Ethiopian Cyber Spies Left Clues Behind

The Ethiopian government used spyware acquired from an Israeli company to spy on dissidents living in the country and abroad, but government operatives have failed when configuring their command and control (C&C) server, exposing a list of all their targets.

This secret surveillance operation appears to have started last year, and consisted of spear-phishing emails that contained links to various sites

On these websites, users were lured to download a fake Adobe Flash Player update or an app named Adobe PdfWriter to view videos or PDF files. The two files were laced with malware.

Ethiopian operatives made crucial mistakes 
The spear-phishing campaign wasn't very well executed, and some targets became suspicious. Some forwarded the fishy emails to Citizen Lab, an organization that has a long history of tracking and exposing politically motivated surveillance campaigns.

Instead of backing down and dismantling their infrastructure, Ethiopian government operatives decided to spear-phish a Citizen Lab researcher involved in the investigation, a big error on their part. The Citizen Lab team became more interested in the attacks and eventually discovered that the malware packed with the fake Flash Player and PdfWriter apps was communicating with an online C&C server that was exposing its web folders.

Inside these web folders, researchers found everything they needed to understand what attackers were after, including logs of the attackers' IP addresses, and a detailed list of targets the Ethiopian government operatives were trying to infect and keep under surveillance.

Attackers went after local and foreign targets
The Ethiopian government not only infected local Ethiopians but also a large number of persons living in the Ethiopian diasporas in other countries. The list of targets, which Citizen Lab researchers promptly notified, included journalists, activists, and dissidents involved in recent protests that took place in Ethiopia's Oromia region, but also government officials from neighboring country Eritrea.

Malware is "lawful surveillance tech" sold by Israeli firm
According to the Citizen Lab team, the malware used in these attacks is a Windows program named PC Surveillance System (PSS), sold by Cyberbit, an Israel-based cyber-security company that is a subsidiary of Elbit Systems. Cyberbit knowingly markets and sells PSS as lawful surveillance software to intelligence and law enforcement agencies across the world.

The company now joins three other firms whose products were exposed as the go-to cyber tools of oppressive regimes. They are Hacking Team (product: RCS - Remote Control Systems), Gamma Group (product: FinSpy), and NSO Group (multiple products).

According to Citizen Lab researchers, this was not the first time the Ethiopian government bought surveillance software, country officials being avid customers of HackingTeam and Gamma Group, whose products they deployed in previous years.
Contacted by Citizen Lab investigators, Cyberbit management washed its hands of all responsibility, telling researchers they are only a vendor and they do not operate any of their products.

The company also said it offers PSS "only to sovereign governmental authorities and law enforcement agencies," which "are responsible to ensure that they are legally authorised to use the products in their jurisdictions." Nonetheless, it's because of companies like Cyberbit that turn a blind eye to what their clients actually do that oppressive governments remain in power for years and decades because they're able to discover and arrest, if not worse, any critical voices.

Bleeping Computer

You Might Also Read:

African States Quick To Adopt Network Surveillance:

Israel To Assist Nigeria With Cybersecurity:

Israel: The Cyber Power:

Biter Bitten: The Hacking Team Hit by Breach:

 

« Directors Who Conceal Cyber Attacks Could Face Prison
US Defense Contractors Stole Images From UK Secret Surveillance Station »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

ON-DEMAND WEBINAR: How to improve your security posture with a web application firewall (WAF)

ON-DEMAND WEBINAR: How to improve your security posture with a web application firewall (WAF)

Watch this webinar to discover how a WAF goes beyond a standard firewall and helps you meet security industry compliance.

Cyber Security Supplier Directory

Cyber Security Supplier Directory

Our Supplier Directory lists 6,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

Plan B

Plan B

Plan B is a specialist IT continuity and Disaster Recovery Service provider.

GlobalSign

GlobalSign

GlobalSign is an identity services company providing cloud-based, PKI solutions for enterprises needing to conduct safe commerce, communications, content delivery and community interactions.

ISO Quality Services Ltd

ISO Quality Services Ltd

ISO Quality Services is an independent organisation that specialises in the implementation, certification and continued auditing of ISO and BS EN Management Standards including ISO 27001..

Ethio-CERT

Ethio-CERT

National Cyber Emergency Readiness and Response Team of Ethiopia.

Exabeam

Exabeam

Exabeam provides security intelligence and management solutions to help organizations of any size protect their most valuable information.

Asseco Group

Asseco Group

Asseco Poland stands at the forefront of the multinational Asseco Group. We are a leading provider of state-of-the-art IT solutions in Central and Eastern Europe.

Tata Consultancy Services

Tata Consultancy Services

Tata Consultancy Services is a global leader in IT services, consulting & business solutions including cyber security.

CipherTrace

CipherTrace

CipherTrace develops cryptocurrency Anti-Money Laundering, cryptocurrency forensics, and blockchain threat intelligence solutions.

Search Guard

Search Guard

Search Guard® is an Open Source security suite for #Elasticsearch and the entire #ELK stack that offers encryption, authentication, authorization, audit logging and multi tenancy.

NTIC Cyber Center

NTIC Cyber Center

NTIC Cyber Center is an organization dedicated to making the National Capital Region (Washington DC) more resilient to cyber-attacks.

African Cyber Security

African Cyber Security

African Cyber Security and it's partners, have the expertise and skills to provide holistic solutions for companies, institutions and government.

CyberCube

CyberCube

CyberCube provide world-leading cyber risk analytics for the cyber insurance market.

Brighterion

Brighterion

Brighterion solutions stop payment and acquirer fraud, reduce credit risk and delinquency, fight financial crime, prevent healthcare fraud, waste and abuse, and more.

Enet 1 Group1

Enet 1 Group1

Enet 1 Group audits, assesses, recommends, and delivers tested solutions for the ever-increasing threats to your critical systems and digital assets

Gigit

Gigit

Gigit’s Service portfolio focuses on your business’ needs and the integration of comprehensive cybersecurity policies, plans, procedures, and practices into your business culture and operations.

Altospam

Altospam

Altospam is a full service corporate email protection, integrating multiple security levels for your emails.