A surveillance system sold by a unit of Israel’s Elbit Systems Ltd. was used by the Ethiopian government to carry out digital espionage against journalists, activists and other entities, a Toronto-based human rights watchdog called The Citizen Lab wrote in a report.
The report, released Tuesday, describes how Ethiopian dissidents in the US, UK, and other countries received emails containing sophisticated commercial spyware posing as Adobe Flash updates and PDF plugins. A US-based Ethiopian diaspora media outlet, the Oromia Media Network (OMN), was targeted, as were a PhD student and a lawyer, the report said, which noted that during the course of the investigation one of the authors of The Citizen Lab report was also targeted.
The attacks were “apparently” carried out by Ethiopia, the report said.
The Citizen Lab is an interdisciplinary laboratory based at the Munk School of Global Affairs at the University of Toronto that focuses on research, development, and strategic policy regarding the impact of information and communication technologies on human rights.
The spyware in question is a commercial product known as PC Surveillance System sold by cybersecurity firm Cyberbit and marketed to intelligence and law enforcement agencies, the report said.
Elbit acquired Cyberbit from Nice Systems Ltd. in 2015 and the firm has offices in the US, Europe and Singapore.
Cyberbit develops and sells cybersecurity and cyber-intelligence products to and for governments, the military, businesses, academia, and critical infrastructures, among others. The products incorporate a mix of machine learning, big data, graph-based malware analysis, and other technological features that help detect, analyze, and respond to advanced cybersecurity threats.
The Citizen Lab monitored the spyware over the course of more than a year, from 2016 to the present, and found its operators connecting from Ethiopia to infected computers in over 20 countries, the report said.
According to the report, the attacks initially targeted Oromo dissidents of the regime based outside Ethiopia, including the Oromia Media Network. Oromia is the largest regional ethnic state of Ethiopia by population and area, home mostly to the Oromo people.
Targets received emails with links to a malicious website impersonating an online video portal, the report said. When the targets clicked on the link, they were invited to install and download an Adobe Flash update before they could watch a video. The spyware was hidden in that purported update. In other cases, the targets were asked to install a fictitious app called the Adobe PdfWriter to enable them to read a file.
One target, Jawar Mohammed, the executive director of the Oromia Media Network and an activist with more than 1.2 million followers on Facebook, received an email on October 4, 2016, with a link to a video and to the latest version of the Adobe Flash Player. Jawar forwarded the email to Citizen Lab for analysis. In all, Jawar received 11 such emails between May and October 2016, and one more than a year later in November 2017. Downloading and installing the malicious Flash update would result in an infected computer.
Cyberbit’s practices questioned
Cyberbit is the second Israel-based nation-state spyware vendor the Toronto-based group has identified and analyzed, the other being NSO Group. The two companies operate in the same market and have even been connected with the same clients, the report said.
“Our research, which documents new attacks against civil society by government actors based in and operating from Ethiopia, highlights the need for clear legal pathways for extraterritorially-targeted individuals to seek recourse,” Sarah McKune, a senior researcher at The Citizen Lab, wrote on Wednesday. “At this juncture, the Ethiopian government’s penchant for commercial spyware is notorious, as is its pattern of digital espionage against journalists, activists, and other entities — many of which are based overseas — that seek to promote government accountability and are therefore viewed as political threats. Yet the Ethiopian government and others like it have faced little pressure to cease this particular strain of digital targeting.”
“It is clear that Ethiopia has for years been known to misuse spyware against civil society actors in violation of their human rights,” she wrote. “The fact that a sale must have taken place in spite of this reality raises a number of concerns regarding Cyberbit’s due diligence practices and any assessment of human rights impact undertaken during the export licensing process.”
The indications that Cyberbit may be “misappropriating the names and trademarks of legitimate individuals and/or companies – to masquerade as trusted software” may provide grounds for legal action, she added.
The new report shows that if left unchecked, spyware companies “will resort to deceptive, unethical, and legally questionable practices,” and, as more governments develop an appetite for these products and services, more troubling cases will likely be uncovered, said McKune.
“Mitigating these issues will require a comprehensive review of legal, regulatory, and corporate social responsibility measures by governments and the international community,” she wrote.
Cyberbit dismissed the allegations of wrongdoing on its part, saying in a statement that it is “is a defense company that sells intelligence and cybersecurity products which are regulated by the Israeli Ministry of Defense, subject to the Israeli Defense Export Control Law and in accordance with international treaties.”
“Every marketing process and every transaction are made only after the receipt of all the appropriate approvals from the Israeli Defense Export Control Agency operating within the Israeli Ministry of Defense. The company’s intelligence and cybersecurity products are intended for the use of law enforcement agencies and intelligence and state national security intelligence and defense agencies, and each sale is made only to an end user approved by the Israeli Ministry of Defense.”
“The intelligence and defense agencies that purchase these products are obligated to use them in accordance with the law and in accordance with the jurisdiction granted to them by law. Cyberbit Solutions does not operate the products and, in similarity to other security manufacturers in Israel and abroad, Cyberbit Solutions is not exposed to the manner in which its products are operated by intelligence and defense agencies, which operate covertly by nature.”
“Cyberbit Solutions is fully committed to confidentiality towards its customers and is not permitted to relate to any specific transaction or specific customer. The company’s products contribute greatly to national security in the countries where they are sold and the law enforcement and defense authorities in these countries are committed to operating them in accordance with the law.”