The Ethiopian Government spied on political opponents with commercial malware purchased from an Israeli company

The Ethiopian Government was using the spy software PC Surveillance System (PSS), which it acquired from the Israeli "cyber security" company Cyberbit, a supplier to intelligence authorities. According to researchers from the Citizen Lab, who have disclosed the findings of an investigation running since 2016, the secret operation to spy on citizens of Ethiopia began in 2016 and consisted mainly of sending messages containing links to websites that hosted infected programs pretending to be products from Adobe, Avast, Avira, CCleaner and others. The experts were able to determine the IP address of an incorrectly configured C&C server, which contained information about all infected devices that the server's operators could access remotely.

The origins of evil

Protests against the Government of Ethiopia started in November 2015, in response to the decision to implement a "development" project that included the destruction of part of the local environment and of football pitches in the Oromia region of Ethiopia.

According to the plans, the project involved the displacement of about 2 million inhabitants. After a few months of "negotiations", the protesters were branded as terrorists: more than 1000 protesters were killed, and many were arrested.

Initially, one of the most inconvenient political opponents was Jawar Mohammed, activist and Executive Director of the information portal Oromia Media Network (OMN), funded by the Americans. According to human rights organisations, OMN played an important informational role during the unrest. OMN staff, journalists and individuals contributing content to the website have been repeatedly arrested since 2014. The Government's pressure was also felt by other people, associated among others with public institutions of the European Union, universities and law firms. All of these people have a common denominator: they disagreed with the ruling political party.

Cyberbit and the PC Surveillance System (PSS) spyware

Cyberbit is a cyber security company established in 2015 by another Israeli company in the same industry.

Screenshot of PSS Control Panel (PC Surveillance System).

As explained by Citizen Lab, Cyberbit is the second largest provider of spyware, right after NSO Group Technologies, a private cyber-army. Both companies operate in the same market and are even linked to the same clients.

PC Surveillance System was created for law enforcement and intelligence organizations in order to "prevent terrorism and uphold public security" by accessing, monitoring, recording and analysing information from computers. Among other things, PSS can monitor and record VoIP calls, steal files and e-mail messages, and record keystrokes.

Infection vectors

It began inconspicuously. Traditional social engineering was used to entice the victim to download a program from a link, under the guise of launching or updating the Flash plugin.

E-mail messages of this kind were sent to the victims, including Jawar Mohammed:

From: sbo radio <sbo.radio88[@]gmail.com>

Date: Wed, 4 Oct 2016 16:50:13 +0300

Subject: Fw: Confidential video made public

What do you think of this video? In case you don't have the right version of adobe flash and can't watch the video, you can get the latest version of Adobe flash from Here

http://getadobeplayer[.]com/flashplayer/download/index7371.html.

---------- Forwarded message ----------

From: sbo radio <sbo.radio88[@]gmail.com>

Date: Thu, Oct 10, 2014 at 4:23 PM

Subject: Video hints Eritrea and Ethiopia war is highly likely it continue

Dear Excellencies, Video: Eritrea and Ethiopia war likely to continue

http://www.eastafro[.]net/eritrea-ethiopia-border-clash-video.html

regards,

Sbo Radio

Mit freundlichen Grüßen

The infected programs include fake installers of antivirus software from Avast and Avira, as well as of CCleaner and Adobe programs.
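A defender can triage links like the ones in the message above by checking whether a hostname borrows a vendor's name without belonging to that vendor. The following is an added example, not code from the Citizen Lab report or from this article; the allowlist of official domains and all function names are assumptions made for the illustration.

```python
import re
from urllib.parse import urlsplit

# Brands the article says were impersonated, mapped to the vendors' own
# domains (assumption: these four domains form the allowlist).
OFFICIAL = {
    "adobe": "adobe.com",
    "avast": "avast.com",
    "avira": "avira.com",
    "ccleaner": "ccleaner.com",
}

# Matches http(s) URLs, tolerating defanged dots such as "[.]" or " [.] ".
URL_RE = re.compile(r"https?://[^\s<>]+(?:\s*\[\.\]\s*[^\s<>]+)*", re.I)


def refang(url: str) -> str:
    """Turn 'example [.] com' back into 'example.com', for parsing only."""
    return re.sub(r"\s*\[\.\]\s*", ".", url)


def extract_hosts(text: str) -> list[str]:
    """Return the lower-cased hostname of every URL found in text."""
    hosts = []
    for match in URL_RE.finditer(text):
        host = urlsplit(refang(match.group(0))).hostname
        if host:
            hosts.append(host.lower().rstrip("."))
    return hosts


def impersonated_brands(host: str) -> list[str]:
    """Brands named in host when host is not the vendor's own (sub)domain."""
    hits = []
    for brand, official in OFFICIAL.items():
        owned = host == official or host.endswith("." + official)
        if brand in host and not owned:
            hits.append(brand)
    return hits


def triage(text: str) -> dict[str, list[str]]:
    """Map each suspicious host in a message body to the brands it borrows."""
    return {h: b for h in extract_hosts(text) if (b := impersonated_brands(h))}


# Constructed sample: the two links from the message quoted above, written in
# both defanged spellings, plus one vendor link added to show the allowlist.
SAMPLE = """you can get the latest version of Adobe flash from Here
http://getadobeplayer [.] com/flashplayer/download/index7371.html.
http://www.eastafro[.]net/eritrea-ethiopia-border-clash-video.html
https://get.adobe.com/flashplayer/"""
```

Substring matching of this kind is a triage signal only: it misses misspelled or homoglyph lookalikes and can flag unrelated hosts that happen to contain a brand string.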

One of the many malicious websites.

Researchers from the Citizen Lab managed to find a file containing the location of the infected devices: each device has a unique ID, as well as detailed information about the system. Based on these data, they were able to create a map of the victims.

From the samples analysed, it was possible to observe exactly how the spy software operates. PSS can:

  • record audio and video, also at specific times set according to a schedule,
  • steal browser history and stored passwords,
  • create new files, delete existing ones, etc.,
  • edit registry values,
  • identify the victim based on the wireless network,
  • access Skype contacts and call logs,
  • identify connected network devices,
  • identify running processes,
  • take screenshots,
  • record keystrokes,
  • access data from the system clipboard (that is, whatever has been copied),
  • read the file history.

PSS marketing diagram.

Infections with the PC Surveillance System (PSS) spyware have also been observed in other countries with systems of government other than democracy: Nigeria, the Philippines, Rwanda, Uzbekistan and Zambia. Evidence also indicates that the Ethiopian Government abused other spy software, including RCS (Remote Control System), developed by Hacking Team, and FinSpy, malware that was commissioned by the German Government and created by a German company to fight "cybercrime". These tools were used against journalists, activists and others who were inconvenient to the Government of Ethiopia.

The Citizen Lab report reveals something else as well. Cyberbit, the company providing the PSS spy software, directly participated in deliberate human rights violations. In addition, it used the image of third-party applications and antivirus software, of course in order to "provide better quality services". Its own services. For an Israeli company from the security sector to hide behind legitimate third-party programs is a very shameful and blatant move. As you can see, the Israelis were not picky about their methods and used the same tricks as cyber criminals.


