Ethiopian Cyber Spies Left Clues Behind

The Ethiopian government used spyware acquired from an Israeli company to spy on dissidents living in the country and abroad, but government operatives have failed when configuring their command and control (C&C) server, exposing a list of all their targets.

This secret surveillance operation appears to have started last year, and consisted of spear-phishing emails that contained links to various sites

On these websites, users were lured to download a fake Adobe Flash Player update or an app named Adobe PdfWriter to view videos or PDF files. The two files were laced with malware.

Ethiopian operatives made crucial mistakes 
The spear-phishing campaign wasn't very well executed, and some targets became suspicious. Some forwarded the fishy emails to Citizen Lab, an organization that has a long history of tracking and exposing politically motivated surveillance campaigns.

Instead of backing down and dismantling their infrastructure, Ethiopian government operatives decided to spear-phish a Citizen Lab researcher involved in the investigation, a big error on their part. The Citizen Lab team became more interested in the attacks and eventually discovered that the malware packed with the fake Flash Player and PdfWriter apps was communicating with an online C&C server that was exposing its web folders.

Inside these web folders, researchers found everything they needed to understand what attackers were after, including logs of the attackers' IP addresses, and a detailed list of targets the Ethiopian government operatives were trying to infect and keep under surveillance.

Attackers went after local and foreign targets
The Ethiopian government not only infected local Ethiopians but also a large number of persons living in the Ethiopian diasporas in other countries. The list of targets, which Citizen Lab researchers promptly notified, included journalists, activists, and dissidents involved in recent protests that took place in Ethiopia's Oromia region, but also government officials from neighboring country Eritrea.

Malware is "lawful surveillance tech" sold by Israeli firm
According to the Citizen Lab team, the malware used in these attacks is a Windows program named PC Surveillance System (PSS), sold by Cyberbit, an Israel-based cyber-security company that is a subsidiary of Elbit Systems. Cyberbit knowingly markets and sells PSS as lawful surveillance software to intelligence and law enforcement agencies across the world.

The company now joins three other firms whose products were exposed as the go-to cyber tools of oppressive regimes. They are Hacking Team (product: RCS - Remote Control Systems), Gamma Group (product: FinSpy), and NSO Group (multiple products).

According to Citizen Lab researchers, this was not the first time the Ethiopian government bought surveillance software, country officials being avid customers of HackingTeam and Gamma Group, whose products they deployed in previous years.
Contacted by Citizen Lab investigators, Cyberbit management washed its hands of all responsibility, telling researchers they are only a vendor and they do not operate any of their products.

The company also said it offers PSS "only to sovereign governmental authorities and law enforcement agencies," which "are responsible to ensure that they are legally authorised to use the products in their jurisdictions." Nonetheless, it's because of companies like Cyberbit that turn a blind eye to what their clients actually do that oppressive governments remain in power for years and decades because they're able to discover and arrest, if not worse, any critical voices.

Bleeping Computer

You Might Also Read:

African States Quick To Adopt Network Surveillance:

Israel To Assist Nigeria With Cybersecurity:

Israel: The Cyber Power:

Biter Bitten: The Hacking Team Hit by Breach:

 

« Directors Who Conceal Cyber Attacks Could Face Prison
US Defense Contractors Stole Images From UK Secret Surveillance Station »

ManageEngine
CyberSecurity Jobsite
Check Point

Directory of Suppliers

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

Resecurity

Resecurity

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

Directory of Cyber Security Suppliers

Directory of Cyber Security Suppliers

Our Supplier Directory lists 8,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

Tines

Tines

The Tines security automation platform helps security teams automate manual tasks, making them more effective and efficient.

TÜV SÜD Academy UK

TÜV SÜD Academy UK

TÜV SÜD offers expert-led cybersecurity training to help organisations safeguard their operations and data.

Snow Software

Snow Software

Snow Software is changing the way organizations think about their technology investments, empowering IT and business leaders to drive transformation with precision and agility.

L J Kushner & Associates

L J Kushner & Associates

L.J. Kushner is a leading Information Security recruiting firm.

Cyberwatch

Cyberwatch

Cyberwatch is a Vulnerability Scanner & Fixer software that helps you to detect and fix the vulnerabilities of your Information System.

Telecommunications Industry Association (TIA)

Telecommunications Industry Association (TIA)

TIA works to secure trust in networks by advocating public policy positions on the security of ICT equipment and services related to critical infrastructure, supply chain and information sharing.

FinCom.co

FinCom.co

FinCom.Co is the world’s first automatic AML/ KYC screening system, for comprehensive compliance.

Defscope

Defscope

Defscope is an Azerbaijani company entirely focused on cybersecurity offering training, security consulting, and other professional services.

US Army Cyber Command (ARCYBER)

US Army Cyber Command (ARCYBER)

US Army’s Cyber Command (ARCYBER) is engaged in the real-world cyberspace fight today, against near-peer adversaries, ISIS, and other global cyber threats.

SecureLayer7

SecureLayer7

SecureLayer7 is an international provider of integrated business information security solutions with an innovative approach to IT security.

FortifyIQ

FortifyIQ

FortifyIQ's mission is to advance maximum security against side-channel attacks across the entire computing spectrum.

Advantex Network Solutions

Advantex Network Solutions

Advantex Network Solutions are a leading provider in Mitel, IT Solutions, Networking, and iP surveillance.

OSC Edge

OSC Edge

OSC was founded with the vision of providing expert solutions in IT to government and businesses. OSC Edge empowers organizations with solutions that prepare them for today and tomorrow.

Zeron

Zeron

Zeron build bridges between security teams and top management. Our platform unifies your cyber risk posture seamlessly, encompassing threat insights and quantifiable risk scenarios.

Kontra

Kontra

Kontra application security training is an interactive and intuitive learning experience that engages developers.

Defence Labs

Defence Labs

Defence Labs is a cybersecurity company specialising in cost effective penetration testing for small-to-medium sized enterprises.

Foghorn Consulting

Foghorn Consulting

Foghorn can analyze your cloud to enhance performance and security, while reducing costs. Based on AWS’ 6 Pillars, our AWS WAFR Certified Engineers Will Identify Areas of Improvement.

ZIUR Industrial Cybersecurity Center

ZIUR Industrial Cybersecurity Center

ZIUR is a public initiative to help industrial companies reinforce their protection and that of their products or services against cyberattacks.