Researchers from the University of Toronto’s amazing Citizen Lab have published a new report detailing the latest tactics of the autocratic government of Ethiopia, “the world’s first turnkey surveillance state,” whose human rights abuses have been entirely enabled with software and expertise purchased on the open market, largely from companies in western countries, such as Finfisher and Hacking Team.
In Champing at the Cyberbit, Citizen Lab researchers Bill Marczak, Geoffrey Alexander, Sarah McKune, John Scott-Railton, and Ron Deibert disclose how malware developed and sold by the Israeli company Cyberbit (a subsidiary of Elbit) was used to attack members of the Ethiopian opposition, including political exiles in the USA and elsewhere who were forced to leave Ethiopia in fear of their lives.
Citizen Lab also determined that the malware servers used to effect these attacks were actively operated and managed by Cyberbit — in other words, they actively colluded in the use of their products to attack journalists and peaceful democratic opposition figures on behalf of a tyrannical regime.
Cyberbit also targeted Citizen Lab researcher Bill Marczak.
Citizen Lab was able to assemble a complete picture of the illegal surveillance that Cyberbit effected on behalf of Ethiopia because Cyberbit failed to secure its servers; once Citizen Lab discovered them, they were able to browse all the surveillance data that Cyberbit’s malware had extracted from its victims.
Citizen Lab also used Cyberbit’s publicly readable data to track where the company had demonstrated its products and determined that the company was making sales calls in many failed and autocratic states, including Rwanda, Nigeria, Zambia, Vietnam, Thailand, Uzbekistan, Kazakhstan, and The Philippines.
* This report describes how Ethiopian dissidents in the US, UK, and other countries were targeted with emails containing sophisticated commercial spyware posing as Adobe Flash updates and PDF plugins. Targets include a US-based Ethiopian diaspora media outlet, the Oromia Media Network (OMN), a PhD student, and a lawyer. During the course of our investigation, one of the authors of this report was also targeted.
* We found a public logfile on the spyware’s command and control server and monitored this logfile over the course of more than a year. We saw the spyware’s operators connecting from Ethiopia, and infected computers connecting from IP addresses in 20 countries, including IP addresses we traced to Eritrean companies and government agencies.
* Our analysis of the spyware indicates it is a product known as PC Surveillance System (PSS), a commercial spyware product with a novel exploit-free architecture. PSS is offered by Cyberbit — an Israel-based cyber security company that is a wholly-owned subsidiary of Elbit Systems — and marketed to intelligence and law enforcement agencies.
* We conducted Internet scanning to find other servers associated with PSS and found several servers that appear to be operated by Cyberbit themselves. The public logfiles on these servers seem to have tracked Cyberbit employees as they carried infected laptops around the world, apparently providing demonstrations of PSS to the Royal Thai Army, Uzbekistan’s National Security Service, Zambia’s Financial Intelligence Centre, the Philippine President’s Malacañang Palace, ISS World Europe 2017 in Prague, and Milipol 2017 in Paris. Cyberbit also appears to have provided other demos of PSS in France, Vietnam, Kazakhstan, Rwanda, Serbia, and Nigeria.
Champing at the Cyberbit [Bill Marczak, Geoffrey Alexander, Sarah McKune, John Scott-Railton, and Ron Deibert/Citizen Lab]
Ethiopia Allegedly Spied on Security Researcher With Israel-Made Spyware [Lorenzo Franceschi-Bicchierai/Motherboard]