Citizen Lab has published a new report today in which we uncover a major global cyber espionage campaign targeting numerous individuals in the United States, United Kingdom, Canada, Germany, and more than a dozen other countries. Strong circumstantial evidence points to Ethiopia, with the surveillance technology supplied by an Israel-based company, Cyberbit Solutions.
The full, very detailed report, entitled “Champing at the Cyberbit: Ethiopian Dissidents Targeted with New Commercial Spyware” and authored by Citizen Lab’s Bill Marczak, Geoffrey Alexander, Sarah McKune, John Scott-Railton, and myself, can be found here.
Among the report’s notable details: public logfiles located by Citizen Lab’s Bill Marczak allowed us to track Cyberbit employees as they carried infected laptops around the world, apparently providing demonstrations of the spyware to the Royal Thai Army, Uzbekistan’s National Security Service, Zambia’s Financial Intelligence Centre, the Philippine President’s Malacañang Palace, ISS World Europe 2017 in Prague, and Milipol 2017 in Paris. Cyberbit also appears to have provided other demos of PSS in France, Vietnam, Kazakhstan, Rwanda, Serbia, and Nigeria. Bill’s extraordinary detective work here is spectacular. Special shout-out to Geoff Alexander, who did some excellent supportive work reverse engineering malware samples.
A graphic (put together thanks to John Scott-Railton, as usual) that shows the locations of these demonstrations can be found here.
The operators also tried to infect Citizen Lab’s lead technical researcher on the project, Bill Marczak, as outlined in this Motherboard piece. As Daily Beast reporter Joseph Cox noted, that’s “one of the dumbest things you can possibly do with your nation-state malware.”
A companion piece (led by Citizen Lab’s Sarah McKune) detailing legal and regulatory issues raised by our report can be found here. Great to see support from Human Rights Watch, who wrote a lengthy post and a letter to Cyberbit.