• This report describes how Ethiopian dissidents in the US, UK, and other countries were targeted with emails containing sophisticated commercial spyware posing as Adobe Flash updates and PDF plugins. Targets include a US-based Ethiopian diaspora media outlet, the Oromia Media Network (OMN), a PhD student, and a lawyer. During the course of our investigation, one of the authors of this report was also targeted.
• We found a public logfile on the spyware’s command and control server and monitored this logfile over the course of more than a year. We saw the spyware’s operators connecting from Ethiopia, and infected computers connecting from IP addresses in 20 countries, including IP addresses we traced to Eritrean companies and government agencies.
• Our analysis of the spyware indicates it is a product known as PC Surveillance System (PSS), a commercial spyware product with a novel exploit-free architecture. PSS is offered by Cyberbit — an Israel-based cyber security company that is a wholly-owned subsidiary of Elbit Systems — and marketed to intelligence and law enforcement agencies.
• We conducted Internet scanning to find other servers associated with PSS and found several servers that appear to be operated by Cyberbit themselves. The public logfiles on these servers seem to have tracked Cyberbit employees as they carried infected laptops around the world, apparently providing demonstrations of PSS to the Royal Thai Army, Uzbekistan’s National Security Service, Zambia’s Financial Intelligence Centre, the Philippine President’s Malacañang Palace, ISS World Europe 2017 in Prague, and Milipol 2017 in Paris. Cyberbit also appears to have provided other demos of PSS in France, Vietnam, Kazakhstan, Rwanda, Serbia, and Nigeria.

This report describes a campaign of targeted malware attacks apparently carried out by Ethiopia from 2016 until the present. In the attacks we document, targets receive via email a link to a malicious website impersonating an online video portal. When a target clicks on the link, they are invited to download and install an Adobe Flash update (containing spyware) before viewing the video. In some cases, targets are instead prompted to install a fictitious app called “Adobe PdfWriter” in order to view a PDF file. Our analysis traces the spyware to a heretofore unobserved player in the commercial spyware space: Israel’s Cyberbit, a wholly-owned subsidiary of Elbit Systems. The spyware appears to be a product called PC Surveillance System (PSS), recently renamed PC 360.

The attacks we first identified were targeted at Oromo dissidents based outside of Ethiopia, including the Oromia Media Network (OMN). Oromia is the largest regional ethnic state of Ethiopia by population and area, comprised mostly of the Oromo people.

Figure 1: Oromia Region, Ethiopia

We later discovered that the spyware’s command and control (C&C) server has a public logfile that appears to show both operator and victim activity, allowing us to gain insight into the identity of the operators and the targets. Based on our analysis of the logfile, it appears that the spyware’s operators are inside Ethiopia, and that victims also include various Eritrean companies and government agencies.

We scanned the Internet for similar C&C servers and found what appear to be several servers used by Cyberbit. The public logfiles on those servers seem to have tracked Cyberbit employees as they carried infected laptops around the world, apparently providing demonstrations of PSS to various potential clients. The logfiles appear to place Cyberbit employees at IP addresses associated with the Royal Thai Army, Uzbekistan’s National Security Service, Zambia’s Financial Intelligence Centre, the Philippine President’s Malacañang Palace, ISS World Europe 2017 in Prague, and Milipol 2017 in Paris. Cyberbit also appears to have provided other demos to clients we could not identify in France, Vietnam, Kazakhstan, Rwanda, Serbia, and Nigeria.

Figure 2: Countries with Ethiopian Cyberbit targets.

This report is the latest in a growing body of work that shows the wide abuse of nation-state spyware by authoritarian leaders to covertly surveil and invisibly sabotage entities they deem political threats. After FinFisher, Hacking Team, and NSO Group, Cyberbit is the fourth vendor of nation-state spyware whose tools we have seen abused, and the second based in Israel.  Cyberbit’s PSS is also not the first spyware that Ethiopia has abused outside of its borders: in 2015, we discovered that Ethiopia’s Information Network Security Agency (INSA) was using Hacking Team’s RCS spyware to target US-based journalists at the Ethiopian Satellite Television Service (ESAT). Ethiopia has also previously targeted dissidents using FinFisher’s FinSpy spyware.

Citizen Lab has published a companion post outlining some of the legal and regulatory issues raised by this investigation. We also sent letters to Cyberbit and Adobe concerning the misuse of their respective products. Cyberbit responded on December 5, 2017, stating in part: “we appreciate your concern and query and we are addressing it subject to the legal and contractual confidentiality obligations Cyberbit Solutions is bound by.” Adobe responded on December 6, 2017, stating in part: “we have taken steps to swiftly address this issue, including but not limited to contacting Cyberbit and other relevant service providers.”

2.1. Oromo Protests and Diaspora Media Outlets

Largely peaceful protests erupted in the Ethiopian state of Oromia in November 2015, in response to a government decision to pursue a development project involving the razing of a forest and football field. Protesters coalesced around opposition to a larger plan, the Addis Ababa Master Plan, which they feared would displace some of the 2 million Oromo residents living around Addis Ababa. The government labeled the protesters terrorists and responded with lethal force and arbitrary arrests. Over the next year, security forces killed over 1000 people, many of them from Oromia, during anti-government protests. This culminated in a state of emergency that was called in October 2016 that lasted over 10 months.

Oromia Media Network (OMN) is a US-based media channel that describes itself as an “independent, nonpartisan and nonprofit news enterprise whose mission is to produce original and citizen-driven reporting on Oromia, the largest and most populous state in Ethiopia.”  OMN broadcasts via satellite, and also has an Internet and social media presence. According to Human Rights Watch, OMN “played a key role in disseminating information throughout Oromia during the protests.” The government has “reportedly jammed OMN 15 times since it began operations in 2014” and arrested individuals for providing information to OMN or displaying the channel in their businesses.

2.2. Cyberbit and PSS

Cyberbit is an Israel-based cyber security company and a wholly-owned subsidiary of Israeli defense and homeland security manufacturer and contractor Elbit Systems. Cyberbit was established in 2015 in order to “consolidate Elbit Systems’ activities relating to the Cyber Intelligence and Cyber Security markets.” Cyberbit merged with the NICE Cyber and Intelligence Division in 2015 after Elbit acquired that entity for approximately $158 million, with Cyberbit reportedly taking on the division’s employees. Elbit had previously acquired C4 Security in June 2011 for $10.9 million; C4 described itself as “specializ[ing] in information warfare, SCADA and military C&C systems security.“  According to one employee’s LinkedIn page, C4 also developed a product called “PSS Surveillance System,” billed as a “solution[] for intelligence and law enforcement agencies.” Cyberbit marketing materials¹ refer to what appears to be the same system: “CYBERBIT PC Surveillance System (PSS).” PSS is also referenced on Elbit’s website as a solution “for collection from personal computers.” Elbit reportedly will be reorganizing Cyberbit, effective as of 2018, to separate its defense and commercial businesses, with Cyberbit continuing to operate the “C4i division and commercial cyber business.” Elbit’s major subsidiaries are located in Israel and the United States, and Elbit is listed on the NASDAQ and the Tel Aviv Stock Exchange.

Figure 3: Screenshot of PSS Console (Source:Cyberbit Marketing Materials).

Cyberbit is the second Israel-based nation-state spyware vendor we have identified and analyzed, the other being NSO Group. The two companies operate in the same market and have even been connected with the same clients. In an extradition request for former Panamanian President Martinelli, Panama alleged that Martinelli had directed the purchase of two spyware products: PSS and NSO Group’s Pegasus. Additionally, a leaked Hacking Team email about NSO claims that: “NSO only has mobile agents … Apparently the pc part is handled by another company, PSS.”

Cyberbit describes PSS as “a comprehensive solution for monitoring and extracting information from remote PCs.” As is standard in the marketing materials for spyware companies, Cyberbit represents that their design “eliminat[es] the possibility that the operation will be traced back to the origin.”

Figure 4: Data exfiltrated by PSS (Source:Cyberbit Marketing Materials).

Cyberbit says that PSS “helps LEAs and intelligence organizations to reduce crime, prevent terrorism and maintain public safety by gaining access, monitoring, extracting and analyzing information from remote PCs.”  Information that PSS can monitor and extract includes “VoIP calls, files, emails, audio recordings, keylogs and virtually any information available on the target device.”

Jawar Mohammed is the Executive Director of the Oromia Media Network (OMN). He is also a prolific activist, with more than 1.2 million followers on Facebook. October 2, 2016 was the annual Irreecha cultural festival, the most important Oromo cultural festival. Millions of people each year gather at the festival site in Bishoftu, near Addis Ababa. In 2016, “scores of people” died at the festival “following a stampede triggered by security forces’ use of teargas and discharge of firearms in response to an increasingly restive crowd.” Jawar was active at the time on social media in stoking the passions of Oromo on the ground, circulating both verified and unverified information. On October 4, 2016, while in Minneapolis, USA, Jawar received the email in Figure 5.  He forwarded the email to Citizen Lab for analysis.

Figure 6: Message displayed when a target clicks on a link to eastafro[.]net.

If the user downloads and installs the malicious Flash update, their computer is infected. It is clear that this is a targeted attack: if a user simply types in eastafro[.]net into their browser’s address bar, they are redirected to the legitimate site, eastafro.com. If a user does the same with getadobeplayer[.]com, they are served a “403 Forbidden” message. Both sites have robots.txt files instructing search engines not to crawl them. Access to the spyware is granted only if the user clicks on a link sent by the operator.

In all, Jawar received eleven emails between 5/30/2016 and 10/13/2016, and one more than a year later on 11/22/2017. Each email contained links to what were purportedly videos on eastafro[.]net, or Adobe Flash Player updates on getadobeplayer[.]com. The 11/22/2017 email contained a link to eastafro[.]net that asked the target to install “Adobe’s PdfWriter,” a fictitious product. The download contained the same spyware as the malicious Adobe Flash Player updates, but was packaged with CutePDF Writer, “a proprietary Portable Document Format converter and editor for Microsoft Windows developed by Acro Software,” with no connection to Adobe.

Figure 7: “Adobe PdfWriter” Installation Prompt.

In many cases, the operators appear to have registered their own accounts to send the infection attempts. However, the email address sbo.radio88[@]gmail.com used by operators to target Jawar is associated with the radio station of the Oromo Liberation Front (OLF). The account may have been compromised.

READ MORE HERE ON CITIZENLAB.CA