A report published on Tuesday by the Canada-based Citizen Lab "describes a campaign of targeted malware attacks apparently carried out by Ethiopia from 2016 until the present. In the attacks we document, targets receive via email a link to a malicious website impersonating an online video portal. When a target clicks on the link, they are invited to download and install an Adobe Flash update (containing spyware) before viewing the video.
"In some cases, targets are instead prompted to install a fictitious app called 'Adobe PdfWriter' in order to view a PDF file. Our analysis traces the spyware to a heretofore unobserved player in the commercial spyware space: Israel’s Cyberbit, a wholly-owned subsidiary of Elbit Systems. The spyware appears to be a product called PC Surveillance System (PSS), recently renamed PC 360.
"The attacks we first identified were targeted at Oromo dissidents based outside of Ethiopia, including the Oromia Media Network (OMN). Oromia is the largest regional ethnic state of Ethiopia by population and area, comprised mostly of the Oromo people.
"We later discovered that the spyware’s command and control (C&C) server has a public logfile that appears to show both operator and victim activity, allowing us to gain insight into the identity of the operators and the targets. Based on our analysis of the logfile, it appears that the spyware’s operators are inside Ethiopia, and that victims also include various Eritrean companies and government agencies.
"We scanned the Internet for similar C&C servers and found what appear to be several servers used by Cyberbit. The public logfiles on those servers seem to have tracked Cyberbit employees as they carried infected laptops around the world, apparently providing demonstrations of PSS to various potential clients.
"The logfiles appear to place Cyberbit employees at IP addresses associated with the Royal Thai Army, Uzbekistan’s National Security Service, Zambia’s Financial Intelligence Centre, the Philippine President’s Malacañang Palace, ISS World Europe 2017 in Prague, and Milipol 2017 in Paris. Cyberbit also appears to have provided other demos to clients we could not identify in France, Vietnam, Kazakhstan, Rwanda, Serbia, and Nigeria."
"Cyberbit Solutions Ltd. is an Israeli company that provides intelligence and lawful interception solutions worldwide. Cyberbit Solutions operates under strict regulations of the Israeli competent authorities and under a strict export control regime. Cyberbit Solutions offers its products only to sovereign governmental authorities and law enforcement agencies. Such governmental authorities and law enforcement agencies are responsible to ensure that they are legally authorized to use the products in their jurisdictions.
"Cyberbit Solutions products greatly contribute to national security and law enforcement where its products are used. Cyberbit Solutions is a vendor and it does not operate any of its products. Cyberbit Solutions customers are the sole operators of the products at their sole responsibility and they are obliged to do so according to all applicable laws and regulations. The activity of such law enforcement and intelligence agencies is a matter of national security in any country and as a foreign vendor Cyberbit is not exposed to their operational activity.
"Cyberbit Solutions is not at liberty to disclose the details of a specific client or a specific transaction, thus we cannot confirm or deny any specific transaction with the Ethiopian Government or any other government or authority.
"Cyberbit Solutions can confirm that any transaction made by it was approved by the competent authorities. In particular, Cyberbit Solutions lawful interception and intelligence products are subject to export control due to their nature and they were sold only after obtaining all relevant authorizations. Cyberbit Solutions sells its products only to end users that are approved by the relevant governmental authorities and each product is sold to a designated pre-approved governmental end user."