Champing at the cyberbit: TPLF has been targeting Ethiopian dissidents at home & abroad with new commercial spyware thru 2017 — without much success given the persistent demands to get rid of it!

6 Dec

Posted by The Ethiopia Observatory (TEO)
By Bill Marczak, Geoffrey Alexander, Sarah McKune, John Scott-Railton, and Ron Deibert, December 5, 2017
Key Findings

    *   This report describes how Ethiopian dissidents in the US, UK, and other countries were targeted with emails containing sophisticated commercial spyware posing as Adobe Flash player updates and PDF plugins. Targets include a US-based Ethiopian diaspora media outlet, the Oromia Media Network (OMN), a PhD student, and a lawyer. During the course of our investigation, one of the authors of this report was also targeted.

    *   We found a public logfile on the spyware’s command and control server and monitored this logfile over the course of more than a year. We saw the spyware’s operators connecting from Ethiopia, and infected computers connecting from IP addresses in 20 countries, including IP addresses we traced to Eritrean companies and government agencies.

    *   Our analysis of the spyware indicates it is a product known as PC Surveillance System (PSS), a commercial spyware product with a novel exploit-free architecture. PSS is offered by Cyberbit — an Israel-based cyber security company that is a wholly-owned subsidiary of Elbit Systems — and marketed to intelligence and law enforcement agencies.

    *   We conducted Internet scanning to find other servers associated with PSS and found several servers that appear to be operated by Cyberbit themselves. The public logfiles on these servers seem to have tracked Cyberbit employees as they carried infected laptops around the world, apparently providing demonstrations of PSS to the Royal Thai Army, Uzbekistan’s National Security Service, Zambia’s Financial Intelligence Centre, the Philippine President’s Malacañang Palace, ISS World Europe 2017 in Prague, and Milipol 2017 in Paris. Cyberbit also appears to have provided other demos of PSS in France, Vietnam, Kazakhstan, Rwanda, Serbia, and Nigeria.

One infection in Finland is described as “unexplained activity” (see para 6.3.3). It occurred between May 26, 2017 and November 28, 2017, as did one infection each in Ethiopia, Indonesia and Slovakia. The Ethiopia infection occurred “with no known overlap with the Ethiopia client’s IP address space.”

Figure 4: Data exfiltrated by PSS (Source: Cyberbit Marketing Materials).

Cyberbit describes PSS as “a comprehensive solution for monitoring and extracting information from remote PCs.” As is standard in the marketing materials for spyware companies, Cyberbit represents that their design “eliminat[es] the possibility that the operation will be traced back to the origin.”

Read the full article at the original source, The Citizen Lab.
