Since 2016, the Ethiopian government has targeted dissidents and journalists in nearly two dozen countries with spyware provided by an Israeli software company, according to a new report from Citizen Lab, a research and development group at the University of Toronto.
Once their computers are infected, victims of the attack can be monitored covertly whenever they browse the web, the report says.
Based on an in-depth analysis of the methods used to trick victims into installing the software, Citizen Lab concluded that “agencies of the Ethiopian government” deployed the spyware to target individuals critical of their policies.
More than 40 devices in 20 countries were infected, according to Citizen Lab’s research. It’s unknown how many individuals might have been targeted.
Citizen Lab’s report found that attackers used email to target dissidents, outspoken critics and perceived enemies by impersonating legitimate websites and software companies. In some cases, they sent messages about events related to Ethiopian politics, with links purporting to show related videos.
Those links led to web pages that prompted victims to update their Flash Players or download “Adobe PdfWriter,” fictitious software that, in fact, led to CutePDF Writer, a tool to create PDF files.
The attackers embedded the spyware in bona fide programs by exploiting security vulnerabilities, creating the impression that recipients were installing legitimate software and coaxing them to provide the administrator-level permissions needed to activate the surveillance. Once installed, the spyware spread to additional files tied to web browsers, making the software difficult to remove and nearly always active.
Any activity on an infected computer can be monitored, and information from web searches, emails and Skype contact lists can be extracted. A remote operator can take screenshots and record audio and video from a connected webcam.
Based on information provided by WiFi networks, attackers can also track the physical location of the infected device.
“Once the government has that information, they can do things like hijacking your email account,” said Bill Marczak, a senior research fellow at Citizen Lab and lead author of the new report.
“So, they’ll sign into your email account and then use your account to target your friends and basically expand the number of targets they have,” Marczak told VOA.
Eritrean, Ethiopian dissidents among those targeted
In October 2016, the Ethiopian government declared a nearly year-long state of emergency following months of protests that spread across the country.
Those protests — and a subsequent government crackdown that resulted in more than 800 deaths, according to a 2016 report by Amnesty International — were monitored by diaspora media groups, including the Oromia Media Network.
OMN's executive director, Jawar Mohammed, was a confirmed target of the recently uncovered spyware attack.
“The pattern seems to be that they were very interested in what these Oromo activists and journalists were saying, how they were working, and perhaps even whom they were talking to back in Ethiopia,” Marczak said.
The Citizen Lab report also found seven infections in Ethiopia’s neighbor and longtime rival, Eritrea, most of whom were targets with ties to Eritrean government agencies and businesses.
According to Human Rights Watch, this is at least the third spyware vendor since 2013 that Ethiopia has used to target dissidents, journalists and activists.
Ethiopia previously used Remote Control System spyware from HackingTeam, an Italian company, to target journalists based in the United States, Citizen Lab said. It said Ethiopia also targeted dissidents using FinSpy spyware by FinFisher, a company based in Munich, Germany.
Citizen Lab’s analysis produced an unusual level of detail about the program due to the discovery of a publicly available log file with in-depth data about both the attackers and targets. After analyzing that file, Citizen Lab concluded “that the spyware’s operators are inside Ethiopia, and that victims also include various Eritrean companies and government agencies.”
Since the Israel-based spyware manufacturer was only authorized to sell their software to intelligence and law enforcement agencies, Citizen Lab concluded that the Ethiopian government was behind the attacks.
Israeli security firm
The group behind the spyware, Cyberbit, is a subsidiary of Elbit Systems, a $3 billion company that trades on the NASDAQ. Cyberbit describes itself as “a team of cybersecurity experts, who know firsthand what it means to protect high-risk organizations and manage complex incidents.”
The spyware used in the attacks uncovered by Citizen Lab is called PC Surveillance System (PSS). Cyberbit no longer lists PSS on its website, but marketing materials from 2015 describe the software as “a comprehensive solution for monitoring and extracting information from remote PCs.”
Key features touted by Cyberbit include covert operation, the ability to bypass encryption and the ability to target devices anywhere in the world. Cyberbit marketed the product to intelligence organizations and law enforcement agencies.
Citizen Lab also determined that Cyberbit representatives contacted Zambia's Financial Intelligence Center and potential clients in Rwanda and Nigeria.
Spying with impunity
Citizen Lab and Human Rights Watch both have raised concerns about the ease with which governments can acquire sophisticated surveillance tools to target dissidents with impunity.
According to Marczak, it’s legal to produce and sell spyware to governments and law enforcement organizations, but Cyberbit would have required approval from the Israeli government to export the software to Ethiopia.
Missing in the process, Marczak said, is careful consideration of the impact on human rights.
In their report, researchers with Citizen Lab concluded that, “The fact that PSS wound up in the hands of Ethiopian government agencies, which for many years have demonstrably misused spyware to target civil society, raises urgent questions around Cyberbit’s corporate social responsibility and due diligence efforts, and the effectiveness of Israel's export controls in preventing human rights abuses.”
The use of spyware by governments to monitor people around the world also occupies a murky legal space.
In 2016, the U.S. Court of Appeals for the District of Columbia dismissed a lawsuit filed by an American citizen born in Ethiopia. The plaintiff claimed the Ethiopian government used spyware to monitor his activities for months, but the court dismissed the case because the law allegedly broken did not apply to foreign states.