
Ethiopian Spies Score Own Goal

Extensive research by Citizen Lab shows Ethiopian spies using spyware acquired from the Israeli company Cyberbit. The discovery resulted from the Ethiopian operatives failing to properly configure their command and control (C&C) server, which left the intelligence agency's targets exposed online for all to see. The surveillance operation appears to have started last year.

The operation relied on a poorly executed spear phishing campaign in which potential targets were lured into downloading a fake Adobe Flash Player update or an app named Adobe PdfWriter, supposedly needed to view videos or PDF files. These files were laced with the spyware sold by Cyberbit. The affair has yet again raised questions about the morality of such companies, all the more so because Ethiopia is one of the poorest countries in the world: less than 5 percent of its population has access to the internet, and it is run by an autocratic government routinely flagged for human rights abuses and corruption.

Operatives make fatal error

As mentioned above, the initial spear phishing campaign was poorly executed, so much so that intended targets became suspicious. Those who were wary forwarded the emails to Citizen Lab, a group well known for exposing politically motivated surveillance campaigns. This should have been the operatives' first warning to stop the operation. They nevertheless continued the campaign and targeted one of the researchers at Citizen Lab, which naturally drew the rights group's full attention.


The research team found that the emails were laced with the malware sold by the Israeli company. It was further discovered that the malware, packaged in the fake Flash Player and PdfWriter apps, was communicating with an online C&C server that exposed its web folders through open directory listings. In a rather unprofessional display, the exposed web folder contained logs of the attackers' own IP addresses and a detailed list of the targets the Ethiopian government operatives were trying to infect and keep under surveillance.

The targets of the misguided campaign

From the information gathered from the exposed server, researchers were able to see who was targeted. The targets included both local and foreign persons of obvious interest to the Ethiopian government. Included in the list were journalists, activists, and dissidents involved in recent protests that took place in Ethiopia's Oromia region. During those anti-government protests, security forces killed over 1000 people, many of them from Oromia, culminating in a state of emergency declared in October 2016 that lasted over 10 months. The protests were sparked by fear of the government's Addis Ababa Master Plan, which protesters feared would displace some of the 2 million Oromo residents living around Addis Ababa. The government responded by labeling the protesters as terrorists and authorizing the use of lethal force against them.

Other targets included government officials from the neighboring country of Eritrea, as well as Ethiopians living abroad. One of the major Ethiopian targets was Jawar Mohammed, the Executive Director of the Oromia Media Network (OMN) and a major voice opposed to the actions of his government, with 1.2 million Facebook followers. It was the emails sent to him that were forwarded to Citizen Lab.

Cyberbit

Cyberbit is an Israel-based cybersecurity company and a wholly-owned subsidiary of the Israeli defense and homeland security manufacturer and contractor Elbit Systems. Elbit Systems previously acquired C4 Security in June 2011 for $10.9 million. It appears that C4 developed the product called “PSS Surveillance System,” billed as a “solution for intelligence and law enforcement agencies,” according to an employee's LinkedIn profile. It is this spyware that has been used by Ethiopian operatives to snoop on activists and citizens. Cyberbit, however, states that the program is sold and marketed as lawful surveillance software to intelligence and law enforcement agencies across the world.

PSS is an incredibly feature-rich piece of spyware. Its features include:

  • Audio/Video recording including scheduling recordings at a later time
  • Reading browser history and stored passwords
  • Filesystem operations including creating, deleting, moving, renaming, uploading, and downloading files
  • Editing/Querying registry keys
  • Geolocation based on available Wi-Fi networks
  • Accessing Skype databases, call logs, and contacts
  • Listing network connections and devices
  • Starting/Stopping processes
  • Taking screenshots
  • Keylogging
  • Accessing clipboard data
  • Accessing recently used file list

The ethical questions raised

Cyberbit has joined companies like Hacking Team (product: RCS - Remote Control System), Gamma Group (product: FinSpy), and NSO Group (multiple products) as the go-to suppliers of cyber tools used by regimes to spy on their own citizens. When Citizen Lab wrote to Cyberbit informing it of the use of its spyware by Ethiopian officials, Cyberbit responded by stating that it only offers PSS “… to sovereign governmental authorities and law enforcement agencies,” which “are responsible to ensure that they are legally authorized to use the products in their jurisdictions.” This effectively washes its hands of any responsibility.

While the company has washed its hands of responsibility, it may still be in contravention of certain laws. As a provider of powerful surveillance technology, the company is bound by both Israel's export control regime and the UN Guiding Principles on Business and Human Rights to concern itself with the potential for human rights abuses facilitated through the use of its product. Ethiopia's existing record of misusing surveillance software supplied by other companies raises urgent questions about Cyberbit's corporate social responsibility and due diligence efforts, and about the effectiveness of Israel's export controls in preventing human rights abuses.

Another major concern raised by offerings like Cyberbit's is their apparent disregard for intellectual property. The apparent abuse of Adobe Systems' brand and of the code-signing certificate verification process undermines security in the larger digital ecosystem. Such practices also contravene terms of service as well as clear legal standards that exist in many jurisdictions to prevent the appropriation of intellectual property. If a company builds a successful business on those foundations, legal and ethical questions need to be asked by the international community at large.


About the author:

Karolis Liucveikis

Karolis Liucveikis is an experienced software engineer, passionate about behavioral analysis of malicious apps.

Author and general operator of PCrisk's "Removal Guides" section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has over five years of experience in this field. He attended KTU University and graduated with a degree in Software Development in 2017. Extremely passionate about the technical aspects and behavior of various malicious applications.
