Spyware vendor may have helped Ethiopia target journalists – even after it was aware of abuses, researchers say Andrea Peterson March 9, 2015
(Washington Post)-The Ethiopian government appears again to be using Internet spying tools to attempt to eavesdrop on journalists based in suburban Washington, said security researchers who call such high-tech intrusions a serious threat to human rights and press freedoms worldwide.
The journalists, who work for Ethiopian Satellite Television in Alexandria, Va., provide one of the few independent news sources to their homeland through regular television and radio feeds — to the irritation of the government there, which has accused journalists of “terrorism” and repeatedly jammed the signals of foreign broadcasters.
The struggle increasingly has stretched into cyberspace, where malicious software sold to governments for law enforcement purposes has been observed targeting the journalists, researchers said. The most recent documented case, from December, came several months after The Washington Post first detailed the government’s apparent deployment of the Internet spying tools, which though far cruder, offer some of the same snooping capabilities enjoyed by the National Security Agency and the intelligence services of other advanced nations.
“This is the second round of coordinated attempts at installing spyware so they can monitor our systems and uncover who our sources are inside of the Ethiopia,” said Neamin Zeleke, the managing director of Ethiopian Satellite Television, which is commonly known as ESAT. “This is a really tenacious attempt to crack down on freedom of expression.”
Zeleke became suspicious when a message arrived in his inbox in December with an attachment claiming to have information about upcoming elections. Normally, that’s the sort of information ESAT is eager to get its hands on: Ethiopia is ruled by a government notoriously unfriendly to the press — leaving much of the independent journalism on local affairs to outfits such as ESAT that operate outside of the country but rely on sources from inside Ethiopia.
But editors and reporters at ESAT have become wary of e-mails from unknown senders in recent years — and for good reason.
In 2013, the computer of one of Zeleke’s colleagues was infected with malware after the colleague opened what appeared to be a Microsoft Word file. They later learned that it was probably a commercial spying tool sold to governments around the world by the Italy-based vendor Hacking Team, according to researchers at Citizen Lab at the University of Toronto’s Munk School of Global Affairs.
So after receiving the recent suspicious e-mail, Zeleke said he forwarded it to the Citizen Lab researchers instead of opening the attachment.
The e-mail, along with other messages to Ethiopian journalists, show that Ethiopia appears to be continuing to wage a digital campaign against independent journalists — including some based within the United States — with the help of updated versions of Hacking Team software, according to the report’s authors Bill Marczak, John Scott-Railton and Sarah McKune.
Sophisticated surveillance tools on a budget
While the debate over cyberattacks has been dominated by disclosure about National Security Agency capabilities and alleged cyberespionage campaigns of Chinese and Russian hackers, a booming commercial spyware market has put high-tech surveillance tools within the reach of governments worldwide. In the hands of repressive regimes, this can mean a wave of cyberattacks on journalists, human rights workers and political activists.
The Internet, instead of being a tool for organizing and spreading information about government abuse, can become a tool for oppression able to even reach those who have fled the physical borders of a country.
And the latest Citizen Lab report suggests that Hacking Team may continue to support its software to nations even after abuse was identified.
Hacking Team declined to comment on whether it sells its services to Ethiopia. “We do not disclose the identities of clients nor their locations as a matter of policy,” company spokesperson Eric Rabe told The Post. “Obviously, clients demand confidentiality and require it in order to conduct legitimate legal surveillance of suspects in cases of crime, terrorism or other wrongdoing.”
The Ethiopian government also did not directly answer questions about whether it uses Hacking Team’s products. “Ethiopia acts in compliance with its own laws and with the laws of nations,” Tesfaye Wolde of the Ethiopian Embassy in Washington said in a statement.
Hacking Team investigates allegations of abuse, Rabe said. “In cases where we find that an agency is misusing our technology, we can take a variety of actions up to and including suspending support for the system.”
He did not say, though, whether those investigations have ever resulted in a country being cut off. “It can be quite difficult to determine facts, particularly since we do not operate surveillance systems in the field for our clients,” Rabe said. “Assertions that may seem perfectly obvious to some can be extremely difficult to actually prove.”
And activists are skeptical. “Hacking Team is one of the go-to companies of authoritarian regimes who absolutely need spying capabilities and don’t want to develop them on their own,” said Christopher Soghoian, a principal technologist at the American Civil Liberties Union.
The company’s signature product is its Remote Control System (RCS), which allows governments to hack into the computers of targets and gain almost complete control. “For a few hundred thousand dollars, they will give you the software you need to take over someone’s webcams, microphones, and access other sensitive information,” Soghoian said.
It’s this RCS malware that Citizen Lab says attackers appear to have tried to use against ESAT. “In this case, what we have is the same entity who attacked ESAT in 2013 attacking them in December of 2014 using Hacking Team’s software again,” Marczak, one of researchers, said. The malware linked back to the same sort of control infrastructure as the previous version, and researchers uncovered other evidence, including an encryption certificate, that tie it back to Hacking Team, according to Citizen Lab.
The malware was modified from the version used against ESAT journalists reported in February 2014 to avoid tools developed to help activists and journalists detect whether they had been infected by commercial spyware, Citizen Lab said. The modifications to the malware indicate that Hacking Team continued to provide support to the Ethiopian government even after The Post reported on the issue last year.
Rabe of Hacking Team said the company’s software is regularly updated for customers who are not in violation of its customer policy, which says the company will stop providing support to a client if it believes their software has been used to “facilitate gross human rights abuses.”
The use of Hacking Team software is a strong sign that the Ethiopian government was behind the attack, Marczak said.
“The software is sold exclusively to governments — and in the case of ESAT, it doesn’t seem like there’s anyone else who would be interested in targeting them beyond Ethiopia,” he said.
But there are other signs that point to Ethiopia — including Internet addresses used by the attacker that were linked to an Ethiopian telecom provider, researchers said, as well as links uncovered between the attacker and a computer that calls itself “INSA-PC,” a possible reference to the Ethiopian Information Network Security Agency, or INSA.
Ethiopia’s crack down on journalists
Ethiopia has a poor track record on freedom of the press. “There’s been a systematic decimation of independent media” since 2010, said Felix Horne, Africa researcher at Human Rights Watch, featuring escalating tactics including threats of jail time.
And that campaign has become more aggressive as the country approaches elections in May, with 30 some journalists fleeing the country and six publications closing down in 2014, he said.
The State Department, which declined to comment for this story, has repeatedly expressed concern about human rights abuses by the country’s government against activists and journalists. But the United States maintains strong ties with Ethiopia, especially when it comes to combating Islamist extremism in neighboring Somalia. Wolde, of the Ethiopian Embassy, said that Ethiopia “has close working relations with the United States and has done nothing to jeopardize these relations.”
ESAT, which was started in 2010, is largely staffed by journalists who have fled Ethiopia, sometimes while facing the threat of torture or imprisonment, Zeleke said. While independent, the group is viewed by outside observers as tied to political opposition groups within Ethiopia. And the malware campaign shows that its reporters are within the digital grasp of the Ethiopian government, even if they’ve escaped its physical control, Zeleke said.
But he said that he is most worried about sources who share information with the outlet, often at significant personal risk. “We have all kinds of contacts who give us information,” Zeleke said. “The government wants to know who they are so they can crack down and arrest them.”
News of commercial surveillance tools has had a chilling effect among those inside Ethiopia and the diaspora, Horne said. “A lot of Ethiopians have become afraid to talk on tech that they previously considered secure like Skype or e-mail.”
Hacking Team is not the only company selling this type of technology. The Electronic Frontier Federation is currently suing Ethiopia on behalf of a U.S. citizen whose computer was allegedly infected in 2013 by FinSpy, another form of commercial spyware available to foreign governments.
Attempting to hack someone located in the United States with spyware is illegal, said Nate Cardozo, a lawyer with the EFF, unless done in partnership with domestic law enforcement agencies. “It’s absolutely a violation of U.S. law, probably both the Computer Fraud and Abuse Act and the Wiretap Act,” he said.
Many companies that market their tools to foreign governments have made it a point to stay outside the range of U.S. courts, he said, and they often argue they cannot be held responsible for what a country does once it buys the products. “The industry turns a blind eye to the abuses of their products, and they have from the very beginning,” Cardozo said.
Rabe said that Hacking Team works to “prevent abuse in ways that no other company in our business comes close to.” Last month, the company announced it is complying with a European Union agreement that controls the export of its type of software. The company has previously committed not to sell to countries on various International blacklists.
But the latest Citizen Lab report could make it harder for the industry to insist they are ignorant of abuses, researchers said.
“This is the first case we’ve been able to identify where abuses have continued, Marczak said. “It’s very much a retort to the defenses we hear from this industry.”
Correction: An earlier version misspelled the name of one of the Citizen Lab report authors, Sarah McKune, as Sarah McCune. We regret the error.
Andrea Peterson covers technology policy for The Washington Post, with an emphasis on cybersecurity, consumer privacy, transparency, surveillance and open government.
See below to read the Human Right Watch Report on TPLF hacking of ESAT.
For Immediate ReleaseEthiopia: Digital Attacks Intensify
Spyware Firm Should Address Alleged Misuse
(New York, March 9, 2015) – The Ethiopian government has renewed efforts to silence independent voices abroad by using apparent foreign spyware, Human Rights Watch said today. The Ethiopian authorities should immediately cease digital attacks on journalists, while foreign surveillance technology sellers should investigate alleged abuses linked to their products.
Independent researchers at the Toronto-based research center Citizen Lab on March 9, 2015, reported new attempts by Ethiopia to hack into computers and accounts of Ethiopian Satellite Television (ESAT) employees based in the United States. The attacks bear similarities to earlier attempts to target Ethiopian journalists outside Ethiopia dating back to December 2013. ESAT is an independent, diaspora-run television and radio station.
“Ethiopia’s government has over the past year intensified its assault on media freedom by systematically trying to silence journalists,” said Cynthia Wong, seniorInternet researcher at Human Rights Watch. “These digital attacks threaten journalists’ ability to protect the safety of their sources and to avoid retaliation.”
The government has repressed independent media in Ethiopia ahead of the general elections scheduled for May, Human Rights Watch said. Many privately owned print publications heavily self-censor coverage of politically sensitive issues or have shut down. In the last year, at least 22 journalists, bloggers, and publishers have beencriminally charged, at least six publications have closed amid a campaign of harassment, and many journalists have fled the country.
Many Ethiopians turn to ESAT and other foreign stations to obtain news and analysis that is independent of the ruling Ethiopian People’s Revolutionary Democratic Front. However, intrusive surveillance of these news organizations undermines their ability to protect sources and further restricts the media environment ahead of the elections. Government authorities have repeatedly intimidated, harassed, and arbitrarilydetained sources providing information to ESAT and other foreign stations.
Citizen Lab’s analysis suggests the attacks were carried out with spyware called Remote Control System (RCS) sold by the Italian firm Hacking Team, which sells surveillance and hacking technology. This spyware was allegedly used in previous attempts to infect computers of ESAT employees in December 2013. If successfully installed on a target’s computer, the spyware would allow a government controlling the software access to activity on a computer or phone, including email, files, passwords typed into the device, contact lists, and audio and video from the device’s microphone and camera.
Citizen Lab also found that the spyware used in the attacks against ESAT appeared to have been updated as recently as December 2014. On November 19, a security researcher, Claudio Guarnieri, along with several nongovernmental organizations, publicly released a tool called Detekt, which can be used to scan computers for Hacking Team RCS and other spyware. Citizen Lab’s testing determined that Detekt was able to successfully recognize the version of RCS used in a November attack, but not the version used in a December attack. Citizen Lab concluded that this may indicate that the software had been updated sometime between the two attempts.
These new findings, if accurate, raise serious concerns that Hacking Team has not addressed evidence of abuse of its product by the Ethiopian government and may be continuing to facilitate that abuse through updates or other support, Human Rights Watch said.
Hacking Team states that it sells exclusively to governments, particularly law enforcement and intelligence agencies. The firm told Human Rights Watch in 2014 that “we expect our clients to behave responsibly and within the law as it applies to them” and that the firm will suspend support for its technology if it believes the customer has used it “to facilitate gross human rights abuses” or “who refuse to agree to or comply with provisions in [the company’s] contracts that describe intended use of HT [Hacking Team] software.” Hacking Team has also stated that it has suspended support for their product in the past, in which case the “product soon becomes useless.”
Media reports and research by independent human rights organizations in the past year have documented serious human rights violations by the Ethiopian government that at times have been facilitated by misuse of surveillance powers. Although spyware companies market their products as “lawful intercept” solutions used to fight serious crime or counterterrorism, the Ethiopian government has abused its counterterrorism laws to prosecute bloggers and journalists who merely report on public affairs or politically sensitive issues. Ethiopian laws that authorize surveillance do not adequately protect the right to privacy, due process, and other basic rights, and are inconsistent with international human rights requirements.
Hacking Team previously told Human Rights Watch that “to maintain their confidentiality” the firm does not “confirm or deny the existence of any individual customer or their country location.” On February 25, 2015, Human Rights Watchwrote to the firm to ask whether it has investigated possible abuse of its products by the Ethiopian government to target independent media and hack into ESAT computers. In response, on March 6 a representative of the firm emailed Human Rights Watch that the company “take[s] precautions with every client to assure that they do not abuse our systems, and, we investigate when allegations of misuse arise” and that the firm is “attempting to understand the circumstances in this case.” The company also stated that “it can be quite difficult to get to actual facts particularly since we do not operate surveillance systems in the field for our clients.” Hacking Team raised unspecified questions about the evidence presented to identify the spyware used in these attacks.
Human Rights Watch also asked the company whether contractual provisions to which governmental customers agree address governments’ obligations under international human rights law to protect the right to privacy, freedom of expression, and other human rights. In a separate March 7 response from the firm’s representative, Hacking Team told Human Rights Watch that the use of its technology is “governed by the laws of the countries of our clients,” and sales of its technology are regulated by the Italian Economics Ministry under the Wassenaar Arrangement, a multilateral export controls regime for dual-use technologies. The company stated that it relies “on the International community to enforce its standards for human rights protection.”
The firm has not reported on what, if any, investigation was undertaken in response to the March 2014 Human Rights Watch report discussing how spyware that appeared to be Hacking Team’s RCS was used to target ESAT employees in 2013. In its March 7 response, the company told Human Rights Watch that it will “take appropriate action depending on what we can determine,” but they “do not report the results of our investigation to the press or other groups, because we consider this to be an internal business matter.”
Without more disclosure of how Hacking Team has addressed potential abuses linked to its business, the strength of its human rights policy will be in question, Human Rights Watch said.
Sellers of surveillance systems have a responsibility to respect human rights, which includes preventing, mitigating, and addressing abuses linked to its business operations, regardless of whether government customers adequately protect rights.“Hacking Team should publicly disclose what steps it has taken to avoid abuses of its product such as those alleged against the Ethiopian government,” Wong said. “The company protects the confidentiality of its customers, yet the Ethiopian government appears to use its spyware to compromise the privacy and security of journalists and their sources.”
For more Human Rights Watch reporting on Internet freedom, please visit:
For more Human Rights Watch reporting on Ethiopia, please visit:
For more information, please contact:
In San Francisco, Cynthia Wong (English): +1-917-860-3186 (mobile); firstname.lastname@example.org. Follow on Twitter @cynthiamw
In Ottawa, Felix Horne (English): +1-514-894-8629 (mobile); or email@example.com. Follow on Twitter @FelixHorne1
In Amsterdam, Leslie Lefkow (English): +31-621-597-356 (mobile); firstname.lastname@example.org. Follow on Twitter @LefkowHRW