Skip to content
Policy

Exposed: Ethiopia’s nefarious, comically bungled spyware campaign

Publicly traded company helps country spy on critics, no questions asked.

Dan Goodin | 49
Credit: Citizen Lab
Story text

Researchers have uncovered a nefarious but comically incompetent spyware campaign that’s targeting Ethiopian dissidents in the US, UK, and other countries.

A report published Wednesday morning by the University of Toronto’s Citizen Lab said the campaign, which has operated for at least 14 months, is carried out using hacking tools sold by Cyberbit, a wholly owned subsidiary of Elbit Systems, an Israeli company whose shares are sold on the Nasdaq stock exchange. Log files left unprotected on the Internet showed people inside Ethiopia using the spyware in an attempt to surreptitiously surveil journalists, researchers, and activists in 20 countries.

The report is the latest to expose the shady world of commercial spyware, which often sells potent hacking tools to countries with known human rights abuses. Previous companies caught selling surveillance wares to rogue nations include UK-based Gamma Group, Italy-based Hacking Team, and NSO Group of Israel. Use of Elbit-owned Cyberbit tools to spy on Ethiopian dissidents all but confirms the Israeli company does the same thing.

In Wednesday’s report, Citizen Lab researchers wrote:

As a provider of powerful surveillance technology, Cyberbit has the responsibility under both Israel’s export control regime as well as the UN Guiding Principles on Business and Human Rights to concern itself with the potential for human rights abuses facilitated through use of its product. The fact that PSS wound up in the hands of Ethiopian government agencies, which for many years have demonstrably misused spyware to target civil society, raises urgent questions around Cyberbit’s corporate social responsibility and due diligence efforts, and the effectiveness of Israel’s export controls in preventing human rights abuses.

Confidential video made public

In October 2016, Ethiopian activist Jawar Mohammed received an email asking for comment on a video posted to a page that impersonated a legitimate video website in Eritrea, a country that borders Ethiopia. Code hosted on the page checked to see if Windows computers used an outdated version of Adobe’s Flash Player. If it did, the page redirected the browser to a page on getadobeplayer[.]com, which offered a genuine Flash update that was bundled with spyware called PC Surveillance System from Cyberbit. Mohammed forwarded the email to Citizen Lab, which has monitored the campaign for more than a year. Other targets included a US-based media outlet that serves Oromo people, a PhD student and a lawyer who have both worked on Oromo issues, and Citizen Lab Research Fellow Bill Marczak.

An email sent to Jawar on October 4, 2016.
Credit: Citizen Lab
An email sent to Jawar on October 4, 2016. Credit: Citizen Lab

As Citizen Lab began to investigate the campaign, researchers soon discovered that servers used to communicate with machines infected with PC Surveillance System hosted publicly readable log files that detailed the activity of both operators and targets. The logs showed that the people operating the malware used IP addresses local to Ethiopia and that targets included various Eritrean companies and government agencies. The publicly accessible files also tracked Cyberbit employees as they traveled throughout the world with infected demonstration PCs. IP addresses showed the demo PCs connecting from countries with authoritarian records, including Nigeria, Rwanda, Uzbekistan, Zambia, and the Philippines.

This is not the first time the Ethiopian government has been accused of using spyware to surveil critics. In 2015, Citizen Lab detailed the country’s use of Hacking Team spyware to target US-based journalists. Two years earlier, Citizen Lab reported Ethiopia was among the countries using Gamma Group’s FinSpy spyware.

Not our job

In a December 5 letter responding to Citizen Lab questions, an unnamed Cyberbit official defended the company, in part by saying it operates within the “strict regulations” of Israeli law.

“Cyberbit Solutions offers its products only to sovereign governmental authorities and law enforcement agencies,” the letter, headed “Re: Your Letter Dated November 29, 2017,” stated. “Such governmental authorities and law enforcement agencies are responsible to ensure that they are legally authorized to use the products in their jurisdictions. Cyberbit Solutions products greatly contribute to national security and law enforcement where its products are used.”

A Wednesday op-ed in Wired, written by Citizen Lab Director Ron Deibert and headlined “Evidence that Ethiopia is spying on journalists shows commercial spyware is out of control,” called for “legal and policy efforts across multiple jurisdictions to combat the runaway problem. Regulation is almost always an imperfect remedy, but given the no-questions-asked approach of Cyberbit and many of its competitors, it’s arguably better than what we have now.”

Listing image: Citizen Lab

Photo of Dan Goodin
Dan Goodin Senior Security Editor
Dan Goodin is Senior Security Editor at Ars Technica, where he oversees coverage of malware, computer espionage, botnets, hardware hacking, encryption, and passwords. In his spare time, he enjoys gardening, cooking, and following the independent music scene. Dan is based in San Francisco. Follow him at here on Mastodon and here on Bluesky. Contact him on Signal at DanArs.82.
49 Comments
Prev story
Next story