Researchers claim that Ethiopian spies used Hacking Team malware to target journalists in Washington D.C.
Early last year, a group of cybersleuths accused the Ethiopian government of using malware sold by an Italian surveillance company to spy on Ethiopian journalists based in the US.
But rather than cease their activities, the Ethiopian government is believed to have targeted the same journalists again, months later, using spyware from the same company according to a new report by researchers at the Citizen Lab—a digital watchdog group at the University of Toronto's Munk School of Global Affairs.
These latest attacks came after the Ethiopian government denied having ever used spyware, and after Hacking Team claimed to have a system in place to prevent these abuses—or at least cease to support clients that are found to have carried out abuse.
Hacking Team has never confirmed nor denied that Ethiopia was or still is one of its clients. But researchers at Citizen Lab say the evidence they have proves exactly the opposite—that Ethiopia hasn't given up on its attempts to intimidate and spy on journalists at the Ethiopian Satellite Television (ESAT), a news organization comprised mostly of expatriates that is often in the crosshairs of the government.
In fact, they believe Hacking Team is still supporting the country's efforts, providing updated and harder to detect versions of its software—despite the company's claims that it investigates any allegations of abuse. In its customer policy, Hacking Team says it is willing to take "appropriate action," including refusal to provide support for its products, in cases of "gross human rights abuses."
Citizen Lab researchers say these latest attacks suggest that Hacking Team's software is still being used to target dissidents.
"Ethiopian journalists were targeted yet again with what appears to be Hacking Team's spyware—just months ago," said Bill Marczak, who co-authored the report with John Scott-Railton and Sarah McKune. "Probably most people would look at this and say this is not something you classify as legitimate usage."
Hacking Team, which Reporters Without Borders labelled as an "Enemy of the Internet," is part of an ever-growing group of surveillance tech companies that market their products exclusively to governments, police departments, and spy agencies. Other well-known companies that have caught the attention of activists, researchers, and even WikiLeaks, include FinFisher and its parent company Gamma International, which also sell spyware, and VUPEN, which sells intelligence agencies secret software vulnerabilities known as "zero-day" exploits.
However, the company has always denied any accusations that it sells malware to repressive governments—even though Citizen Lab has previously detected what it believes to be Hacking Team software in use against local journalists in Morocco, and by the United Arab Emirates government against a prominent human rights activist.
Hacking Team claims its software, known as Remote Control System (RCS), is simply a tool to help police forces around the world fight criminals in the digital age. RCS allows its operators to monitor a target's computer or cellphone; can intercept and exfiltrate data such as passwords, emails, text messages and social media activities; and can surreptitiously enable a target's microphone to listen in on calls, or turn on the target's webcam.
But Cynthia Wong, a senior researcher at Human Rights Watch (HRW), said that Citizen Lab's new report is evidence that Hacking Team "has ignored previous allegations that their product has been abused in Ethiopia."
"This is not a new thing for Hacking Team," said Wong, whose organization reached out to Hacking Team demanding explanations in light of the report. "They were notified last year that their product may have been misused. There are some questions they should answer."
But Hacking Team, for now, is not answering them.
Reached by phone on Friday, company spokesperson Eric Rabe said he didn't "really have a reaction" to the new report—and went on to dismiss Citizen Lab's previous investigations.
"We're aware of their work and have seen some of their past reporting, some of which it seems to be based on some nicely presented suppositions," Rabe said.
Rabe declined to confirm or deny whether Ethiopia is a Hacking Team customer. Though the company has never disclosed its list of customers, Citizen Lab in another investigation claimed to have identified more than 20 of its clients. They allegedly include countries such as Azerbaijan, Kazakhstan, Saudi Arabia, and Sudan, which have poor human rights records.
A report from HRW released in February called Ethiopia "one of the world's biggest jailers of journalists," with 19 currently in prison, and accused the country of systematically assaulting independent voices.
Tesfaye Wolde, a spokesperson for the Ethiopian Embassy in Washington D.C., initially declined to comment. But when Motherboard sent Wolde a previous statement made by another embassy spokesperson last year—stating that Ethiopia "did not use and has no reason at all to use any spyware or other products provided by Hacking Team or any other vendor inside or outside of Ethiopia"—Wolde confirmed the statement was still correct.
"Yes! Sir! I agree with Wahide's answer," Wolde wrote in an email last week.
He did not answer further questions, saying only that Ethiopia "acts in compliance with its own laws and with the laws of nations."
On December 19, 2014, ESAT's managing director Neamin Zeleke received what he defined as a "suspicious email."
"I suspected this might be some sort of spyware," said Zeleke, who has been living in the US for about 20 years. After the attacks last year, Zeleke said he learned to be very cautious: "If I receive an email, and I'm very serious about this, I do not open attachments."
Instead, he forwarded the email to Marczak. When Marczak saw it, he didn't expect Hacking Team to be involved.
"It wasn't my first thought when I saw the attachments," Marczak told Motherboard. "But I surely did have in the back of my mind 'oh wouldn't this be interesting if it was Hacking Team?'"
The document attached to the email, according to the report, was designed to communicate with the same command and control infrastructure used in the 2013 attack—and included servers registered to state-owned Ethio Telecom. Citizen Lab's researchers argued that the attacks were carried out by "the same attacker."
That same attacker also infected another target unaffiliated with ESAT, and took control of his Gmail address. The Gmail account was accessed from an IP address registered to a computer called INSA-PC, according to the report. As the researchers note, Ethiopia's intelligence agency is called Information Network Security Agency (INSA).
Citizen Lab documented another two attacks against ESAT journalists, dated November 5 and November 10, 2014. In both cases, the attacks consisted of emails with malicious attachments. The malware contained in those attachments communicated with the same IP address implicated in the attack against Zeleke, according to the report.
Despite these digital breadcrumbs, it seems that both the Ethiopian government and Hacking Team did try to hide at least some of their tracks following the release of last year's report.
Marczak said that a server implicated in the attack in 2013 went dark for roughly a month, in March of 2014, shortly after the release of last year's report. Then the server came back online for a brief period of time. Citizen Lab detected it because it still matched the fingerprint they created to identify it. But shortly afterward, Marczak said, the server apparently received an upgrade because it no longer matched the fingerprint. However, it still had the same IP address.
"It would have been smarter to change the IP address of the server," Marczak told Motherboard.
Meanwhile, the malware received by ESAT journalists on November 5 and 10 was detected as Hacking Team malware by the anti-virus tool Detekt, created by Claudio Guarnieri, another Citizen Lab-affiliated researcher.
But when the researchers tried Detekt with the sample used against Zeleke on December 19, the software did not detect it. To Marczak, this means Hacking Team must have upgraded its spyware after Detekt was launched in late November.
Looking For Answers
Marczak believes that Citizen Lab's latest report underscores once again that the booming spy tech industry needs oversight.
"When you have repeated cases of abuse, when Hacking Team was aware of this previous case of abuse—not to pick on Hacking Team or anything—but it calls into question this industry's reliance on self-regulation," he said.
And though there is movement to regulate cyberweapons on an international scale, governments around the world are still undecided on the best way to move ahead.
A number of countries, including the US, UK, Canada, France, Germany and others, agreed to expand the Wassenaar Agreement in late 2013. The treaty is intended to control the export of dual-use goods and technologies, and now includes "intrusion" technologies such as those sold by Hacking Team. As a result, many of these countries are slowly implementing a license regime that would compel surveillance companies to seek approval before exporting to certain countries.
Hacking Team itself stated at the end of last month that it would comply with the new regime. But it's still unclear whether this treaty will stop what critics call the "proliferation" of cyber tools to quash dissent.
In August of last year, after a series of reports on Hacking Team, Citizen Lab demanded answers from the company in an open letter. The company has yet to respond, so Citizen Lab's director Ronald Deibert is doubling down with another letter.
"After all of the prior reporting surrounding the use of [Hacking Team's spyware] RCS against ESAT journalists in December 2013 and its human rights implications, how has it come to pass that RCS is again linked in late 2014 to the same activity?" Deibert asked. "What steps will Hacking Team take to control such apparent misuse of its technology and prevent the continued targeting of ESAT journalists?"
Asked if Hacking Team undertook an investigation after last year's report, Rabe said that the company does not "report on the results of our investigations," nor whether the investigation even existed, "as a matter of policy."
"Frankly, we don't see Citizen Lab as a regulatory agency that we have to report to," he told Motherboard. "They may see their own work that way, but we don't."
Zeleke, one of the ESAT journalists targeted, has "no doubts" that it was Ethiopian spies using Hacking Team software who tried to hack him.
"Who else would like to invade our computers to extract information?" he told Motherboard.
In any case, he said he is not afraid, because he is far from the physical reach of his government. His data, and his contacts, however, are not—and it's the latter that the government is probably most interested in. They want to persecute the people that speak to ESAT, he said.
But Zeleke is confident that Ethiopia's tactics will not succeed, nor last for long—and he has a message for the Ethiopian government.
"This is not the way to govern," he said. "All the history's regions that have tried these methods and tactics, in the end they fall down, because you cannot rule by fear ad infinitum."
UPDATE 03/03/2015, 4:53 p.m.: After the publication of our article, Hacking Team's spokesperson Eric Rabe sent Motherboard a statement, largely echoing what Rabe said during our phone interview.
"At any time that we become aware of allegations of abuse of our software, we investigate," the statement read.
The statement, however, doesn't say whether Hacking Team will investigate the allegations made in this report.