Ethiopia’s Malware Attacks on Dissidents in Other Countries


Ethiopia continues to carry out targeted malware attacks on dissidents and activists located in other countries, according to the research findings published by The Citizen Lab.

The Citizen Lab has published the key findings of the research in a report, which says: “This report describes how Ethiopian dissidents in the US, UK, and other countries were targeted with emails containing sophisticated commercial spyware posing as Adobe Flash updates and PDF plugins. Targets include a US-based Ethiopian diaspora media outlet, the Oromia Media Network (OMN), a PhD student, and a lawyer.” The report also mentions that one of its authors (Bill Marczak, Geoffrey Alexander, Sarah McKune, John Scott-Railton, and Ron Deibert) was targeted during the course of the investigation.

The Citizen Lab, which is based at the Munk School of Global Affairs, University of Toronto, carried out the research by analyzing the use of spyware known as PC Surveillance System (PSS), which, as the report says, is “… a commercial spyware product with a novel exploit-free architecture.”

PSS, which is offered by the Israeli company Cyberbit, is usually bought and used by intelligence and law enforcement agencies. Citizen Lab researchers found a public logfile on the spyware’s command and control server and then monitored it for over a year. The report says: “We saw the spyware’s operators connecting from Ethiopia, and infected computers connecting from IP addresses in 20 countries, including IP addresses we traced to Eritrean companies and government agencies.”

The Citizen Lab report further says: “We conducted Internet scanning to find other servers associated with PSS and found several servers that appear to be operated by Cyberbit themselves. The public logfiles on these servers seem to have tracked Cyberbit employees as they carried infected laptops around the world, apparently providing demonstrations of PSS to the Royal Thai Army, Uzbekistan’s National Security Service, Zambia’s Financial Intelligence Centre, the Philippine President’s Malacañang Palace, ISS World Europe 2017 in Prague, and Milipol 2017 in Paris. Cyberbit also appears to have provided other demos of PSS in France, Vietnam, Kazakhstan, Rwanda, Serbia, and Nigeria.”

The report analyzes and describes a well-orchestrated campaign of targeted malware attacks that were “… apparently carried out by Ethiopia from 2016 until the present.” The targets receive an email containing a link; those who click it are invited to download and install an Adobe Flash update, which in fact contains the spyware, in order to view a video. In some instances, the lure is a fictitious app called “Adobe PdfWriter” that users are told they need to install in order to view a PDF file they have been sent.


Kevin Jones, Ph.D., is a research associate and a Cyber Security Author with experience in Penetration Testing, Vulnerability Assessments, Monitoring solutions, Surveillance and Offensive technologies etc. Currently, he is a freelance writer on latest security news and other happenings. He has authored numerous articles and exploits which can be found on popular sites like and others.

