Foreign regimes like Ethiopia use spyware against journalists, even in U.S.

By Craig Timberg originally published on Washington Post

Mesay Mekonnen was at his desk, at a news service based in Northern Virginia, when gibberish suddenly exploded across his computer screen one day in December. A sophisticated cyber­attack was underway.

But this wasn’t the Chinese army or the Russian mafia at work.

Instead, a nonprofit research lab has fingered government hackers in a much less technically advanced nation, Ethi­o­pia, as the likely culprits, saying they apparently used commercial spyware, essentially bought off the shelf. This burgeoning industry is making surveillance capabilities that once were the exclusive province of the most elite spy agencies, such as National Security Agency, available to governments worldwide.

Origin of hacking attempts on journalists
Origin of hacking attempts on journalists

The targets of such attacks often are political activists, human rights workers and journalists, who have learned that the Internet allows authoritarian governments to surveil and intimidate them even after they have fled to supposed safety.

That includes the United States, where laws prohibit unauthorized hacking but rarely succeed in stopping intrusions. The trade in spyware itself is almost entirely unregulated, to the great frustration of critics.

“We’re finding this in repressive countries, and we’re finding that it’s being abused,” said Bill Marczak, a research fellow for Citizen Lab at the University of Toronto’s Munk School of Global Affairs, which released a report Wednesday. “This spyware has proliferated around the world . . .without any debate.”

Citizen Lab says the spyware used against Mekonnen and one other Ethio­pian journalist appears to have been made by Hacking Team, an Italian company with a regional sales office in Annapolis. Its products are capable of stealing documents from hard drives, snooping on video chats, reading e-mails, snatching contact lists, and remotely flipping on cameras and microphones so that they can quietly spy on a computer’s unwitting user.

Some of the targets of recent cyberattacks are U.S. citizens, say officials at Ethio­pian Satellite Television’s office in Alexandria, where Mekonnen works. Others have lived in the United States or other Western countries for years.

(Astrid Riecken/For The Washington Post) - Neamin Zeleke, managing director of Ethiopian Satelite Television, suspects that the Ethiopian government has employed spyware to identify opposition supporters.
(Astrid Riecken/For The Washington Post) – Neamin Zeleke, managing director of Ethiopian Satelite Television, suspects that the Ethiopian government has employed spyware to identify opposition supporters.

“To invade the privacy of American citizens and legal residents, violating the sovereignty of the United States and European countries, is mind-boggling,” said Neamin Zeleke, managing director for the news service, which beams reports to Ethi­o­pia, providing a rare alternative to official information sources there.

Citizen Lab researchers say they have found evidence of Hacking Team software, which the company says it sells only to governments, being used in a dozen countries, including Uzbekistan, Kazakhstan, Sudan, Saudi Arabia and Azerbaijan.

The Ethio­pian government, commenting through a spokesman at the embassy in Washington, denied using spyware. “The Ethiopian government did not use and has no reason at all to use any spyware or other products provided by Hacking Team or any other vendor inside or outside of Ethi­o­pia,” Wahide Baley, head of public policy and communications, said in a statement e-mailed to The Washington Post.

Hacking Team declined to comment on whether Ethi­o­pia was a customer, saying it never publicly confirms or denies whether a country is a client because that information could jeopardize legitimate investigations. The company also said it does not sell its products to countries that have been blacklisted by the United States, the United Nations and some other international groups.

“You’ve necessarily got a conflict between the issues around law enforcement and the issues around privacy. Reasonable people come down on both sides of that,” said Eric Rabe, a U.S.-based senior counsel to Hacking Team. “There is a serious risk if you could not provide the tools that HT provides.”

The FBI, which investigates computer crimes, declined to comment on the Citizen Lab report.

Allegations of abuse

Technology developed in the aftermath of the Sept. 11, 2001, terrorist attacks has provided the foundation for a multibillion-dollar industry with its own annual conferences, where firms based in the most developed countries offer surveillance products to governments that don’t yet have the ability to produce their own.

Hacking Team, which Reporters Without Borders has named on its list of “Corporate Enemies” of a free press, touted on its Web site that its “Remote Control System” spyware allows users to “take control of your targets and monitor them regardless of encryption and mobility. It doesn’t matter if you are after an Android phone or a Windows computer: you can monitor all the devices.”

Hacking Team software has been used against Mamfakinch, an award-winning Moroccan news organization, and Ahmed Mansoor, a human rights activist in the United Arab Emirates who was imprisoned after signing an online political petition, Citizen Lab reported. Another research group, Arsenal Consulting, has said Hacking Team software was used against an American woman who was critical of a secretive Turkish organization that is building schools in the United States.

Such discoveries have sparked calls for international regulation of Hacking Team and other makers of spyware, which typically costs in the hundreds of thousands of dollars, according to experts.

By selling spyware, “they are participating in human rights violations,” said Eva Galperin, who tracks spyware use for the Electronic Frontier Foundation, a civil liberties group based in San Francisco. “By dictator standards, this is pretty cheap. This is pocket change.”

Rabe, the Hacking Team official, said that the company does not itself deploy spyware against targets and that, when it learns of allegations of human rights abuses by its customers, it investigates those cases and sometimes withdraws licenses. He declined to describe any such cases or name the countries involved.

Ethio­pian Satellite Television, typically known by the acronym ESAT, started in 2010 and operates on donations from members of the expatriate community. The news service mainly employs journalists who left Ethi­o­pia in the face of government harassment, torture or criminal charges. Though avowedly independent, ESAT is viewed as close to Ethiopia’s opposition forces, which have few other ways of reaching potential supporters.

Despite the nation’s close relationship with the U.S. government — especially in dealing with unrest and Islamist extremism in neighboring Somalia — the State Department has repeatedly detailed human rights abuses by the Ethi­o­pian government against political activists and journalists. There has been little improvement, observers say, since the 2012 death of the nation’s longtime ruler, Meles Zenawi.

“The media environment in Ethi­o­pia is one of the most repressive in Africa,” said Felix Horne, a researcher for Human Rights Watch. “There are frequent cases of people who have spoken to journalists being arrested. There’s very little in the way of free flow of information in the country. The repressive anti-terrorism law is used to stifle dissent. There are a number of journalists in prison for long terms for doing nothing but practicing what journalists do.”

Taking the bait

Mekonnen was wary as soon as he received a document, through a Skype chat with a person he did not know, on Dec. 20. But the file bore the familiar icon of a Microsoft Word file and carried a name, in Ethiopia’s Amharic language, suggesting that it was a text about the ambitions of a well-known political group there. The sender even used the ESAT logo as his profile image, suggesting the communication was from a friend, or at least a fan.

When the screen filled with a chaotic series of characters, Mekonnen knew he had been fooled — in hacker jargon, he had taken “the bait” — yet it wasn’t clear what exactly was happening to his computer, or why.

That same day, an ESAT employee in Belgium also had received mysterious documents over Skype chats. Noticing that the files were of an unusual type, he chose not to open them on his work computer. Instead, the ESAT employee uploaded one of the files to a Web site, VirusTotal, that scans suspicious software for signs of their origins and capabilities.

That Web site also has a system to alert researchers when certain types of malicious software are discovered. Marczak, the Citizen Lab researcher, who had been tracking the spread of spyware from Hacking Team and other manufacturers, soon got an e-mail from VirusTotal reporting that a suspicious file had been found, carrying telltale coding.

Marczak, a doctoral student in computer science at the University of California at Berkeley, had worked with members of the Ethio­pian community before, during an attempted hacking incident last April. When he received the alert from VirusTotal, he got in touch with ESAT’s offices in Alexandria and began looking for signs of Hacking Team software on the news service’s computers. He was eventually joined in the detective work by three other researchers affiliated with Citizen Lab, Claudio Guarnieri, Morgan Marquis-Boire and John Scott-Railton. They did not detect an active version of the spyware on Mekonnen’s computer, suggesting it had failed to activate properly or was removed by the hackers who deployed it. But when Citizen Lab analyzed the file itself — still embedded in Mekonnen’s Skype account — its coding tracked closely to other Hacking Team spyware, Marczak said.

The Citizen Lab team found that the spyware was designed to connect to a remote server that used an encryption certificate issued by a group listed as “HT srl,” an apparent reference to Hacking Team. The certificate also mentioned “RCS,” which fits the acronym for the company’s “Remote Control System” spyware.

The researchers discovered a similar encryption certificate used by a server whose IP address was registered to Giancarlo Russo, who is Hacking Team’s chief operating officer. The phone number and mailing address associated with that server’s IP address matched the company’s headquarters in Milan, Citizen Lab said.

The evidence of Ethiopia’s involvement was less definitive — as is common when analysts attempt to learn the origin of a cyberattack — though the Citizen Lab researchers express little doubt about who was behind the attack. The document that Mekonnen downloaded, they noted, had a title in Amharic that referred to Ethio­pian politics, making clear that the attackers had deep knowledge of that country.

In addition, few governments have enough interest in Ethio­pian politics to deploy a sophisticated spyware attack against journalists covering the country, Marczak said. “I can’t really think of any other government that would like to spy on ESAT.”

The biggest fear among journalists is that spies have accessed sensitive contact lists on ESAT computers, which could help the government track their sources back in Ethi­o­pia.

“This is a really great danger for them,” Mekonnen said.