Pegasus Spyware Infected EU Lawmaker Investigating the Tool, Citizen Lab Confirms
What Happened — Citizen Lab’s forensic analysis shows that former EU Member of the European Parliament Stelios Kouloglou was infected three times with NSO Group’s Pegasus spyware while serving on the EU “PEGA” committee that was tasked with investigating Pegasus abuses. The first infection (Oct 21 2022) used the zero‑click PWNYOURHOME exploit against Apple HomeKit; two later infections (Mar 6‑7 2023) occurred during the committee’s final drafting phase.
Why It Matters for Compliance & Audit Readiness
- The incident illustrates how a sophisticated zero‑click exploit can bypass traditional user‑awareness controls, underscoring the need for SOC 2‑aligned Access Controls that include device‑level hardening and continuous monitoring.
- Evidence of unauthorized access to confidential committee documents creates a clear audit trail requirement: organizations must be able to prove who accessed what, when, and how—exactly the kind of evidence SOC 2 audits demand.
Who Is Affected — Government & public‑sector bodies, elected officials, and any organization handling highly sensitive policy or intelligence data.
Recommended Actions
- Map the incident to SOC 2 CC6.1 (Logical Access) and CC7.1 (System Operations) controls; verify that mobile device management (MDM) policies enforce up‑to‑date OS patches and block zero‑day exploits.
- Implement continuous endpoint telemetry and immutable logging to capture anomalous process activity for forensic readiness.
- Review and strengthen incident‑response playbooks for zero‑click exploits, including rapid containment and mandatory breach notification procedures.
Source: Security Affairs
Technical Notes — The PWNYOURHOME exploit leveraged a crafted NSKeyedArchive delivered to Apple HomeKit, requiring no user interaction. The victim’s device ran iOS 15.5, an OS version already out‑of‑support. No Apple security updates were applied, allowing the zero‑click chain to execute Pegasus’s surveillance payload. Source: same as above