The Ethiopian government used spyware acquired from an Israeli company to spy on dissidents living in the country and abroad, but government operatives have failed when configuring their command and control (C&C) server, exposing a list of all their targets.
This secret surveillance operation appears to have started last year, and consisted of spear-phishing emails that contained links to various sites. On these websites, users were lured to download a fake Adobe Flash Player update or an app named Adobe PdfWriter to view videos or PDF files. The two files were laced with malware.
The spear-phishing campaign wasn't very well executed, and some targets became suspicious. Some forwarded the fishy emails to Citizen Lab, an organization that has a long history of tracking and exposing politically motivated surveillance campaigns.
Instead of backing down and dismantling their infrastructure, Ethiopian government operatives decided to spear-phish a Citizen Lab researcher involved in the investigation — a big error on their part.
The Citizen Lab team became more interested in the attacks and eventually discovered that the malware packed with the fake Flash Player and PdfWriter apps was communicating with an online C&C server that was exposing its web folders.
Inside these web folders, researchers found everything they needed to understand what attackers were after, including logs of the attackers' IP addresses, and a detailed list of targets the Ethiopian government operatives were trying to infect and keep under surveillance.
Recap: Cyberbit/Elbit, a multi-billion dollar corp listed on Nasdaq, sells lawful intercept tech to a blacklisted country, uses 90s social engineering skills for infection, C&C domains under employee names, trojan signed with a subsidiary cert, leaves all Op logs open on www— Chaouki Bekrar (@cBekrar) December 6, 2017
The list of targets —which Citizen Lab researchers promptly notified— included journalists, activists, and dissidents involved in recent protests that took place in Ethiopia's Oromia region, but also government officials from neighboring country Eritrea.
The Ethiopian government not only infected local Ethiopians but also a large number of persons living in the Ethiopian diasporas in other countries (see map below).
According to the Citizen Lab team, the malware used in these attacks is a Windows program named PC Surveillance System (PSS), sold by Cyberbit, an Israel-based cyber-security company that is a subsidiary of Elbit Systems.
Cyberbit knowingly markets and sells PSS as lawful surveillance software to intelligence and law enforcement agencies across the world.
The company now joins three other firms whose products were exposed as the go-to cyber tools of oppressive regimes. They are Hacking Team (product: RCS - Remote Control Systems), Gamma Group (product: FinSpy), and NSO Group (multiple products).
According to Citizen Lab researchers, this was not the first time the Ethiopian government bought surveillance software, country officials being avid customers of HackingTeam and Gamma Group, whose products they deployed in previous years.
Contacted by Citizen Lab investigators, Cyberbit management washed its hands of all responsibility, telling researchers they are only a vendor and they do not operate any of their products.
The company also said it offers PSS "only to sovereign governmental authorities and law enforcement agencies," which "are responsible to ensure that they are legally authorized to use the products in their jurisdictions."
Nonetheless, it's because of companies like Cyberbit that turn a blind eye to what their clients actually do that oppressive governments remain in power for years and decades because they're able to discover and arrest —if not worse— any critical voices.
The full Citizen Lab report is available here.