Ethiopian Cyber Spies Left Clues Behind

The Ethiopian government used spyware acquired from an Israeli company to spy on dissidents living in the country and abroad, but government operatives made a basic mistake when configuring their command and control (C&C) server, exposing a list of all their targets.

This secret surveillance operation appears to have started last year and consisted of spear-phishing emails that contained links to various sites.

On these websites, users were lured to download a fake Adobe Flash Player update or an app named Adobe PdfWriter to view videos or PDF files. The two files were laced with malware.

Ethiopian operatives made crucial mistakes
The spear-phishing campaign wasn't very well executed, and some targets became suspicious. Some forwarded the fishy emails to Citizen Lab, an organization that has a long history of tracking and exposing politically motivated surveillance campaigns.

Instead of backing down and dismantling their infrastructure, Ethiopian government operatives decided to spear-phish a Citizen Lab researcher involved in the investigation, a big error on their part. The Citizen Lab team became more interested in the attacks and eventually discovered that the malware packed with the fake Flash Player and PdfWriter apps was communicating with an online C&C server that was exposing its web folders.

Inside these web folders, researchers found everything they needed to understand what attackers were after, including logs of the attackers' IP addresses, and a detailed list of targets the Ethiopian government operatives were trying to infect and keep under surveillance.

Attackers went after local and foreign targets
The Ethiopian government not only infected local Ethiopians but also a large number of persons living in the Ethiopian diaspora in other countries. The list of targets, whom Citizen Lab researchers promptly notified, included journalists, activists, and dissidents involved in recent protests that took place in Ethiopia's Oromia region, but also government officials from the neighboring country of Eritrea.

Malware is "lawful surveillance tech" sold by Israeli firm
According to the Citizen Lab team, the malware used in these attacks is a Windows program named PC Surveillance System (PSS), sold by Cyberbit, an Israel-based cyber-security company that is a subsidiary of Elbit Systems. Cyberbit knowingly markets and sells PSS as lawful surveillance software to intelligence and law enforcement agencies across the world.

The company now joins three other firms whose products were exposed as the go-to cyber tools of oppressive regimes. They are Hacking Team (product: RCS - Remote Control Systems), Gamma Group (product: FinSpy), and NSO Group (multiple products).

According to Citizen Lab researchers, this was not the first time the Ethiopian government bought surveillance software; the country's officials were avid customers of Hacking Team and Gamma Group, whose products they deployed in previous years.

Contacted by Citizen Lab investigators, Cyberbit management washed its hands of all responsibility, telling researchers that it is only a vendor and does not operate any of its products.

The company also said it offers PSS "only to sovereign governmental authorities and law enforcement agencies," which "are responsible to ensure that they are legally authorised to use the products in their jurisdictions." Nonetheless, it is companies like Cyberbit, which turn a blind eye to what their clients actually do, that help oppressive governments remain in power for years and decades, because those governments are able to discover and arrest, if not worse, any critical voices.

Bleeping Computer
