Ethiopian Cyber Spies Left Clues Behind

Uploaded on 2017-12-22 in NEWS-Cybersecurity News, INTELLIGENCE--International, FREE TO VIEW

The Ethiopian government used spyware acquired from an Israeli company to spy on dissidents living in the country and abroad, but government operatives have failed when configuring their command and control (C&C) server, exposing a list of all their targets.

This secret surveillance operation appears to have started last year, and consisted of spear-phishing emails that contained links to various sites

On these websites, users were lured to download a fake Adobe Flash Player update or an app named Adobe PdfWriter to view videos or PDF files. The two files were laced with malware.

Ethiopian operatives made crucial mistakes 
The spear-phishing campaign wasn't very well executed, and some targets became suspicious. Some forwarded the fishy emails to Citizen Lab, an organization that has a long history of tracking and exposing politically motivated surveillance campaigns.

Instead of backing down and dismantling their infrastructure, Ethiopian government operatives decided to spear-phish a Citizen Lab researcher involved in the investigation, a big error on their part. The Citizen Lab team became more interested in the attacks and eventually discovered that the malware packed with the fake Flash Player and PdfWriter apps was communicating with an online C&C server that was exposing its web folders.

Inside these web folders, researchers found everything they needed to understand what attackers were after, including logs of the attackers' IP addresses, and a detailed list of targets the Ethiopian government operatives were trying to infect and keep under surveillance.

Attackers went after local and foreign targets
The Ethiopian government not only infected local Ethiopians but also a large number of persons living in the Ethiopian diasporas in other countries. The list of targets, which Citizen Lab researchers promptly notified, included journalists, activists, and dissidents involved in recent protests that took place in Ethiopia's Oromia region, but also government officials from neighboring country Eritrea.

Malware is "lawful surveillance tech" sold by Israeli firm
According to the Citizen Lab team, the malware used in these attacks is a Windows program named PC Surveillance System (PSS), sold by Cyberbit, an Israel-based cyber-security company that is a subsidiary of Elbit Systems. Cyberbit knowingly markets and sells PSS as lawful surveillance software to intelligence and law enforcement agencies across the world.

The company now joins three other firms whose products were exposed as the go-to cyber tools of oppressive regimes. They are Hacking Team (product: RCS - Remote Control Systems), Gamma Group (product: FinSpy), and NSO Group (multiple products).

According to Citizen Lab researchers, this was not the first time the Ethiopian government bought surveillance software, country officials being avid customers of HackingTeam and Gamma Group, whose products they deployed in previous years.
Contacted by Citizen Lab investigators, Cyberbit management washed its hands of all responsibility, telling researchers they are only a vendor and they do not operate any of their products.

The company also said it offers PSS "only to sovereign governmental authorities and law enforcement agencies," which "are responsible to ensure that they are legally authorised to use the products in their jurisdictions." Nonetheless, it's because of companies like Cyberbit that turn a blind eye to what their clients actually do that oppressive governments remain in power for years and decades because they're able to discover and arrest, if not worse, any critical voices.

Bleeping Computer

You Might Also Read:

African States Quick To Adopt Network Surveillance:

Israel To Assist Nigeria With Cybersecurity:

Israel: The Cyber Power:

Biter Bitten: The Hacking Team Hit by Breach:

 

« Directors Who Conceal Cyber Attacks Could Face Prison
US Defense Contractors Stole Images From UK Secret Surveillance Station »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Resecurity, Inc.

Resecurity, Inc.

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

Cyber Security Supplier Directory

Cyber Security Supplier Directory

Our Supplier Directory lists 6,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

Satisnet

Satisnet

Satisnet is a leading Security Reseller, Managed Security Services Provider (MSSP) and Cyber Training Innovator, with operations throughout the UK, EMEA and United States.

itWatch

itWatch

itWatch is focused on data loss prevention (DLP), endpoint security, mobile security, encryption, and cost reducing solutions for IT operations.

S2 Grupo

S2 Grupo

S2 Grupo is the benchmark company in Europe and Latin America, for Cyber Intelligence and mission critical systems operations.

Secmentis

Secmentis

Secmentis is a cyber security consultancy specializing in penetration testing, threat intelligence, and proactive defense for your IT infrastructure.

CyberPrism

CyberPrism

CyberPrism provides SaaS solutions using proprietary technology, underpinned by industry-leading technical practitioners to protect OT within Government, Maritime and Industrial markets.

IPN (ICT Research Platform Nederlands)

IPN (ICT Research Platform Nederlands)

IPN promotes academic research and education in the ICT field by building and maintaining a national community, and by developing policy to advance the field. Areas of focus include Cyber Security.

infySEC

infySEC

InfySEC is an information security services organization offering Security Technology services, Security Consulting, Security Training, Research & Development.

Kapalya

Kapalya

Kapalya empowers businesses and their employees to securely store sensitive files at-rest and in-transit across multiple platforms through a user-friendly desktop and mobile application.

TechStak

TechStak

TechStak is the easiest way for businesses to find and connect with IT Pros and other technology solution providers in their area.

Sygnia

Sygnia

Sygnia is a cyber technology and services company, providing high-end consulting and incident response support for organizations worldwide.

TRU Staffing Partners

TRU Staffing Partners

TRU Staffing Partners is an award-winning contract staffing and executive search firm for cybersecurity, eDiscovery and privacy companies and professionals.

Netlinkz

Netlinkz

Netlinkz has developed the Virtual Secure Network (VSN) overlay technology platform, a breakthrough in connectivity security, speed, and simplicity.

Apptega

Apptega

Apptega is an award-Winning Cybersecurity and Compliance Platform. Our mission is to make cybersecurity and compliance easy for everyone.

Cigent Technology

Cigent Technology

Cigent keeps the most valuable asset in your organization safe—your data. Our advanced endpoint and managed network security solutions prevent ransomware and data theft.

ACI Learning

ACI Learning

ACI Learning - Training tomorrow’s industry leaders with formats for all types of learners in Audit, Cybersecurity, and IT.

Stack Identity

Stack Identity

Stack Identity protects access to cloud data by prioritizing identity and access vulnerabilities via a live data attack map.