Repressive governments buy cheap spyware to keep tabs on critics

Spyware is now a growing business giving less technically advanced nations a surveillance edge

PUBLISHED : Thursday, 13 February, 2014, 11:56pm
UPDATED : Friday, 14 February, 2014, 3:34am

Ethiopian journalist Mesay Mekonnen was at his desk at a news service based in the US when gibberish skittered across his computer screen in December. A sophisticated cyberattack was under way.

But this wasn't an attack from the likes of China or Russia.

The likely culprits were government hackers from a much less technically advanced nation, Ethiopia, where the perpetrators apparently bought commercial spyware off the shelf, a non-profit research lab says.

Once the exclusive province of the most elite spy agencies like the National Security Agency, spyware is now a growing commercial industry, making surveillance capabilities widely available to governments worldwide.

The targets often are political activists, human rights workers and journalists who have learned that the internet allows authoritarian governments to watch and intimidate them, even after they have fled to supposedly safe havens.

That includes the United States, where laws prohibit unauthorised hacking but rarely stop intrusions. The trade in spyware itself is almost entirely unregulated, to the critics' frustration.

"We're finding this in repressive countries and we're finding that it's being abused," says Bill Marczak, a research fellow for Citizen Lab at the University of Toronto's Munk School of Global Affairs. "This spyware has proliferated around the world … without any debate."

Citizen Lab says the spyware used against Mekonnen and one other Ethiopian journalist appears to be made by Hacking Team, an Italian company. Its products are capable of stealing documents from hard drives, snooping on video chats, reading e-mails, snatching contact lists and remotely flipping on cameras and microphones so they can quietly spy on a computer's unwitting user.

Some of the targets of recent cyberattacks are US citizens, say officials at Ethiopian Satellite Television's office in Virginia, where Mekonnen works.

"To invade the privacy of American citizens and legal residents, violating the sovereignty of the United States and European countries, is mind-boggling," says Neamin Zeleke, managing director for the news service, which beams reports to Ethiopia, providing a rare alternative to official information sources there.

Citizen Lab researchers say they have found evidence of Hacking Team software, which the company says it sells only to governments, being used in a dozen countries, including Uzbekistan, Kazakhstan, Sudan, Saudi Arabia and Azerbaijan.

The Ethiopian government, commenting through a spokesman at the embassy in Washington, denied using spyware. "The Ethiopian government did not use and has no reason at all to use any spyware or other products provided by Hacking Team or any other vendor inside or outside of Ethiopia," says Wahide Baley, head of public policy and communications.

Hacking Team declined to comment on whether Ethiopia was a customer, saying it never publicly confirms or denies whether a country is a client because that information could jeopardise legitimate investigations. The company also says it does not sell its products to countries that have been blacklisted by the United States, the United Nations and some other international groups.

"You've necessarily got a conflict between the issues around law enforcement and the issues around privacy," says Eric Rabe, a US-based senior counsel to Hacking Team.

The FBI, which investigates computer crimes, declined to comment on Citizen Lab's findings.

Technology developed in the aftermath of the September 11, 2001 terrorist attacks has provided the foundation for a multibillion-dollar industry with its own annual conferences, where firms based in the most developed countries offer surveillance products to governments that don't yet have the ability to produce their own.

Hacking Team - named by Reporters Without Borders on its list of "Corporate Enemies" of a free press - touted on its website that its "Remote Control System" spyware allows users to "take control of your targets and monitor them regardless of encryption and mobility. It doesn't matter if you are after an Android phone or a Windows computer: you can monitor all the devices".

By selling spyware, Hacking Team and other makers "are participating in human rights violations", says Eva Galperin, who tracks spyware use for the Electronic Frontier Foundation, a civil liberties group based in San Francisco. "By dictator standards, this is pretty cheap. This is pocket change."

Rabe, the Hacking Team official, says that the company does not itself deploy spyware against targets and that, when it learns of allegations of human rights abuses by its customers, it investigates those cases and sometimes withdraws licences. He has declined to describe any such cases or name countries.

Ethiopian Satellite Television (ESAT) started in 2010 and operates on donations from members of the expatriate community. The news service mainly employs journalists who left Ethiopia when they faced government harassment, torture or criminal charges. Though avowedly independent, ESAT is seen as close to Ethiopia's opposition forces.

Mekonnen was wary when he received a document through a Skype chat with a person he did not know on December 20. But the file bore the familiar icon of a Microsoft Word file and carried a name, in Ethiopia's Amharic language, suggesting it was a text about the ambitions of a well-known political group there. The sender even used the ESAT logo as his profile image, suggesting the communication was from a friend, or at least a fan.

When the screen filled with a chaotic series of characters, Mekonnen knew he had been fooled. Yet it wasn't clear what exactly was happening to his computer, or why.

That same day, an ESAT employee in Belgium also received mysterious documents over Skype chats. Noticing that the files were of an unusual type, he refused to open them on his work computer. Instead, the ESAT employee uploaded one of the files to a website, VirusTotal, that scans suspicious software for signs of their origins and capabilities.

That website also has a system to alert researchers when certain types of malicious software are discovered. Marczak, the Citizen Lab researcher who had been tracking the spread of spyware from Hacking Team and other manufacturers, soon got an e-mail from VirusTotal reporting that a suspicious file had been found, carrying telltale coding.

Marczak, a doctoral student in computer science at the University of California at Berkeley, contacted ESAT's offices in Alexandria and began looking for signs of Hacking Team software on the news service's computers.

When Citizen Lab analysed the file itself - still embedded in Mekonnen's Skype account - its coding tracked closely to other Hacking Team spyware, Marczak says.

The Citizen Lab team found that the spyware was designed to connect to a remote server that used an encryption certificate issued by a group listed as "HT srl", an apparent reference to Hacking Team. The certificate also mentioned "RCS", which fits the acronym for the company's "Remote Control System" spyware.

The researchers discovered a similar encryption certificate used by a server whose IP address was registered to Giancarlo Russo, who is Hacking Team's chief operating officer. The phone number and mailing address associated with that server's IP address matched the company's headquarters in Milan, Citizen Lab says.

The evidence for Ethiopia's involvement was less definitive - as is common when analysts attempt to learn the origin of a cyberattack - though the Citizen Lab researchers express little doubt about who was behind the attack. The document that Mekonnen downloaded, they noted, had a title in Amharic that referenced Ethiopian politics.

Journalists fear that spies have accessed sensitive contact lists on ESAT computers, which could help the government track their sources back in Ethiopia.

"This is a really great danger for them," Mekonnen says.