pegasus infrastructure suggests that these email addresses are often unique to specific operators or customers of the NSO Group. This discovery points toward a Pegasus customer with a license that permits operations across multiple European jurisdictions.

This connection changes the narrative from an isolated incident to part of a pervasive pattern of cross-border surveillance. When a single operator is targeting both opposition journalists and high-ranking European legislators, the distinction between national security and political espionage vanishes. In terms of data integrity, the presence of such tools on a lawmaker's device calls into question the security of every communication they had with whistleblowers and activists. These individuals often risk their lives to provide information to investigative committees, and they do so under the assumption that their identity is protected by the legislator's digital security.

Telecommunications as a silent vector

While the Kouloglou case focused on malware-based surveillance, it is important to recognize that Pegasus is only one part of a larger toolkit. Recent investigations by Citizen Lab have also revealed the use of telecom-level tracking. These campaigns exploit weaknesses in the Signaling System No. 7 (SS7) and Diameter protocols, which are the backbone of global mobile roaming. Attackers can track a person's location without ever installing malware on their device. They do this by spoofing operator identities and sending malicious signaling commands through trusted telecom providers.

This type of surveillance is even harder to detect than a Pegasus infection. There are no forensic artifacts on the phone because the attack happens within the network infrastructure. In practical terms, this makes the telecommunications ecosystem a critical point of failure for high-risk individuals. Certain providers in the UK and Jersey were identified as transit points for this malicious signaling traffic. These providers effectively functioned as a covert bridge for surveillance vendors to track targets globally. This reveals that even if you have the most secure phone in the world, the network itself remains an exploitable path for state-sponsored actors.

Moving toward a resilient defense

The recurring theme in these forensic reports is that traditional security measures are insufficient against mercenary spyware. If you are a high-risk target, patching is only the first step. Patching is like plugging holes in a ship's hull; it keeps you afloat, but it doesn't stop the enemy from firing more shots. For users who face state-sponsored threats, Apple introduced Lockdown Mode. This feature drastically reduces the attack surface by disabling complex web technologies, blocking certain types of attachments, and restricting incoming service requests like HomeKit invitations from unknown users.

From a risk perspective, the Kouloglou case is a reminder that digital security is a mission-critical component of democratic oversight. When the investigators themselves are compromised, the integrity of the entire investigation is at risk. We must move toward a zero-trust model for mobile devices where we no longer assume a device is secure just because it is updated. For those in sensitive roles, hardware security keys and end-to-end encrypted communication via platforms like Signal are no longer optional. They are the baseline for survival in a digital environment where the walls have ears.

Key takeaways for high-risk users

Implementing a defensive strategy requires a granular approach to device hardening. If your work involves handling sensitive data or investigating powerful entities, consider the following steps:

  • Enable Lockdown Mode on all iOS and macOS devices to disable the high-risk features frequently used in zero-click exploits.
  • Audit your Apple ID and Google accounts for unauthorized devices and ensure that HomeKit permissions are restricted to known, trusted contacts.
  • Use hardware security keys for multi-factor authentication to prevent account takeovers even if your credentials are compromised.
  • Reboot your mobile device daily. While some spyware is persistent, many exploits reside in temporary memory and are cleared upon a restart.
  • Monitor for threat notifications from manufacturers. Apple and Google now proactively alert users when they detect signs of state-sponsored targeting.

Sources:

  • Citizen Lab: "The PEGA Committee and the Pegasus Spyware"
  • NIST Special Publication 800-213: "IoT Device Cybersecurity Guidance"
  • MITRE ATT&CK: "Mobile Software Techniques and Sub-Techniques"
  • European Parliament: "PEGA Committee Final Report on the Use of Pegasus"

Disclaimer: This article is for informational and educational purposes only and does not replace a professional cybersecurity audit or incident response service.
