The hackers inadvertently exposed the spyware campaign’s log file, which revealed the entire target list.
A secret campaign by Ethiopian state-sponsored hackers to spy on dissidents and journalists of the Ethiopian government was inadvertently exposed by the cyberespionage group itself. The hackers used commercial spyware, PC Surveillance System (PSS), made by Israeli firm Cyberbit, as part of their campaign. However, they left the campaign’s log files publicly exposed, which revealed their list of targets.
The hackers were found targeting dissidents, journalists and academics, among others, living in around 20 countries, including the US, the UK, Canada, Germany, Australia, India and others. According to security experts at Citizen Lab, who uncovered the spyware campaign, the hackers had been spying on targets for around 14 months.
The hackers tricked victims into downloading a malware-laced Adobe Flash Player, which was distributed to targets via phishing emails. However, some of the victims became suspicious of the phishing emails, indicating that the hackers were unable to design emails sophisticated enough to successfully dupe their targets. The hackers even attempted to spy on a Citizen Lab researcher who was involved in investigating the campaign.
Citizen Lab researchers found the campaign’s publicly exposed C&C (command and control) servers, which further revealed that the spyware targeted not just the hackers’ intended victims but also Cyberbit employees as they travelled across the world demonstrating the spyware to potential clients.
“The public logfiles on these servers seem to have tracked Cyberbit employees as they carried infected laptops around the world, apparently providing demonstrations of PSS to the Royal Thai Army, Uzbekistan’s National Security Service, Zambia’s Financial Intelligence Centre, the Philippine President’s Malacañang Palace, ISS World Europe 2017 in Prague, and Milipol 2017 in Paris. Cyberbit also appears to have provided other demos of PSS in France, Vietnam, Kazakhstan, Rwanda, Serbia, and Nigeria,” Citizen Lab researchers said in a blog.
Cyberbit is not the only spyware manufacturer to knowingly sell its products to authoritarian regimes. Companies such as Hacking Team, Gamma Group and NSO Group have also previously provided ready-to-use surveillance and hacking tools to oppressive governments.
“The fact that PSS wound up in the hands of Ethiopian government agencies, which for many years have demonstrably misused spyware to target civil society, raises urgent questions around Cyberbit’s corporate social responsibility and due diligence efforts, and the effectiveness of Israel’s export controls in preventing human rights abuses. The apparent locations of PSS demonstrations reinforce those concerns,” Citizen Lab researchers said.