The Citizen Lab report: A campaign of targeted malware attacks apparently carried out by Ethiopia’s regime from 2016 until the present with new commercial spyware, PC Surveillance System offered by Cyberbit

December 6, 2017

Posted by OromianEconomist in Uncategorized.


HRW: Ethiopia: New Spate of Abusive Surveillance

Spyware Industry Needs Regulation


CHAMPING AT THE CYBERBIT: ETHIOPIAN DISSIDENTS TARGETED WITH NEW COMMERCIAL SPYWARE

Key Findings

  • This report describes how Ethiopian dissidents in the US, UK, and other countries were targeted with emails containing sophisticated commercial spyware posing as Adobe Flash updates and PDF plugins. Targets include a US-based Ethiopian diaspora media outlet, the Oromia Media Network (OMN), a PhD student, and a lawyer. During the course of our investigation, one of the authors of this report was also targeted.
  • We found a public logfile on the spyware’s command and control server and monitored this logfile over the course of more than a year. We saw the spyware’s operators connecting from Ethiopia, and infected computers connecting from IP addresses in 20 countries, including IP addresses we traced to Eritrean companies and government agencies.
  • Our analysis of the spyware indicates it is a product known as PC Surveillance System (PSS), a commercial spyware product with a novel exploit-free architecture. PSS is offered by Cyberbit — an Israel-based cyber security company that is a wholly-owned subsidiary of Elbit Systems — and marketed to intelligence and law enforcement agencies.
  • We conducted Internet scanning to find other servers associated with PSS and found several servers that appear to be operated by Cyberbit themselves. The public logfiles on these servers seem to have tracked Cyberbit employees as they carried infected laptops around the world, apparently providing demonstrations of PSS to the Royal Thai Army, Uzbekistan’s National Security Service, Zambia’s Financial Intelligence Centre, the Philippine President’s Malacañang Palace, ISS World Europe 2017 in Prague, and Milipol 2017 in Paris. Cyberbit also appears to have provided other demos of PSS in France, Vietnam, Kazakhstan, Rwanda, Serbia, and Nigeria.

1. Executive Summary

This report describes a campaign of targeted malware attacks apparently carried out by Ethiopia from 2016 until the present. In the attacks we document, targets receive via email a link to a malicious website impersonating an online video portal. When a target clicks on the link, they are invited to download and install an Adobe Flash update (containing spyware) before viewing the video. In some cases, targets are instead prompted to install a fictitious app called “Adobe PdfWriter” in order to view a PDF file. Our analysis traces the spyware to a heretofore unobserved player in the commercial spyware space: Israel’s Cyberbit, a wholly-owned subsidiary of Elbit Systems. The spyware appears to be a product called PC Surveillance System (PSS), recently renamed PC 360.

The attacks we first identified were targeted at Oromo dissidents based outside of Ethiopia, including the Oromia Media Network (OMN). Oromia is the largest regional ethnic state of Ethiopia by population and area, comprised mostly of the Oromo people.


Figure 1: Oromia Region, Ethiopia

We later discovered that the spyware’s command and control (C&C) server has a public logfile that appears to show both operator and victim activity, allowing us to gain insight into the identity of the operators and the targets. Based on our analysis of the logfile, it appears that the spyware’s operators are inside Ethiopia, and that victims also include various Eritrean companies and government agencies.

We scanned the Internet for similar C&C servers and found what appear to be several servers used by Cyberbit. The public logfiles on those servers seem to have tracked Cyberbit employees as they carried infected laptops around the world, apparently providing demonstrations of PSS to various potential clients. The logfiles appear to place Cyberbit employees at IP addresses associated with the Royal Thai Army, Uzbekistan’s National Security Service, Zambia’s Financial Intelligence Centre, the Philippine President’s Malacañang Palace, ISS World Europe 2017 in Prague, and Milipol 2017 in Paris. Cyberbit also appears to have provided other demos to clients we could not identify in France, Vietnam, Kazakhstan, Rwanda, Serbia, and Nigeria.


Figure 2: Countries with Ethiopian Cyberbit targets.

This report is the latest in a growing body of work that shows the wide abuse of nation-state spyware by authoritarian leaders to covertly surveil and invisibly sabotage entities they deem political threats. After FinFisher, Hacking Team, and NSO Group, Cyberbit is the fourth vendor of nation-state spyware whose tools we have seen abused, and the second based in Israel.  Cyberbit’s PSS is also not the first spyware that Ethiopia has abused outside of its borders: in 2015, we discovered that Ethiopia’s Information Network Security Agency (INSA) was using Hacking Team’s RCS spyware to target US-based journalists at the Ethiopian Satellite Television Service (ESAT). Ethiopia has also previously targeted dissidents using FinFisher’s FinSpy spyware.

Citizen Lab has published a companion post outlining some of the legal and regulatory issues raised by this investigation. We also sent letters to Cyberbit and Adobe concerning the misuse of their respective products. Cyberbit responded on December 5, 2017, stating in part: “we appreciate your concern and query and we are addressing it subject to the legal and contractual confidentiality obligations Cyberbit Solutions is bound by.” Adobe responded on December 6, 2017, stating in part: “we have taken steps to swiftly address this issue, including but not limited to contacting Cyberbit and other relevant service providers.”

2. Background

2.1. Oromo Protests and Diaspora Media Outlets

Largely peaceful protests erupted in the Ethiopian state of Oromia in November 2015, in response to a government decision to pursue a development project involving the razing of a forest and football field. Protesters coalesced around opposition to a larger plan, the Addis Ababa Master Plan, which they feared would displace some of the 2 million Oromo residents living around Addis Ababa. The government labeled the protesters terrorists and responded with lethal force and arbitrary arrests. Over the next year, security forces killed over 1000 people, many of them from Oromia, during anti-government protests. This culminated in a state of emergency that was called in October 2016 that lasted over 10 months.

Oromia Media Network (OMN) is a US-based media channel that describes itself as an “independent, nonpartisan and nonprofit news enterprise whose mission is to produce original and citizen-driven reporting on Oromia, the largest and most populous state in Ethiopia.” OMN broadcasts via satellite, and also has an Internet and social media presence. According to Human Rights Watch, OMN “played a key role in disseminating information throughout Oromia during the protests.” The government has “reportedly jammed OMN 15 times since it began operations in 2014” and arrested individuals for providing information to OMN or displaying the channel in their businesses.

2.2. Cyberbit and PSS

Cyberbit is an Israel-based cyber security company and a wholly-owned subsidiary of Israeli defense and homeland security manufacturer and contractor Elbit Systems. Cyberbit was established in 2015 “in order to consolidate Elbit Systems’ activities relating to the Cyber Intelligence and Cyber Security markets.” Cyberbit merged with the NICE Cyber and Intelligence Division in 2015 after Elbit acquired that entity for approximately $158 million, with Cyberbit reportedly taking on the division’s employees. Elbit had previously acquired C4 Security in June 2011 for $10.9 million; C4 described itself as “specializ[ing] in information warfare, SCADA and military C&C systems security.” According to one employee’s LinkedIn page, C4 also developed a product called “PSS Surveillance System,” billed as a “solution[] for intelligence and law enforcement agencies.” Cyberbit marketing materials[1] refer to what appears to be the same system: “CYBERBIT PC Surveillance System (PSS).” PSS is also referenced on Elbit’s website as a solution “for collection from personal computers.” Elbit reportedly will be reorganizing Cyberbit, effective as of 2018, to separate its defense and commercial businesses, with Cyberbit continuing to operate the “C4i division and commercial cyber business.” Elbit’s major subsidiaries are located in Israel and the United States, and Elbit is listed on the NASDAQ and the Tel Aviv Stock Exchange.


Figure 3: Screenshot of PSS Console (Source: Cyberbit Marketing Materials).

Cyberbit is the second Israel-based nation-state spyware vendor we have identified and analyzed, the other being NSO Group. The two companies operate in the same market and have even been connected with the same clients. In an extradition request for former Panamanian President Martinelli, Panama alleged that Martinelli had directed the purchase of two spyware products: PSS and NSO Group’s Pegasus. Additionally, a leaked Hacking Team email about NSO claims that: “NSO only has mobile agents … Apparently the pc part is handled by another company, PSS.”

Cyberbit describes PSS as “a comprehensive solution for monitoring and extracting information from remote PCs.” As is standard in the marketing materials for spyware companies, Cyberbit represents that their design “eliminat[es] the possibility that the operation will be traced back to the origin.”


Figure 4: Data exfiltrated by PSS (Source: Cyberbit Marketing Materials).

Cyberbit says that PSS “helps LEAs and intelligence organizations to reduce crime, prevent terrorism and maintain public safety by gaining access, monitoring, extracting and analyzing information from remote PCs.”  Information that PSS can monitor and extract includes “VoIP calls, files, emails, audio recordings, keylogs and virtually any information available on the target device.”

3. Targeting of Jawar Mohammed

Jawar Mohammed is the Executive Director of the Oromia Media Network (OMN). He is also a prolific activist, with more than 1.2 million followers on Facebook. October 2, 2016 was the annual Irreecha cultural festival, the most important Oromo cultural festival. Millions of people each year gather at the festival site in Bishoftu, near Addis Ababa. In 2016, “scores of people” died at the festival “following a stampede triggered by security forces’ use of teargas and discharge of firearms in response to an increasingly restive crowd.” Jawar was active at the time on social media in stoking the passions of Oromo on the ground, circulating both verified and unverified information. On October 4, 2016, while in Minneapolis, USA, Jawar received the email in Figure 5.  He forwarded the email to Citizen Lab for analysis.

From: sbo radio <sbo.radio88[@]gmail.com>
Date: Tue, 4 Oct 2016 16:50:13 +0300
Subject: Fw: Confidential video made public

What do you think of this video ? In case you don’t have the right version of adobe flash and can’t watch the video, you can get the latest version of Adobe flash from Here
http://getadobeplayer[.]com/flashplayer/download/index7371.html

———- Forwarded message ———-
From: sbo radio <sbo.radio88[@]gmail.com>
Date: Tue, Oct 10, 2014 at 4:23 PM
Subject: Video hints Eritrea and Ethiopia war is highly likely to continue

Dear Excellencies,

Video : Eritrea and Ethiopia war likely to continue
http://www.eastafro[.]net/eritrea-ethiopia-border-clash-video.html

regards,
Sbo Radio
With kind regards (original sign-off in German: Mit freundlichen Grüßen)

Figure 5: An email sent to Jawar on October 4, 2016. The sender most likely crafted the email to make it appear that this was a forwarded message.

The site eastafro[.]net appears to impersonate the (legitimate) Eritrean video website eastafro.com. When a target clicks on an operator-generated link to eastafro[.]net, JavaScript on the site checks to see whether the target is using Windows and whether their Adobe Flash Player is up to date. If the script detects a Windows user with an out-of-date Flash Player, it displays a message asking the user to update their Flash Player. If clicked, or after 15 seconds, the user is redirected to a page on getadobeplayer[.]com, which offers the user a real Flash Player update bundled with spyware.

Figure 6: Message displayed when a target clicks on a link to eastafro[.]net.

If the user downloads and installs the malicious Flash update, their computer is infected. It is clear that this is a targeted attack: if a user simply types in eastafro[.]net into their browser’s address bar, they are redirected to the legitimate site, eastafro.com. If a user does the same with getadobeplayer[.]com, they are served a “403 Forbidden” message. Both sites have robots.txt files instructing search engines not to crawl them. Access to the spyware is granted only if the user clicks on a link sent by the operator.

In all, Jawar received eleven emails between 5/30/2016 and 10/13/2016, and one more than a year later on 11/22/2017. Each email contained links to what were purportedly videos on eastafro[.]net, or Adobe Flash Player updates on getadobeplayer[.]com. The 11/22/2017 email contained a link to eastafro[.]net that asked the target to install “Adobe’s PdfWriter,” a fictitious product. The download contained the same spyware as the malicious Adobe Flash Player updates, but was packaged with CutePDF Writer, “a proprietary Portable Document Format converter and editor for Microsoft Windows developed by Acro Software,” with no connection to Adobe.


Figure 7: “Adobe PdfWriter” Installation Prompt.

In many cases, the operators appear to have registered their own accounts to send the infection attempts. However, the email address sbo.radio88[@]gmail.com used by operators to target Jawar is associated with the radio station of the Oromo Liberation Front (OLF). The account may have been compromised.

Table 1: Malicious emails received by Jawar.

Date Subject Sender
5/30/2016 Ethiopia Struggling with inside Challenges! eliassamare[@]gmail.com
6/15/2016 Tsorona Conflict Video! eliassamare[@]gmail.com
6/29/2016 UN Report and Diaspora Reaction! eliassamare[@]gmail.com
8/4/2016 Ethiopia and Current Options! eliassamare[@]gmail.com
8/15/2016 Fwd: Triggering Ethiopia Protests! eliassamare[@]gmail.com
9/5/2016 Saudi-Iran and the Red Sea! eliassamare[@]gmail.com
9/6/2016 Congrats – የኢሳት ፍሬዎች wadewadejoe[@]gmail.com
9/22/2016 Is Funding Ethiopia the Right time Now? eliassamare[@]gmail.com
10/4/2016 Fw: Confidential video made public sbo.radio88[@]gmail.com
10/10/2016 Egypt-Ethiopia new tension! awetnaeyu[@]gmail.com
10/13/2016 Confidential Videos made public wadewadejoe[@]gmail.com
11/22/2017 Gov official interrogated following leakage of national security meeting minutes lekanuguse2014[@]gmail.com

The Ethiopian Government charged Jawar with terrorism in February 2017 under the criminal code; Jawar and OMN denied all charges.

4. Investigation to Find Additional Targets

We set out to find additional targets. We conducted targeting testing of members of the Oromo community using Himaya, our email scanning tool, to determine whether they had received any similar malicious messages. We also found a public logfile on the spyware’s C&C server (Section 5.2); the logfile listed IP addresses of infected devices and we were able to identify additional victims based on their IP.

4.1. Other Targets

Etana Habte is a PhD student at SOAS University of London. He is a frequent commentator on Ethiopian issues and appears regularly on OMN.

Table 2: Malicious emails received by Etana.

Date Subject Sender
12/9/2016 Let’s stop EU & the World Bank from funding $500 m to Ethiopia shigut.gelleta[@]gmail.com
1/11/2017 Fwd: MONOSANTO (A multinational company)’s plan on Oromia networkoromostudies2015[@]gmail.com

The address shigut.gelleta@gmail.com appears to be an account created by attackers designed to impersonate Shigut Geleta, a member of the OLF.

Dr. Henok Gabisa is a Visiting Academic Fellow who teaches at Washington and Lee University School of Law and is the founder of the Association of Oromo Public Defenders (Public Interest Lawyers Association) in Oromia.

Table 3: Malicious emails received by Henok.

Date Subject Sender
3/6/2017 Why did MONOSANTO target the Oromiya region? networkoromostudies2015[@]gmail.com
3/13/2017 Democracy in Ethiopia: Can it be saved? networkoromostudies2015[@]gmail.com

Bill Marczak is a researcher at Citizen Lab and an author of this report. Marczak was targeted after he asked another target to forward an email sent by operators. At the time, the target’s email account was compromised (the target had been previously infected with this spyware).  On March 29, 2017, while in San Francisco, USA, Marczak received a message entitled “Martin Plaut and Ethiopia’s politics of famine,” from networkoromostudies2015[@]gmail.com. The email contained a link to eastafro[.]net.


Figure 8: Message received by Citizen Lab Senior Research Fellow Bill Marczak. The use of the Comic Sans font is due to the attacker’s font selection.

Other Targets: Several malicious emails we found were sent to multiple recipients, according to their headers. We found 39 additional email addresses of targets using this method; at least 12 addresses appear to be linked to targets active on Oromo issues, or working for Oromo groups.

4.2. Logfile Analysis

Peculiarly, we found a public logfile on the spyware’s C&C server; the logfile recorded activity that allowed us to geolocate (or in some cases, identify) victims. We analyzed more than a year of logs showing victim (and operator) activity. Each logfile entry contains a unique identifier (a GUID) associated with the infection, a value indicating whether the entry records victim or operator activity, the IP address that the infected device (or operator) connected to the C&C server from, and finally a timestamp showing when the communication took place (for more details on the logfile, see Section 4.3). The format of the logfile allowed us to track infections as they moved between different IP addresses, such as when an infected target carried their laptop between home and work, or while traveling.

During more than a year of monitoring the server’s logfiles, we observed 67 different GUIDs.  All infections were operated by the same operator, who only ever used one IP address, which belongs to a satellite connection (except for a three hour period on a single day when the operator’s activity “failed over” to two other IP addresses, one address in Ethiopia and one VPN, perhaps due to transient satellite connection failure). We identified 11 of the 67 GUIDs as likely resulting from testing by the operator, or execution by researchers, based on their apparent short duration. Further, we noted that some GUIDs likely referenced the same infected device, as they represented consecutive, non-overlapping infections whose IP addresses corresponded with the same Internet Service Provider (ISP). This was the case for two GUIDs in the UK, two in South Sudan, and 12 in Uganda.

We arrived at 43 GUIDs that we believe represent distinct infected devices. We then sought to geolocate each infection to a country. We first ran the MaxMind GeoLite 2 Country database on each IP and associated a set of countries with each infection. For each infection that had only one country associated with it, we examined a small number of IP addresses from the infection, to see whether those IPs looked like they were actually in that country, or whether geolocation may have been incorrect due to the IP being associated with a VPN or satellite connection.

For infections that MaxMind associated with multiple countries, we determined the dominant country, based on the country with the largest number of logfile entries for that infection. For the dominant country, we checked a small number of IP addresses to make sure the geolocation was correct. For the other countries, we checked each IP in an attempt to eliminate incorrect geolocation. We noted four infections that predominantly connected from satellite connections, which MaxMind geolocated to UK or UAE; we changed the geolocation of these devices to Eritrea, as the infections either “failed over” to IPs registered to EriTel, or shared the same satellite IP address as other infections that “failed over” to EriTel IPs.

Table 4: Number of infections we geolocated to each country, for countries where we geolocated more than one infection.

Country # Infected Devices
Eritrea 7
Canada 6
Germany 6
Australia 4
USA 4
South Africa 2

Other countries in which we saw only a single infected device were: Belgium, Egypt, Ethiopia, UK, India, Italy, Japan, Kenya, Norway, Qatar, Rwanda, South Sudan, Uganda, and Yemen.

After we eliminated VPN IPs, and geolocated the four infections that predominantly connected from satellite connections, we found that 40 of 43 infections only ever communicated from a single country. The remaining three devices appear to have travelled between several countries. The three infections that traveled internationally are as follows:

  • A device that twice travelled from Eritrea (via Germany) to the United Nations in Geneva.  We geolocated this device to Eritrea.
  • A device that predominantly connected from the University of Tsukuba in Japan that travelled to Eritrea. We geolocated this device to Japan.
  • A device that predominantly connected from York University in Canada that travelled to Eritrea. We geolocated this device to Canada.

We were able to trace six of the infections (five in Eritrea, one abroad) to Eritrean government agencies or companies, suggesting that operators are likely targeting members of the Eritrean government in addition to Ethiopian dissidents.

4.3. Other Attacker Sites

During our analysis, we identified two other websites sharing the same IP address as getadobeplayer[.]com, which also appear to have been used by the same attackers to target victims with the same spyware: diretube.co[.]uk (impersonating diretube[.]com, an Ethiopian video site), and meskereme[.]net (impersonating meskerem[.]net, an Eritrean opposition website).

The diretube.co[.]uk site used the same Adobe Flash update ploy to direct users to malware on getadobeplayer[.]com, whereas the meskereme[.]net site displays a message saying “Problem reading Tigrinya? Install these fonts,” with links to the fonts bundled with spyware.  The legitimate website, meskerem[.]net displays the same message, but links to fonts without the spyware.

5. Attribution to Cyberbit and Ethiopia

This section describes how we attributed the spyware to Cyberbit and Ethiopia.

5.1. Digital Signature Points to Cyberbit

By monitoring getadobeplayer[.]com, we found and analyzed five samples of the spyware as it was updated over time.

Table 5: The samples from getadobeplayer[.]com that we analyzed.

MD5 Name
568d8c43815fa9608974071c49d68232 flashplayer20_a_install.exe
80b7121c4ecac1c321ca2e3f507104c2 flashplayer21_xa_install.exe
8d6ce1a256acf608d82db6539bf73ae7 flashplayer22_xa_install.exe
840c4299f9cd5d4df46ee708c2c8247c flashplayer23_xa_install.exe
961730964fd76c93603fb8f0d445c6f2 flashplayer24_xa_install.exe

Each sample communicates with two command and control (C&C) servers: time-local[.]com and time-local[.]net.

We found a structurally similar sample (see Section 7 for details on structural similarities) in VirusTotal:

MD5: 376f28fb0aa650d6220a9d722cdb108d
SHA1: c7b4b97369a2ca77e916d5175d162dc2b823763b
SHA256: c76d2a8c1c8865b1aa6512e13b77cbc7446022b7be3378f7233c5ca4a5e58116

That sample communicated with a C&C server at the following URL: pssts1.nozonenet[.]com/ts8/ts8.php (note the use of “PSS” in the URL). The sample also drops an EXE file containing a digital signature (valid as of the date submitted to VirusTotal) produced by a certificate with the following details:

CN = C4 Security
O = C4 Security
STREET = 13 Noach Mozes St
L = Tel aviv
S = Gush Dan
PostalCode = 67442
C = IL
RFC822 Name=tal.barash@c4-security.com

Note that c4-security.com was the official website of C4 Security, according to a brochure posted on the website of the Israeli Export Institute.

5.2. Public Logfile Analysis Points to Ethiopia and Cyberbit

While monitoring additional PSS C&C servers that we discovered during scanning (Section 6.1), we found that one of these servers temporarily exposed a directory listing in response to a normal GET / HTTP/1.1 request (Figure 9). The directory listing contained the text: “Apache/2.4.7 (Ubuntu) Server at cyberbitc[.]com Port 80,” indicating that the server was associated with Cyberbit. The website cyberbitc[.]com is owned by Cyberbit and was used by Cyberbit before they acquired cyberbit[.]com in March 2017.[2]


Figure 9: Directory listing on one of the servers that earlier matched our fingerprint.

This directory listing also revealed the existence of several files, including a file called rec.dat, which at first glance we noticed was encoded in binary format. We suspected that rec.dat might be a logfile, as it appeared to be constantly updated on the C&C servers. We noticed that rec.dat existed on all of the C&C servers we detected in our scanning and were able to test (Section 6.1), including on time-local[.]com and time-local[.]net, the C&C servers associated with the spyware samples sent to Oromo targets.

5.2.1. Logfile Analysis Shows Ethiopian Operator

To verify our logfile hypothesis, we performed a test infection of a virtual machine using one of the samples sent to Oromo targets and we allowed the virtual machine to communicate with the C&C server. The traffic comprised HTTP POST requests (Section 7.7), each of which contained an agentid, a GUID initially {00000000-0000-0000-0000-000000000000} and later nonzero.

After the infection, we downloaded rec.dat and found that it contained a series of records, several with our IP address, and our agentid GUID, in binary form. Each record of the logfile is delimited by the string \x41\x41\x41 (‘AAA’) and can be parsed with the following regular expression:

'(.{4})\x00\x00(.)(.{4})(.{16})AAA'

The first group of four bytes is a UNIX timestamp, the second group of 1 byte is a type value (which, in our testing was always 2, 17, 21, 33, or 37), the third group of 4 bytes is an IP address, and the fourth group of 16 bytes is a GUID. The file appears to be a circular (i.e., size-capped) logfile stored in binary format whose maximum size is defined in config.ini to be 10MB. Old entries are removed from the front of the file as new entries are written to the end.

Peculiarly, we noticed additional entries in rec.dat with our GUID but with a different IP address, 207.226.46.xxx. We noticed that 207.226.46.xxx was also associated with every other GUID in rec.dat. We determined that this IP address is associated with a satellite connection.

Over a period of more than a year, we downloaded and analyzed this file at regular intervals, obtaining a total of 388 rec.dat samples from each of time-local[.]com and time-local[.]net (we also began pulling samples of rec.dat from new servers we detected in scanning). Our rec.dat files from time-local[.]com contain more than 32 million entries (more than 28 million entries are operator interactions and approximately 4 million are victim interactions).

In all of our rec.dat samples from time-local[.]com and time-local[.]net, we noted that entries in the logfile for all GUIDs with types 2, 21, and 33 only ever involved the IP address 207.226.46.xxx (except for a brief period of three hours on a single day, where we saw the activity “fail over” between 207.226.46.xxx and two other IP addresses, one VPN address, and one address in Ethiopia). Thus, we suspect that types 2, 21, and 33 represent interaction by the operator. We suspect that types 17 and 37 correspond to interactions by infected devices.
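To make the record layout and the operator/victim split concrete, here is an added Python parser for rec.dat (our own example, not Citizen Lab's tooling) that applies the regular expression given in Section 5.2.1 and then classifies entries by the type values interpreted above. The report does not state the byte order of the timestamp, IP or GUID, so little-endian, network order and Windows GUID layout are assumed; the sample bytes are constructed.

```python
from __future__ import annotations

import re
import struct
import uuid
from collections import defaultdict
from dataclasses import dataclass

# Record layout as described in the report: a 4-byte UNIX timestamp, two NUL
# bytes, a 1-byte type, a 4-byte IP address, a 16-byte GUID, then the
# delimiter 'AAA' (\x41\x41\x41). re.DOTALL is required so that a 0x0A byte
# inside a timestamp, IP or GUID is still matched by '.'.
RECORD_RE = re.compile(rb"(.{4})\x00\x00(.)(.{4})(.{16})AAA", re.DOTALL)

# Type values the report associates with operator and infected-device activity.
OPERATOR_TYPES = {2, 21, 33}
VICTIM_TYPES = {17, 37}
NULL_GUID = "00000000-0000-0000-0000-000000000000"


@dataclass(frozen=True)
class LogEntry:
    timestamp: int
    rec_type: int
    ip: str
    guid: str

    @property
    def role(self) -> str:
        if self.rec_type in OPERATOR_TYPES:
            return "operator"
        if self.rec_type in VICTIM_TYPES:
            return "victim"
        return "unknown"


def parse_rec_dat(data: bytes) -> list[LogEntry]:
    """Decode every complete record in a rec.dat blob.

    Assumed (not stated in the report): little-endian timestamp, IP in
    network byte order, GUID in Windows (bytes_le) layout. A partial record
    left at the front of the circular log produces no match and is skipped.
    """
    entries = []
    for ts_raw, type_raw, ip_raw, guid_raw in RECORD_RE.findall(data):
        entries.append(LogEntry(
            timestamp=struct.unpack("<I", ts_raw)[0],
            rec_type=type_raw[0],
            ip=".".join(str(b) for b in ip_raw),
            guid=str(uuid.UUID(bytes_le=guid_raw)),
        ))
    return entries


def build_record(timestamp: int, rec_type: int, ip: str, guid: str) -> bytes:
    """Inverse of the parser; used here only to construct sample data."""
    ip_bytes = bytes(int(o) for o in ip.split("."))
    return (struct.pack("<I", timestamp) + b"\x00\x00" + bytes([rec_type])
            + ip_bytes + uuid.UUID(guid).bytes_le + b"AAA")


def ips_by_guid(entries: list[LogEntry]) -> dict[str, dict[str, set[str]]]:
    """Map each non-null GUID to the IPs seen per role.

    The same GUID appearing from new IPs over time shows an infected laptop
    moving between networks; an IP present in operator-type records for
    every GUID is the operator's connection.
    """
    out: dict = defaultdict(lambda: defaultdict(set))
    for e in entries:
        if e.guid != NULL_GUID:
            out[e.guid][e.role].add(e.ip)
    return {g: dict(v) for g, v in out.items()}


def operator_ips(entries: list[LogEntry]) -> set[str]:
    """IPs that appear in operator-type records for every non-null GUID."""
    sets = [r.get("operator", set()) for r in ips_by_guid(entries).values()]
    return set.intersection(*sets) if sets else set()


# Constructed sample (not real log data): two infections, one operator IP.
VICTIM_A = "11111111-2222-3333-4444-555555555555"
VICTIM_B = "66666666-7777-8888-9999-aaaaaaaaaaaa"
OPERATOR_IP = "203.0.113.9"
SAMPLE_RECORDS = [
    (1476395018, 17, "192.0.2.10", NULL_GUID),    # first check-in, null GUID
    (1476395030, 17, "192.0.2.10", VICTIM_A),
    (1476395040, 2, OPERATOR_IP, VICTIM_A),
    (1476395100, 37, "192.0.2.10", VICTIM_A),
    (1476481500, 17, "198.51.100.7", VICTIM_A),   # same device, new network
    (1476481510, 21, OPERATOR_IP, VICTIM_B),
    (1476481520, 37, "198.51.100.44", VICTIM_B),
]
# Simulate the circular log: the oldest record has been partially overwritten.
SAMPLE_REC_DAT = (build_record(1476300000, 37, "192.0.2.99", VICTIM_B)[-10:]
                  + b"".join(build_record(*r) for r in SAMPLE_RECORDS))

if __name__ == "__main__":
    for entry in parse_rec_dat(SAMPLE_REC_DAT):
        print(entry.timestamp, entry.role, entry.ip, entry.guid)
    print("operator IPs:", operator_ips(parse_rec_dat(SAMPLE_REC_DAT)))
```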

Table 6: IP addresses that the Ethiopian operator connected from.

IP Provider
207.226.46.xxx Satellite Connection
197.156.86.xxx Ethio Telecom
192.186.133.xxx CyberGhost VPN

That the attacker’s activity “failed over” between their satellite IP and an Ethio Telecom address suggests that the operator is inside Ethiopia.

5.2.2. Thirteen Servers Show a Cyberbit Nexus

Our scanning found 15 PSS C&C servers in all. Of those, two were the Ethiopia servers. Of the remaining 13 we found, we suspect all are operated by Cyberbit, perhaps as demonstration or development servers. Ten of the servers’ logfiles included the IP address 37.142.120.xxx, which is pointed to by a subdomain of cyberbit[.]net. Two other servers’ logfiles included the IP address 64.251.13.xxx, which also appeared in the logfile of one of the seven servers, as an operator of infections connecting back from 37.142.13.xxx, an IP address pointed to by a subdomain of cyberbit[.]net.

One of the servers, pupki[.]co, was unavailable when we tried to fetch rec.dat. The domain name was registered to a “Yevgeniy Gavrikov”. An individual by this name currently works as an “integration specialist” for Cyberbit, according to LinkedIn.

6. Other PSS Activity

6.1. Scanning for More C&C Servers

We fingerprinted the command and control (C&C) servers used by the spyware, time-local[.]com and time-local[.]net, based on the fact that they typically returned the following distinctive message upon a normal GET / HTTP/1.1 request:

PHP Configuration Error. Can not fetch xml request string

Over the course of our scanning, we found a total of 15 IP addresses matching this same fingerprint.

Table 7: PSS C&C servers we found in IPv4 scanning.

C&C IP Address Domain Name[3]
51.15.48.xxx
80.82.64.32 time-local[.]com
80.82.67.xxx
80.82.79.44 time-local[.]net
89.248.170.xxx
93.174.89.xxx
93.174.91.xxx
93.174.91.xxx
94.102.53.xxx
94.102.60.xxx
94.102.63.xxx
104.236.23.3 pupki[.]co
111.90.147.xxx
185.125.230.xxx
185.125.230.xxx

6.2. Demonstration Websites

By examining sites on the same IP address as eastafro[.]net, we found two additional sites: one site impersonating Download.com and one website impersonating the homepage of Avira Antivirus. These sites contained versions of several apps bundled with PSS, including Avira Antivirus, Ventrilo, Avast AntiVirus, and CCleaner. The versions of PSS we found talked to C&C servers in the list above that we identified as Cyberbit-run servers.

6.3. Public Logfile Analysis of Other Servers

In addition to the Ethiopia servers (Section 5.2), we analyzed the logfiles of 12 of the 13 other servers. We were able to identify what we believe are several product demonstrations to various clients around the world. Most of the demonstrations show similar patterns: activity during business hours from IP addresses that appear to belong to potential clients and activity off-hours at IP addresses that appear to belong to hotels. In a few cases, the activity is preceded or followed by activity from what appears to be airport Wi-Fi access points.


Figure 10: Cyberbit product demonstrations suggested by C&C logfiles.

In our analysis here, we introduce a notion of a period of activity to try and abstract away gaps between logfile entries that may be uninteresting. We say that a spyware infection is active between two logfile entries (we only include activity from the infected device here, i.e., types 17 and 37) if there is no more than an hour in between the entries. We omit periods of activity that are less than one minute from our consideration (except if they provide evidence that the infected device has moved). In each country case we present here, we are listing all the activity we found across the nine Cyberbit-operated C&C servers (perhaps excluding periods of activity less than a minute).
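As an added example (not part of the report), the period-of-activity rule described above implemented in Python over a constructed set of logfile entries for one GUID. The one-hour gap, the one-minute minimum and the reading that a short period on a previously unseen IP counts as evidence of movement are taken as stated; the fixed UTC+7 offset is an assumption standing in for the country's local zone.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

VICTIM_TYPES = {17, 37}  # infected-device records; operator types are ignored
MAX_GAP = 3600           # a silence longer than one hour ends a period
MIN_PERIOD = 60          # shorter periods are dropped unless they show movement

# Assumption: fixed UTC+7 offset standing in for the country's local zone.
# For zones with DST, zoneinfo.ZoneInfo("Region/City") would replace this.
LOCAL_TZ = timezone(timedelta(hours=7))


@dataclass
class Period:
    start: int
    end: int
    ips: set = field(default_factory=set)

    @property
    def duration(self) -> int:
        return self.end - self.start

    def duration_hms(self) -> str:
        h, rem = divmod(self.duration, 3600)
        m, s = divmod(rem, 60)
        return f"{h}:{m:02d}:{s:02d}"

    def local_range(self) -> tuple[str, str]:
        fmt = "%Y-%m-%d %H:%M:%S"
        return (datetime.fromtimestamp(self.start, LOCAL_TZ).strftime(fmt),
                datetime.fromtimestamp(self.end, LOCAL_TZ).strftime(fmt))


def activity_periods(entries, max_gap=MAX_GAP, min_period=MIN_PERIOD):
    """Segment (timestamp, rec_type, ip) entries of one GUID into periods.

    Consecutive victim-type entries no more than max_gap seconds apart form
    one period. A period shorter than min_period is kept only if it contains
    an IP absent from the preceding period (evidence the device moved).
    """
    victim = sorted((ts, ip) for ts, rec_type, ip in entries
                    if rec_type in VICTIM_TYPES)
    raw: list[Period] = []
    for ts, ip in victim:
        if raw and ts - raw[-1].end <= max_gap:
            raw[-1].end = ts
            raw[-1].ips.add(ip)
        else:
            raw.append(Period(ts, ts, {ip}))
    kept, prev_ips = [], set()
    for p in raw:
        moved = bool(p.ips - prev_ips)
        if p.duration >= min_period or moved:
            kept.append(p)
        prev_ips = p.ips
    return kept


def local_ts(y, mo, d, h, mi, s) -> int:
    """UNIX timestamp of a wall-clock time in LOCAL_TZ (sample construction)."""
    return int(datetime(y, mo, d, h, mi, s, tzinfo=LOCAL_TZ).timestamp())


# Constructed sample for one infection on one demo day (not real data).
CLIENT, AIRPORT, HOTEL = "203.0.113.50", "198.51.100.9", "192.0.2.77"
OPERATOR = "203.0.113.9"
SAMPLE_ENTRIES = [
    (local_ts(2016, 3, 1, 9, 22, 17), 17, CLIENT),
    (local_ts(2016, 3, 1, 9, 30, 0), 2, OPERATOR),   # operator record, ignored
    (local_ts(2016, 3, 1, 9, 40, 0), 37, CLIENT),
    (local_ts(2016, 3, 1, 10, 7, 5), 17, CLIENT),
    (local_ts(2016, 3, 1, 12, 0, 0), 17, CLIENT),    # 20 s blip, same IP: dropped
    (local_ts(2016, 3, 1, 12, 0, 20), 37, CLIENT),
    (local_ts(2016, 3, 1, 14, 52, 10), 17, CLIENT),
    (local_ts(2016, 3, 1, 15, 10, 0), 37, CLIENT),
    (local_ts(2016, 3, 1, 15, 38, 13), 17, CLIENT),
    (local_ts(2016, 3, 1, 19, 30, 0), 17, AIRPORT),  # 30 s blip, new IP: kept
    (local_ts(2016, 3, 1, 19, 30, 30), 37, AIRPORT),
    (local_ts(2016, 3, 1, 21, 0, 0), 17, HOTEL),
    (local_ts(2016, 3, 1, 21, 50, 0), 37, HOTEL),
    (local_ts(2016, 3, 1, 22, 40, 0), 37, HOTEL),
    (local_ts(2016, 3, 1, 23, 15, 0), 17, HOTEL),
]


def demo_table(entries=SAMPLE_ENTRIES):
    """Rows in the shape of the report's tables: #, start, end, duration, IPs."""
    rows = []
    for i, p in enumerate(activity_periods(entries), 1):
        start, end = p.local_range()
        rows.append((i, start, end, p.duration_hms(), sorted(p.ips)))
    return rows


if __name__ == "__main__":
    for row in demo_table():
        print(*row, sep="  ")
```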

6.3.1. Timeline of Suspected Demonstrations

3/2016: Thailand (2 days). We found infections in Thailand from the IP 202.29.97.X, in AS4621, which appears to be an ASN used by various Thai universities. Tracerouting to 202.29.97.X yields the hop (royal-thai-army-to-902-1-5-gi-09-cr-pyt.uni.net.th). The IPs 202.29.97.(X-3) and 202.29.97.(X-1) return a TLS certificate whose CN is a subdomain of signalschool[.]net, which is registered to the Royal Thai Army’s Signal School. We did note that 202.29.97.X also appears to be a VPN. Nevertheless, it seems that the IP is under the control of the Royal Thai Army. We also observed each infection changing between several IPs that appear to belong to various mobile data providers.

The table below lists periods of activity for each infection; the first column (#) indicates the number of the infection; the second and third columns provide the minimum and maximum date and time of the period of activity (in the country’s local time, accounting for DST); the fourth column provides the duration of the period of activity (H:MM:SS); and the fifth column lists the location where the activity took place (or the likely identity of the agency receiving the demonstration).

Table 8: March 2016 suspected demo to Royal Thai Army.

# Activity Start (Local) Activity End (Local) Duration Location
1 Day 1 09:22:17 Day 1 10:07:05 0:44:48 Royal Thai Army
2 Day 1 14:52:10 Day 1 15:38:13 0:46:03 Royal Thai Army
3 Day 2 14:45:51 Day 2 17:01:11 2:15:20 Royal Thai Army

3/2016: Uzbekistan (3 days). We found four infections in Uzbekistan. The first two were from an IP address pointed to by a subdomain of rdhotel[.]uz, which is registered by an individual who is listed on LinkedIn as the manager of the Radisson Blu in Tashkent. The latter two were from an IP address linked to Uzbekistan’s National Security Service by the leaked Hacking Team emails.

Table 9: March 2016 suspected demo to Uzbekistan National Security Service.

# Activity Start (Local) Activity End (Local) Duration Location
1 Day 1 23:26:52 Day 2 00:10:00 0:43:08 Radisson Blu Tashkent
2 Day 2 08:46:20 Day 2 09:06:36 0:20:16 Radisson Blu Tashkent
3 Day 2 15:40:02 Day 2 15:45:52 0:05:50 National Security Service
3 Day 2 17:16:32 Day 2 18:24:42 1:08:10 National Security Service
4 Day 3 12:09:17 Day 3 12:41:35 0:32:18 National Security Service
4 Day 3 14:27:04 Day 3 14:53:39 0:26:35 National Security Service

10/2016: France (1 day). We found two infections in France on the same day in October 2016. The first appeared to be from an IP address associated with the airport Wi-Fi at Paris’s Charles De Gaulle (CDG) airport. The second was from what appeared to be a landline IP address in Paris, which we could not attribute.

Table 10: October 2016 suspected demo to unknown clients in France.

# Activity Start (Local) Activity End (Local) Duration Location
1 Day 1 11:19:15 Day 1 11:24:04 0:04:49 CDG Airport Wi-Fi
2 Day 1 15:24:55 Day 1 16:08:03 0:43:08 86.245.198.xxx

11/2016: Vietnam (2 days). We found three infections in Vietnam. One was linked to an IP address that is numerically adjacent to another IP address that returns a web interface for an “HP MSM760 Controller” that displays the following information:

System name: Hilton Gardent Inn-HANOP
Location: Hanoi

We suspect that this activity is associated with the Hilton Garden Inn Hotel in Hanoi. The other activity appears to be from mobile broadband IP addresses; the identity of the potential client is not indicated by the data.

Table 11: November 2016 suspected demo to unknown clients in Vietnam.

# Activity Start (Local) Activity End (Local) Duration Location
1 Day 1 16:34:36 Day 1 18:52:09 2:17:33 Hilton Garden Inn Hanoi
1 Day 1 18:52:48 Day 1 19:01:12 0:08:24 (Mobile Broadband)
1 Day 1 19:35:50 Day 1 19:41:14 0:05:24 Hilton Garden Inn Hanoi
2 Day 2 11:34:24 Day 2 12:12:26 0:38:02 (Mobile Broadband)
3 Day 2 15:32:15 Day 2 17:13:41 1:41:26 (Mobile Broadband)

12/2016: Kazakhstan (1 day). We found an infection from an IP address registered (according to WHOIS information) to “Saad Hotel LLP” with an address matching the Marriott Hotel in Astana.

Table 12: December 2016 suspected demo to unknown clients in Kazakhstan.

# Activity Start (Local) Activity End (Local) Duration Location
1 Day 1 14:20:07 Day 1 14:35:39 0:15:32 Marriott Hotel Astana

12/2016: Zambia (2 days). Most of the activity was from mobile broadband IPs. However, the second infection was from an IP pointed to by a subdomain of fic.gov[.]zm, the website for Zambia’s Financial Intelligence Centre.

Table 13: December 2016 suspected demo to Zambia Financial Intelligence Centre.

# Activity Start (Local) Activity End (Local) Duration Location
1 Day 1 21:23:21 Day 1 21:57:52 0:34:31 (Mobile Broadband)
1 Day 2 05:20:05 Day 2 05:43:38 0:23:33 (Mobile Broadband)
2 Day 2 11:00:52 Day 2 11:29:37 0:28:45 Financial Intelligence Centre

1/2017: Rwanda (2 days). We could not attribute any of the IPs in Rwanda.

Table 14: January 2017 suspected demo to unknown clients in Rwanda.

# Activity Start (Local) Activity End (Local) Duration Location
1 Day 1 17:10:48 Day 1 18:28:47 1:17:59 (Unknown Loc 1)
1 Day 1 22:49:12 Day 1 23:27:30 0:38:18 (Unknown Loc 2)
2 Day 1 23:30:16 Day 2 04:18:06 4:47:50 (Unknown Loc 2)
3 Day 2 09:14:59 Day 2 09:27:34 0:12:35 (Unknown Loc 1)
4 Day 2 09:54:15 Day 2 10:51:47 0:57:32 (Unknown Loc 1)
5 Day 2 10:01:45 Day 2 12:54:13 2:52:28 (Unknown Loc 1)

2/2017: Philippines (5 days). We found an infection in February 2017 at 116.50.244.15. The IPs 116.50.244.10, 116.50.244.7, and 116.50.244.8 are pointed to by manila.newworldhotels.com or subdomains thereof. 116.50.244.7 is a Cisco VPN login page, which lists the “Group” as “New_World_Makati.” We assume that the Manila New World Makati Hotel is also the owner of 116.50.244.15.

This was followed by an infection one day later at an IP address pointed to by a subdomain of malacanang.gov[.]ph, which is the website of Malacañang Palace. The palace is the primary residence and offices of the Philippine President (Rodrigo Duterte as of the date of the demo). The Malacañang Palace infection was followed by an infection from two other IP addresses in the Philippines.

Table 15: February 2017 suspected demo to Philippines Presidency.

# Activity Start (Local) Activity End (Local) Duration Location
1 Day 1 18:40:13 Day 1 18:55:01 0:14:48 New World Makati Hotel Manila
2 Day 2 12:01:08 Day 2 12:25:50 0:24:42 Malacañang Palace
3 Day 3 11:32:08 Day 3 11:53:13 0:21:05 112.198.102.xxx
3 Day 5 21:52:32 Day 5 22:28:55 0:36:23 202.57.61.xxx

3/2017: Kazakhstan (1 day). We found an infection from an IP address pointed to by kazimpex[.]kz. According to an article on IntelligenceOnline, Kazimpex is said to be closely linked with the “National Security Committee of the Republic of Kazakhstan” (KNB), an intelligence agency in Kazakhstan.

Table 16: March 2017 suspected demo to Kazimpex in Kazakhstan.

# Activity Start (Local) Activity End (Local) Duration Location
1 Day 1 11:29:55 Day 1 12:03:32 0:33:37 Kazimpex

3/2017: Serbia (2 days). We found activity from Serbia on a single IP address registered to “NBGP Properties Doo,” which is the trading name of an apartment complex and business centre located adjacent to the Crowne Plaza in Belgrade. Both NBGP and the Crowne Plaza are owned by Delta Holding, a major Serbian company. It is possible that activity from the IP 79.101.39.101 includes activity from both NBGP and the Crowne Plaza.

Table 17: March 2017 suspected demo to unknown clients in Serbia.

# Activity Start (Local) Activity End (Local) Duration Location
1 Day 1 12:20:42 Day 1 12:55:11 0:34:29 Delta Holding Complex
1 Day 2 00:15:30 Day 2 00:33:06 0:17:36 Delta Holding Complex
2 Day 2 00:51:04 Day 2 01:15:15 0:24:11 Delta Holding Complex
2 Day 2 06:58:53 Day 2 07:41:58 0:43:05 Delta Holding Complex

3/2017: Nigeria (2 days). We found one infection in Nigeria from two IPs. We could not identify the IPs.

Table 18: March 2017 suspected demo to unknown clients in Nigeria.

# Activity Start (Local) Activity End (Local) Duration Location
1 Day 1 16:38:52 Day 1 17:11:57 0:33:05 (Unknown Loc 1)
1 Day 1 18:21:41 Day 1 19:13:24 0:51:43 (Unknown Loc 1)
1 Day 2 10:26:20 Day 2 11:43:28 1:17:08 (Unknown Loc 2)

4/2017: Kazakhstan (1 day). We found an infection from the Marriott hotel in Astana, followed by an infection from an IP pointed to by a subdomain of mcmr[.]kz, the website of “Mobil Realty,” a commercial real estate management company.

Table 19: April 2017 suspected demo to unknown clients in Kazakhstan.

# Activity Start (Local) Activity End (Local) Duration Location
1 Day 1 12:26:04 Day 1 12:37:55 0:11:51 Marriott Hotel Astana
2 Day 1 18:09:50 Day 1 18:21:54 0:12:04 Mobil Realty

6/2017: ISS World Europe (2 days). We saw four infections between 6/14/2017 and 6/15/2017 from IP address 82.142.85.165 in the Czech Republic. ISS World Europe 2017 was held in Prague, Czech Republic from 6/13/2017 – 6/15/2017, and Cyberbit gave a presentation on 6/13/2017, according to the schedule. This same IP address appears in the headers of leaked Hacking Team emails sent by two employees on 6/3/2015 and 6/4/2015. These employees mentioned that they would be attending ISS World Europe on 6/3/2015, held at the same venue as the 2017 ISS World Europe. The IP address 82.142.85.165 may be associated with the Clarion Congress Hotel in Prague (the ISS World Europe venue).

Table 20: June 2017 suspected demo at ISS World Europe in Prague.

# Activity Start (Local) Activity End (Local) Duration Location
1 2017-06-14 13:17:46 2017-06-14 13:52:04 0:34:18 ISS World Europe
3 2017-06-14 16:45:04 2017-06-14 17:27:33 0:42:29 ISS World Europe
3 2017-06-15 07:18:23 2017-06-15 07:19:38 0:01:15 ISS World Europe
4 2017-06-15 08:17:18 2017-06-15 09:36:03 1:18:45 ISS World Europe

6/2017: Zambia (2 days). Most of the activity was from mobile broadband IPs.

Table 21: June 2017 suspected demo to unknown clients in Zambia.

# Activity Start (Local) Activity End (Local) Duration Location
1 Day 1 19:00:54 Day 1 19:38:34 0:37:40 (Mobile Broadband)
2 Day 2 09:44:48 Day 2 10:22:28 0:37:40 (Mobile Broadband)
3 Day 2 14:36:18 Day 2 15:00:00 0:23:42 (Mobile Broadband)
3 Day 2 21:59:59 Day 2 22:19:09 0:19:10 (Mobile Broadband)

11/2017: Philippines (6 days). In November 2017, we observed what appeared to be two different Cyberbit employees travelling together from Israel to the New World Makati Hotel in Manila.

The infections started out in Israel, one on 10/15/2017 and one on 11/2/2017. While in Israel, and during the workweek (Sunday to Thursday), both infections connected from what appears to be Cyberbit’s office (37.142.13.xxx, pointed to by two subdomains of cyberbit[.]net) during business hours (roughly 09:00 – 18:00 local time). After hours, the infections connected back from what we believe are home IP addresses of the employees. Each infection connected back from different home IPs during overlapping periods, which leads us to believe that the two infections represent different Cyberbit employees. It appears that each employee was carrying an infected laptop between home and the office each day (perhaps for spyware development and testing purposes).

After they last connected from Israel, one infection connected 15 hours later from Hong Kong for six minutes, between 14:52 and 14:58 local time. The infections then connected from the Philippines (116.50.244.xxx) as early as 22:41 local time, suggesting a flight itinerary from Tel Aviv to Manila, by way of Hong Kong.

Table 22: Employee #1 traveling from Israel to Manila; suspected demo to unknown clients.

# Activity Start (Local) Activity End (Local) Duration Location
1 Day -1 15:46:24 Day -1 15:46:24 0:00:00 (DSL IP in Israel)
1 Day 1 14:52:15 Day 1 14:58:04 0:05:49 (Hong Kong)
1 Day 1 23:00:03 Day 1 23:56:11 0:56:08 New World Makati Hotel Manila
1 Day 3 20:19:20 Day 3 21:01:09 0:41:49 New World Makati Hotel Manila
1 Day 4 14:42:43 Day 4 14:44:39 0:01:56 (Mobile Broadband)
1 Day 4 16:14:21 Day 4 18:31:40 2:17:19 (Mobile Broadband)
1 Day 4 20:54:47 Day 5 08:00:09 11:05:22 New World Makati Hotel Manila
1 Day 9 09:05:14 Day 9 12:59:54 3:54:40 Cyberbit

Table 23: Employee #2 traveling from Israel to Manila; suspected demo to unknown clients.

# Activity Start (Local) Activity End (Local) Duration Location
2 Day -1 15:00:24 Day -1 17:32:38 2:32:14 (DSL IP in Israel)
2 Day 1 22:41:32 Day 2 00:00:08 1:18:36 New World Makati Hotel Manila
2 Day 3 20:49:07 Day 3 21:07:51 0:18:44 New World Makati Hotel Manila
2 Day 4 10:30:03 Day 4 18:24:22 7:54:19 (Mobile Broadband)
2 Day 5 10:32:42 Day 5 10:56:48 0:24:06 (Mobile Broadband)
2 Day 5 13:04:42 Day 5 15:43:05 2:38:23 (Mobile Broadband)
2 Day 6 15:56:27 Day 6 17:47:18 1:50:51 New World Makati Hotel Manila
2 Day 9 09:13:20 Day 9 18:56:35 9:43:15 Cyberbit

11/2017: Milipol Paris (4 days). From 11/21/2017 – 11/24/2017, we found an infection active from the IP address 185.113.160.20, which appears to be associated with the Paris Nord Villepinte exhibition center. The IP is pointed to by several subdomains of villepinte2017.dynu[.]net and also by pnv.vipnetwork[.]fr. The Milipol Paris 2017 exhibition was held between 11/21 and 11/24 at the Paris Nord Villepinte exhibition center. Thus, it appears that Cyberbit employees were performing demos there.

Table 24: November 2017 suspected demo at Milipol Paris.

# Activity Start (Local) Activity End (Local) Duration Location
3 Day 1 08:15:24 Day 1 09:18:21 1:02:57 Milipol Paris
3 Day 1 10:44:02 Day 1 13:21:09 2:37:07 Milipol Paris
3 Day 1 14:50:25 Day 1 15:32:46 0:42:21 Milipol Paris
3 Day 2 08:29:27 Day 2 17:01:11 8:31:44 Milipol Paris
3 Day 3 08:10:28 Day 3 09:34:09 1:23:41 Milipol Paris
3 Day 3 13:02:05 Day 3 14:59:37 1:57:32 Milipol Paris
3 Day 3 15:43:03 Day 3 17:02:29 1:19:26 Milipol Paris
3 Day 4 08:31:07 Day 4 10:43:35 2:12:28 Milipol Paris

6.3.2. Suspected Researcher Activity

We found several short-lived infections on Cyberbit-operated servers that seem less likely to be purposeful infections and more consistent with activity by cybersecurity researchers or other testing activity. We group activity that is temporally similar below, though it is unclear if this activity is related.

We found one infection in the UK on 11/10/2016 lasting ~15s.

We found one infection from Google on 2/7/2017 (lasting 11m), followed by three infections in Germany on 2/7/2017 and 2/8/2017. In Germany, there was one initial infection 14 minutes after the Google infection, with a single pingback. 2h10m later, there was an infection lasting 1 minute. 13h later, there was an infection with a single pingback.

We found an infection with a single pingback from an IP address in Everett, Washington, USA on 10/17/2017. We found two overlapping infections in Russia on 10/18/2017 (~2m each), followed 20 minutes later by two infections in China, 45 minutes apart (~30s each). We found a ~20s infection in Canada on 10/19/2017.

We found an infection with a single pingback from an IP address registered to Brandon University in Canada on 10/31/2017. We found two infections in Norway on 11/1/2017 (one infection with a single pingback, and one infection 3m30s later lasting for ~20s).

6.3.3. Unexplained Activity

We found several infections on the Cyberbit-operated PSS C&C servers that were long-running, and not from VPN connections or from countries where Cyberbit has a known presence. Thus, this activity did not immediately seem to represent demonstrations or development activity. We found one infection in Iran between 9/20/2016 and 11/22/2016. We found one infection in Canada between 3/7/2017 and 11/22/2017. We found one infection in Finland between 5/26/2017 and 11/28/2017. We found one infection in Indonesia from 10/28/2017 to 11/10/2017. We found one infection in Slovakia from a single IP address active between 11/1/2017 and 12/1/2017. We found one infection in Ethiopia from 10/25/2017 to 12/1/2017, with no known overlap with the Ethiopia client’s IP address space.

6.4. Spoofed Code Signing Certificates?

We identified several cases where we suspect that the spyware operators, or Cyberbit themselves, obtained digital certificates in the names of real companies, including an Israeli intellectual property law firm.

One malicious Adobe Flash executable we found used by the Ethiopian operator was signed by an Authenticode certificate issued by Comodo to an entity named “Flashpoint IP.”

CN = Flashpoint IP
O = Flashpoint IP
STREET = 2nd Raban Gamliel
L = Elad
S = Israel
PostalCode = 40800
C = IL
RFC822 Name=ben.wiseman@flashpoint-ip.com

We found a company called “Flash Point IP,” with the same street address as in the digital certificate, included in the Patent Attorneys Ledger published by Israel’s Ministry of Justice. The website listed by the Ministry of Justice for the firm is flashpointip.com. However, the domain in the certificate’s RFC822 Name appears to be a subtly different lookalike: flashpoint-ip[.]com.

We examined the WHOIS registration of the lookalike domain flashpoint-ip[.]com:

Registrant Name: BEN WISEMAN
Registrant Organization: FLASHPOINT IP LTD
Registrant Street: RABAN GAMLIEL 2
Registrant City: ELAD
Registrant State/Province: SHOMRON
Registrant Postal Code: 40800
Registrant Country: IL
Registrant Phone: +972.525649427
Registrant Email: BENWISEMAN99@GMAIL.COM

The firm’s website, flashpointip.com, has a New York registration address, a different registrant name, and a @bezeqint.net contact address.

We found one additional domain, cd-media4u[.]com, registered with the same phone number as flashpoint-ip[.]com. The WHOIS information is:

Registrant Name: DAN WISEMAN
Registrant Organization: C. D. MEDIA LTD
Registrant Street: BEN YEHUDA 60
Registrant City: TEL AVIV
Registrant State/Province: TEL AVIV
Registrant Postal Code: 6343107
Registrant Country: IL
Registrant Phone: +972.525649427
Registrant Email: DANWISEMAN99@GMAIL.COM

Note the similar names Dan Wiseman and Ben Wiseman and the similar email addresses danwiseman99@gmail.com and benwiseman99@gmail.com. We found one reference to “CD Media Ltd” which appears to be an Israeli software publisher (http://www.cd-media.co.il/).

Given that we found two instances where the same entity (WHOIS phone number +972.525649427) registered what appear to be lookalike domains for two different Israeli companies, it is possible that these certificates may have been improperly obtained. This is not the first instance in which improperly obtained digital certificates may have been used with commercial spyware. Hacking Team appears to have obtained several digital certificates in the names of people whose passport photos appeared on a now-defunct site, thewhistleblowers[.]org.4

We identified two further digital certificates used by the operators, in the names of “Etefaq Consulting Ltd,” and “Emerging European Capital.” These certificates were on samples we downloaded from getadobeplayer[.]com, as well as samples from the Avira Antivirus and Download.com impersonation websites (Section 6.2). Unfortunately, the signatures did not contain the RFC822 Name field, so we do not have any indications as to their legitimacy.

CN = Emerging European Capital
O = Emerging European Capital
STREET = Svaetoplukova 12
L = Bojnice
S = Slovakia
PostalCode = 97201
C = SK

We found what appears to be the website of “Emerging European Capital” (http://ee-cap.com), which is described as a company offering “Private Banking services to High Net Worth Individuals in Central and Eastern Europe.” The address in the digital certificate matches an address listed on the website. The individual mentioned on the website, Martin Masar, appears to be a real individual, and is listed as serving on the Supervisory Board of Petrocommerce Ukraine Bank. However, without more information, we cannot know whether the digital certificate is legitimate or not.

CN = ETEFAQ CONSULTING LIMITED
O = ETEFAQ CONSULTING LIMITED
STREET = 1 MYKONOS STREET
L = NICOSIA
S = NICOSIA
PostalCode = 1045
C = CY

We found an “ETEFAQ CONSULTING LIMITED” in the Cyprus corporate registry (# ΗΕ 329071). However, the registered address did not match the address in the digital certificate. The company’s line of business is unclear, and it appears to maintain a simple (hacked) website with a “Contact Us” form (http://etefaqconsulting.com/).

7. Technical Analysis of the Spyware

Altogether, we analyzed nine samples. This includes the sample from VirusTotal signed by the “C4 Security” certificate (Section 5.1), as well as five samples gathered from getadobeplayer[.]com, and three samples gathered from the Avira Antivirus and Download.com impersonation websites (Section 6.2).

Based on strings found during our analysis of configuration files used by the spyware, these samples cover versions of PSS ranging from v4.3.3 to 6.1.0. Major version changes contain changes to obfuscation techniques, overall structure, and general functionality, while minor version changes seem to contain smaller, less noticeable changes. The following analysis covers the general behavior and characteristics of PSS, with version-specific differences noted where appropriate.

Table 25: Versions of PSS we analyzed

MD5 Source PSS Version
376f28fb0aa650d6220a9d722cdb108d VirusTotal 4.3.3
568d8c43815fa9608974071c49d68232 getadobeplayer[.]com 5.7.5
80b7121c4ecac1c321ca2e3f507104c2 getadobeplayer[.]com 5.1.0
8d6ce1a256acf608d82db6539bf73ae7 getadobeplayer[.]com 5.9.7
840c4299f9cd5d4df46ee708c2c8247c getadobeplayer[.]com 6.0.0
961730964fd76c93603fb8f0d445c6f2 getadobeplayer[.]com 6.0.0
0488cf9c58f895076311bf8e2d93bf63 Avira Antivirus Impersonation Website 6.0.0
ca782d91daea6d67dfc49d6e7baf39b0 Download.com Impersonation Website 6.0.0
f483fe294b4c3af1e3c8163200d60aae Download.com Impersonation Website 6.1.0

7.1. Overview

Overall, the samples we analyzed are made up of four main components: the Agent, the LnkProxy, the Payload DLL, and the PipeServer. The Agent is the main program responsible for providing operators remote access to an infected machine and carries out most activity after infection. If the Agent is not installed with administrator privileges, then the LnkProxy facilitates the replacement of shortcut (lnk) and executable (exe) files with malicious versions that try to trick the user into granting administrator privileges to the Agent. The Payload DLL is a small DLL that is used to infect certain whitelisted DLLs as a persistence mechanism, ensuring that the Agent is running. Finally, the PipeServer is used to coordinate access to global handles and perform network communication.

Each of these four components is packed and stored inside the initial spyware payload. The earliest version we analyzed (4.3.3) stored these files as either plaintext or as zlib compressed data. Later versions added AES-256-CBC encryption and the use of different keys per dropped component for additional obfuscation (Section 7.3).

7.2. Installation and Persistence

Once a victim executes one of the initial payloads (e.g., a fake Adobe Flash update), the spyware unpacks the Agent component (described in Section 7.4) and saves it to %TEMP%\Profile. Then, the spyware checks whether it is running with administrator privileges. If so, it executes the dropped Agent; if not, it unpacks and installs the LnkProxy component (described in Section 7.5) in an attempt to trick the user into granting it administrator privileges.

Once the dropped Agent has been executed with administrator privileges, either via the main installer or by tricking the user via the LnkProxy technique, the Agent unpacks its configuration file into memory. Next, the Agent checks to see if there is already a version of PSS installed on the victim’s system by checking for the existence of the storage directory used by the spyware. Depending on the configuration of the current and previous Agents, the Agent may either replace the existing agent or attempt to upgrade the old version. If PSS is not already installed, then the Agent begins installation.

The Agent creates its main storage directory at %CommonAppData%\Profile. Then, it writes its configuration file into the storage directory, using a name defined in the configuration file (versions 4.x and 5.x use the filename diskdrv.dll, while version 6.x uses igfxcls.cfg). The Agent then copies itself into the storage directory (versions 4.x and 5.x use the filename crisvc.exe for the agent, while version 6.x use the filename igfxcri.exe) while deleting the dropped copy from %TEMP%\Profile.

Next, the Agent unpacks and drops 32- and 64-bit versions of the PipeServer component into the storage directory. These files are named mssvt.dll and mssvt64.dll across all versions of PSS that we have analyzed.

After it has created the necessary files, the spyware sets up its persistence mechanism by infecting copies of certain DLLs on the system with the Payload DLL (which is not saved to disk as a standalone file). The infected copies are placed in the same folder as the executable that will load them, ensuring that the infected DLLs are loaded instead of their legitimate counterparts that may be in other folders (Windows will search the folder containing the application first). The DLLs we saw chosen for infection are related to common web browsers including Chrome, Firefox, and Internet Explorer. Since web browsers are some of the most commonly used applications on computers, these DLLs are a good choice to ensure that the spyware is running most of the time that the target device is being used.

Finally, the spyware initializes the appropriate PipeServer component by creating a new desktop, referred to as a “HiddenDesktop” by the spyware, and launching on it one or more of the EXEs whose DLLs have been replaced with infected versions. When an infected DLL is loaded (Section 7.6), it launches the PipeServer if it is not already running; the PipeServer in turn launches the Agent if it is not already running. The Agent then enters its main command handling loop.

7.3. Obfuscation

The first version of the spyware we analyzed (4.3.3) stored most components as either plaintext data or as zlib compressed binary data. Version 5.x of PSS introduced the additional use of AES-256-CBC encryption for the components. Components obfuscated in this manner contain a short header struct followed by the AES-256-CBC encrypted, zlib compressed data:

struct HEADER {
    char     magic_number[6];
    uint32_t iv;
    uint32_t checksum;
    uint32_t length;
};

In this header struct, magic_number is the signature of a 7z archive [0x37, 0x7a, 0xbc, 0xaf, 0x27, 0x1c], iv is the first 4 bytes of the initialization vector used in the AES cipher, checksum is a CRC32 checksum of the data, and length is the length of the encrypted data. The initialization vector is padded with null bytes to the block length required by AES-256-CBC. Version 6.x added an additional data format for AES-256-CBC encrypted data that omits the magic_number. For all versions, the AES key is hardcoded in the executable performing the decryption. Beginning with version 6.x, the spyware additionally began to obfuscate strings, deobfuscating them only when needed.
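The header layout above, as an added example in Go that is neither Cyberbit's code nor the report's: Pack builds a component in this format and Unpack validates and recovers one, accepting both the 5.x layout with the 7z signature and the 6.x layout without it. Several details the report does not state are assumptions here: little-endian fields, a CRC32 computed over the encrypted bytes (so a checksum mismatch is reported before any decryption), PKCS#7 padding, and a placeholder key in place of the hardcoded one.

```go
package main

import (
	"bytes"
	"compress/zlib"
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
	"fmt"
	"hash/crc32"
	"io"
)

// magic7z is the 7z signature that begins the 5.x header.
var magic7z = []byte{0x37, 0x7a, 0xbc, 0xaf, 0x27, 0x1c}

// key stands in for the AES-256 key hardcoded in the decrypting executable;
// the real key is not reproduced in the report.
var key = bytes.Repeat([]byte{0x42}, 32)

// fullIV expands the four stored IV bytes with null padding to one AES block.
func fullIV(iv4 uint32) []byte {
	iv := make([]byte, aes.BlockSize)
	binary.LittleEndian.PutUint32(iv, iv4)
	return iv
}

// Pack writes the header followed by the AES-256-CBC encryption of the
// zlib-compressed payload. withMagic=false gives the 6.x variant.
// Assumed: little-endian fields, CRC32 over the ciphertext, PKCS#7 padding.
func Pack(plain []byte, iv4 uint32, withMagic bool) []byte {
	var z bytes.Buffer
	zw := zlib.NewWriter(&z)
	zw.Write(plain)
	zw.Close()
	pad := aes.BlockSize - z.Len()%aes.BlockSize
	padded := append(z.Bytes(), bytes.Repeat([]byte{byte(pad)}, pad)...)
	block, _ := aes.NewCipher(key) // key length is fixed at 32 bytes above
	enc := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, fullIV(iv4)).CryptBlocks(enc, padded)
	var out bytes.Buffer
	if withMagic {
		out.Write(magic7z)
	}
	binary.Write(&out, binary.LittleEndian, iv4)
	binary.Write(&out, binary.LittleEndian, crc32.ChecksumIEEE(enc))
	binary.Write(&out, binary.LittleEndian, uint32(len(enc)))
	out.Write(enc)
	return out.Bytes()
}

// Unpack checks the header fields and checksum, then decrypts and inflates
// the component. It accepts both the 5.x (magic) and 6.x (no magic) layouts.
func Unpack(blob []byte) ([]byte, error) {
	off := 0
	if bytes.HasPrefix(blob, magic7z) {
		off = len(magic7z)
	}
	if len(blob) < off+12 {
		return nil, errors.New("truncated header")
	}
	iv4 := binary.LittleEndian.Uint32(blob[off:])
	sum := binary.LittleEndian.Uint32(blob[off+4:])
	n := int(binary.LittleEndian.Uint32(blob[off+8:]))
	body := blob[off+12:]
	if n == 0 || n%aes.BlockSize != 0 || n > len(body) {
		return nil, fmt.Errorf("bad length field %d for %d body bytes", n, len(body))
	}
	enc := body[:n]
	if crc32.ChecksumIEEE(enc) != sum {
		return nil, errors.New("checksum mismatch")
	}
	block, _ := aes.NewCipher(key)
	dec := make([]byte, n)
	cipher.NewCBCDecrypter(block, fullIV(iv4)).CryptBlocks(dec, enc)
	pad := int(dec[n-1])
	if pad == 0 || pad > aes.BlockSize {
		return nil, errors.New("bad padding")
	}
	zr, err := zlib.NewReader(bytes.NewReader(dec[:n-pad]))
	if err != nil {
		return nil, err
	}
	defer zr.Close()
	return io.ReadAll(zr)
}

func main() {
	blob := Pack([]byte("constructed stand-in for a dropped PE file"), 0x01020304, true)
	fmt.Printf("header: % x\n", blob[:18])
	plain, err := Unpack(blob)
	fmt.Printf("recovered %q err=%v\n", plain, err)
}
```

Because only four IV bytes are stored and the rest are null, an analyst who recovers the key from the dropper can decrypt every embedded component directly from the header; the CRC32 is an integrity hint for the loader, not an authentication mechanism.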

Version 4.x drops all of its various components directly to disk in an unpacked form when installed. Starting with version 5.x, the spyware began to drop intermediate loader executables instead of final components. These loader executables store a component, often the Agent, in the same AES-256-CBC encrypted, zlib compressed format as above. When executed, these loaders mimic the Windows executable loader by unpacking their stored payload, mapping the unpacked PE file’s sections into memory, and resolving any imports before jumping to the PE’s entrypoint. This technique of storing the unpacked component only in memory is likely an attempt to evade static, file-based analysis and detection techniques.

Within the Agent component, the configuration file is an SQLite database obfuscated using bzip compression, followed by XOR encryption using both the current and previous bytes, along with one byte from the key. This obfuscation format, and an unusual 36-byte XOR key, the string DC615DA9-94B5-4477-9C33-3A393BC9E63F, are shared across all the samples we analyzed.

7.4. The Agent

The Agent is the central component of the spyware and is responsible for carrying out most of the behavior of PSS. The Agent is a feature-rich spyware capable of a wide range of behaviors. Across all samples we analyzed, we have seen the following capabilities:

  • Audio/Video recording including scheduling recordings for a later time
  • Reading browser history and stored passwords
  • Filesystem operations including creating, deleting, moving, renaming, uploading, and downloading files
  • Editing/Querying registry keys
  • Geolocation based on available wifi networks
  • Accessing Skype databases, call logs, and contacts
  • Listing network connections and devices
  • Starting/Stopping processes
  • Taking screenshots
  • Keylogging
  • Accessing clipboard data
  • Accessing recently used file list

7.5. LnkProxy

The LnkProxy component is only used when the spyware is initially installed without Administrator privileges. In this scenario, the spyware searches through the Windows Desktop, Start Menu, and Quick Launch folders looking for lnk and exe files. Any files it finds are replaced with malicious copies designed to request administrator privileges, launch the legitimate application, and then launch the spyware. This process is designed to trick the user into giving PSS administrator privileges.

The LnkProxy makes a backup of all replaced files, which are restored upon spyware uninstallation or when the user unwittingly grants the spyware administrator privileges.

7.6. Payload DLL

The Payload component of the spyware is a short DLL that is used to infect whitelisted DLLs on the victim’s system as a persistence mechanism. During installation, the spyware searches the victim’s computer for targeted DLLs and for each that it finds it appends the Payload component to the targeted DLL’s .text section. The entrypoint of the DLL is then changed to point to this appended code and the infected file is copied to the same directory as the application that uses the DLL. This ensures that the infected DLL is loaded by the application instead of the original, uninfected version. Figure 11 shows an example of a modified binary infected with the Payload component.


Figure 11: Comparison of entrypoint before and after Payload infection.

The infected DLL starts by checking to ensure that the infected DLL is being loaded by the target program only. It does this by calling the original entrypoint for the infected DLL to get the ImagePathName field of the ProcessParameters struct in the Process Environment Block (PEB). The ImagePathName contains the path of the currently running executable. This is then compared to a hardcoded checksum value stored in the DLL as part of the infection process.

If this check succeeds, the Payload then performs its functions. It first checks to see if the PipeServer is currently loaded. It does this by decrypting an XOR-encrypted string in the DLL containing the location of the PipeServer component, calculating a checksum of this string, and then walking the InMemoryOrder list of loaded modules, checksumming the ImagePathName of each and comparing it to the checksum of the PipeServer’s path. If the PipeServer is not currently loaded, the infected DLL loads the PipeServer component and transfers execution to it.
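An added example, not from the report, of the check a responder can run on a DLL found sitting next to an application executable: parse the PE, find the section that holds the entry point, and compare it with the known-good copy elsewhere on the system for the traits described in this section, namely a code section that grew and an entry point that moved into the appended bytes. The minimal one-section PE that buildDLL emits is constructed test data, and the comparison logic is this example's heuristic, not the spyware's or the report's.

```go
package main

import (
	"bytes"
	"debug/pe"
	"encoding/binary"
	"fmt"
)

// EntryInfo records where a PE's entry point lands.
type EntryInfo struct {
	EntryRVA    uint32
	Section     string
	SectionSize uint32 // VirtualSize of the section holding the entry point
	OffsetInSec uint32 // entry point offset from the start of that section
}

// Inspect parses an in-memory PE image and locates its entry point.
func Inspect(image []byte) (EntryInfo, error) {
	f, err := pe.NewFile(bytes.NewReader(image))
	if err != nil {
		return EntryInfo{}, err
	}
	defer f.Close()
	var ep uint32
	switch oh := f.OptionalHeader.(type) {
	case *pe.OptionalHeader32:
		ep = oh.AddressOfEntryPoint
	case *pe.OptionalHeader64:
		ep = oh.AddressOfEntryPoint
	default:
		return EntryInfo{}, fmt.Errorf("no optional header")
	}
	for _, s := range f.Sections {
		if ep >= s.VirtualAddress && ep < s.VirtualAddress+s.VirtualSize {
			return EntryInfo{ep, s.Name, s.VirtualSize, ep - s.VirtualAddress}, nil
		}
	}
	return EntryInfo{}, fmt.Errorf("entry point %#x lies outside every section", ep)
}

// Compare checks a suspect DLL against a known-good copy: entry point moved,
// code section grew, and the new entry point sits inside the appended bytes.
func Compare(suspect, reference []byte) ([]string, error) {
	s, err := Inspect(suspect)
	if err != nil {
		return nil, err
	}
	r, err := Inspect(reference)
	if err != nil {
		return nil, err
	}
	var findings []string
	if s.EntryRVA != r.EntryRVA {
		findings = append(findings, fmt.Sprintf("entry point moved %#x -> %#x", r.EntryRVA, s.EntryRVA))
	}
	if s.Section == r.Section && s.SectionSize > r.SectionSize {
		findings = append(findings, fmt.Sprintf("%s grew by %d bytes", s.Section, s.SectionSize-r.SectionSize))
		if s.OffsetInSec >= r.SectionSize {
			findings = append(findings, "entry point lies in the appended bytes")
		}
	}
	return findings, nil
}

// buildDLL emits a minimal one-section 32-bit PE as constructed test data (not
// a real DLL): textSize is the .text VirtualSize, entry the entry point RVA.
func buildDLL(textSize, entry uint32) []byte {
	const peOff, textRVA, textRaw = 64, 0x1000, 0x200
	var b bytes.Buffer
	dos := make([]byte, peOff)
	copy(dos, "MZ")
	binary.LittleEndian.PutUint32(dos[0x3c:], peOff)
	b.Write(dos)
	b.WriteString("PE\x00\x00")
	opt := pe.OptionalHeader32{Magic: 0x10b, SizeOfCode: textSize, AddressOfEntryPoint: entry,
		BaseOfCode: textRVA, ImageBase: 0x10000000, SectionAlignment: 0x1000,
		FileAlignment: textRaw, NumberOfRvaAndSizes: 16}
	binary.Write(&b, binary.LittleEndian, pe.FileHeader{Machine: pe.IMAGE_FILE_MACHINE_I386,
		NumberOfSections: 1, SizeOfOptionalHeader: uint16(binary.Size(opt)),
		Characteristics: 0x2102}) // EXECUTABLE_IMAGE | 32BIT_MACHINE | DLL
	binary.Write(&b, binary.LittleEndian, opt)
	sec := pe.SectionHeader32{VirtualSize: textSize, VirtualAddress: textRVA,
		SizeOfRawData: textSize, PointerToRawData: textRaw,
		Characteristics: 0x60000020} // CNT_CODE | MEM_EXECUTE | MEM_READ
	copy(sec.Name[:], ".text")
	binary.Write(&b, binary.LittleEndian, sec)
	b.Write(make([]byte, textRaw-b.Len()))             // pad headers out to the raw data
	b.Write(bytes.Repeat([]byte{0xcc}, int(textSize))) // stand-in for code bytes
	return b.Bytes()
}

func main() {
	clean := buildDLL(0x100, 0x1010)
	infected := buildDLL(0x180, 0x1100) // 0x80 bytes appended, entry moved into them
	findings, err := Compare(infected, clean)
	fmt.Println(findings, err)
}
```

On a live system the reference copy is the DLL the application would otherwise have loaded from its normal location; a DLL that exists only in the application directory, with no counterpart to compare against, is itself worth a closer look given the search-order shadowing described in Section 7.2.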

7.7. PipeServer

The PipeServer component starts by unpacking and loading a small configuration file containing ASCII strings separated by \x00’s that define various config options used by the PipeServer. In version 6.x, this file is zlib compressed and encrypted using AES-256-CBC. After loading the configuration file, the PipeServer creates a series of threads, global events, and mutexes that are used to synchronize actions between components of the spyware, log messages, and communicate with the command and control server. Next, the PipeServer creates a named pipe for communication with running Agent components. Finally, the PipeServer starts an instance of the Agent if one is not already active before entering a main command handling loop. The spyware uses an XML-based networking protocol for command and control communication. Each request and response is sent as a “transaction.” An example of the XML format used is given below.

<?xml version="1.0"?>
<transaction
type="fromagent"
agentid="<ID>"
sn="<NUM>"
crc="<CRC>"
encoding="base64"
encryption="aes-256"
compression="<zip|none>">
<DATA>
</transaction>

DATA is the information to be communicated and is compressed, encrypted, and encoded as described in the response attributes. The AES key used can be either a master key included in the Agent’s configuration or an individual private key created after the malware has been installed and initialized. The master key is hard-coded and is the same across all samples we analyzed.
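To make the envelope concrete, here is an added example in Go (not code from the report or from Cyberbit) that builds a transaction in this format and then validates and unwraps it the way an analyst decoding captured traffic would. The demo key, the random-IV-prefix and PKCS#7 conventions, and reading crc as CRC32 of the cleartext are all assumptions, since the report does not specify them.

```go
package main

import (
	"bytes"
	"compress/zlib"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"encoding/xml"
	"fmt"
	"hash/crc32"
	"io"
)

// Transaction mirrors the envelope attributes shown in the report.
type Transaction struct {
	XMLName     xml.Name `xml:"transaction"`
	Type        string   `xml:"type,attr"`
	AgentID     string   `xml:"agentid,attr"`
	SN          string   `xml:"sn,attr"`
	CRC         string   `xml:"crc,attr"`
	Encoding    string   `xml:"encoding,attr"`
	Encryption  string   `xml:"encryption,attr"`
	Compression string   `xml:"compression,attr"`
	Data        string   `xml:",chardata"`
}

// BuildTransaction wraps cleartext as the report describes: zlib, then AES-256-CBC, then base64.
// IV-prefix, PKCS#7 padding and crc = CRC32 of the cleartext are assumptions not stated in the report.
func BuildTransaction(agentID, sn string, key, data []byte) (string, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return "", err
	}
	var zbuf bytes.Buffer
	w := zlib.NewWriter(&zbuf)
	w.Write(data)
	w.Close()
	n := aes.BlockSize - zbuf.Len()%aes.BlockSize // PKCS#7 pad length, 1..16
	buf := make([]byte, aes.BlockSize)             // random IV goes first
	if _, err = rand.Read(buf); err != nil {
		return "", err
	}
	buf = append(append(buf, zbuf.Bytes()...), bytes.Repeat([]byte{byte(n)}, n)...)
	cipher.NewCBCEncrypter(block, buf[:aes.BlockSize]).CryptBlocks(buf[aes.BlockSize:], buf[aes.BlockSize:])
	out, err := xml.Marshal(Transaction{Type: "fromagent", AgentID: agentID, SN: sn,
		CRC: fmt.Sprintf("%08x", crc32.ChecksumIEEE(data)), Encoding: "base64",
		Encryption: "aes-256", Compression: "zip", Data: base64.StdEncoding.EncodeToString(buf)})
	return xml.Header + string(out), err
}

// decryptCBC undoes BuildTransaction's encryption, rejecting a bad length or bad padding.
func decryptCBC(key, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil || len(blob) < 2*aes.BlockSize || len(blob)%aes.BlockSize != 0 {
		return nil, fmt.Errorf("bad key or ciphertext length %d: %v", len(blob), err)
	}
	out := make([]byte, len(blob)-aes.BlockSize)
	cipher.NewCBCDecrypter(block, blob[:aes.BlockSize]).CryptBlocks(out, blob[aes.BlockSize:])
	n := int(out[len(out)-1])
	if n == 0 || n > aes.BlockSize || bytes.Count(out[len(out)-n:], []byte{byte(n)}) != n {
		return nil, fmt.Errorf("bad padding: wrong key or corrupted data")
	}
	return out[:len(out)-n], nil
}

// ParseTransaction validates the envelope attributes, unwraps DATA and checks
// the CRC. The returned cleartext is only meaningful when err is nil.
func ParseTransaction(doc string, key []byte) (*Transaction, []byte, error) {
	var t Transaction
	if err := xml.Unmarshal([]byte(doc), &t); err != nil {
		return nil, nil, err
	}
	if t.Encoding != "base64" || t.Encryption != "aes-256" || (t.Compression != "zip" && t.Compression != "none") {
		return &t, nil, fmt.Errorf("unsupported envelope %s/%s/%s", t.Encoding, t.Encryption, t.Compression)
	}
	raw, err := base64.StdEncoding.DecodeString(t.Data) // newlines inside DATA are ignored
	if err == nil {
		raw, err = decryptCBC(key, raw)
	}
	if err == nil && t.Compression == "zip" {
		var r io.ReadCloser
		if r, err = zlib.NewReader(bytes.NewReader(raw)); err == nil {
			raw, err = io.ReadAll(r)
		}
	}
	if got := fmt.Sprintf("%08x", crc32.ChecksumIEEE(raw)); err == nil && got != t.CRC {
		err = fmt.Errorf("crc mismatch: header %s, computed %s", t.CRC, got)
	}
	return &t, raw, err
}

func main() {
	key := bytes.Repeat([]byte{0x42}, 32) // constructed demo key, not the real master key
	doc, _ := BuildTransaction("demo-agent", "17", key, []byte("<cmd>getinfo</cmd>"))
	_, data, err := ParseTransaction(doc, key)
	fmt.Printf("%s\n-> %s (err=%v)\n", doc, data, err)
}
```

A tampered crc attribute, an unexpected encoding attribute, or a different key all make ParseTransaction return an error rather than cleartext, which is the behaviour an analyst's decoder needs when the master key assumption is wrong for a given sample.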

8. Conclusion

We have uncovered the use of PC Surveillance System (PSS) spyware by what appears to be agencies of the Ethiopian government to target dozens of individuals. Our investigation shows these targets include an Oromo media outlet based in the United States, OMN, a PhD student, and a lawyer who have worked on Oromo issues, as well as a Citizen Lab Research Fellow, Bill Marczak. Our analysis also indicates apparent demonstrations of the spyware in several other countries where leaders have exhibited authoritarian tendencies, and/or where there are political corruption and accountability challenges, such as Nigeria, Philippines, Rwanda, Uzbekistan, and Zambia.

The habitual misuse of spyware by the Ethiopian government against civil society targets is testament to the lack of repercussions for such behavior by states and complicity within the commercial spyware industry that supplies them. Evidence indicating the Ethiopian government’s misuse of spyware (including Hacking Team’s RCS and Gamma Group’s FinSpy) against journalists, activists, and others has been laid out in prior research over multiple years, as well as in a lawsuit filed in US federal court. In a portentous ruling, that suit was dismissed on grounds that a tort is not committed entirely in the US — a showing of which was required to obtain jurisdiction over a foreign sovereign — when a government’s digital espionage is conceived of and operated from overseas, despite the fact that the infection occurs and harm is experienced within the US. The digital nature of the tort essentially allowed a foreign government to violate US laws with impunity. Unsurprisingly, as this report makes clear, the extraterritorial targeting continues, as do spyware sales to Ethiopia.

This report also uncovers another player in the nation-state spyware business: Cyberbit, the company that provides PSS. As a provider of powerful surveillance technology, Cyberbit has the responsibility under both Israel’s export control regime as well as the UN Guiding Principles on Business and Human Rights to concern itself with the potential for human rights abuses facilitated through use of its product. The fact that PSS wound up in the hands of Ethiopian government agencies, which for many years have demonstrably misused spyware to target civil society, raises urgent questions around Cyberbit’s corporate social responsibility and due diligence efforts, and the effectiveness of Israel’s export controls in preventing human rights abuses. The apparent locations of PSS demonstrations reinforce those concerns. Moreover, the manner in which the PSS spyware operates suggests that, to achieve infection, the spyware preys on user trust in legitimate third-party companies and software, such as Adobe Systems, or the code-signing certificate verification process. These techniques undermine security in the larger digital ecosystem and contravene terms of service as well as clear legal standards that exist in many jurisdictions to prevent appropriation of intellectual property. If spyware companies themselves incorporate such techniques in order to build a successful product, action is necessary to address the negative externalities that result. We have sent a letter to Cyberbit regarding these issues and received a response.

As we explore in a separate analysis, while lawful access and intercept tools have legitimate uses, the significant insecurities and illegitimate targeting we have documented that arise from their abuse cannot be ignored. In the absence of stronger norms and incentives to induce state restraint, as well as more robust regulation of spyware companies, we expect that authoritarian and other politically corrupt leaders will continue to obtain and use spyware to covertly surveil and invisibly sabotage the individuals and institutions that hold them to account.

9. Acknowledgements

This work was supported in part by the Center for Long Term Cybersecurity (CLTC) at UC Berkeley. Thanks also to Erik Zouave, Masashi Crete-Nishihata, Lex Gill, Etienne Maynier, Adam Senft, Miles Kenyon, Jawar Mohammed, Etana Habte, Henok Gabisa, and Felix Horne and Cynthia Wong from Human Rights Watch.

Footnotes

  1. We found these materials in a Google search. The materials are hosted in an Amazon S3 bucket whose name is cyberbit. Inspecting the source code of Cyberbit’s website (https://web.archive.org/web/20170930094240/https://www.cyberbit.com/) yields several references to the same S3 bucket.  Thus, we assume Cyberbit controls the S3 bucket named cyberbit and that the marketing materials are Cyberbit originals.
  2. In January 2016, Cyberbit attempted to convince the WIPO Arbitration and Mediation Center to transfer the domain to it from Cyberbit A/S, but the panel refused and declared that Cyberbit had engaged in reverse domain name hijacking by bringing its complaint in bad faith. However, Cyberbit apparently purchased the domain in March 2017, judging by WHOIS records.
  3. We redact the domain names of non-Ethiopia servers that are still online.
  4. e.g., https://web.archive.org/web/20150710202350/http://www.thewhistleblowers.org:80/?cat=3874


Ethiopia in 2017: The enemy of Internet and freedom: Ethiopia is the 2nd worst in the world in the Internet freedom after China and a continuous deteriorating trend. Syria (3rd) November 18, 2017

Posted by OromianEconomist in Censorship, Internet Freedom, Uncategorized.


Freedom House Freedom on the Net 2017 Ethiopia Country Profile STATUS:

NOT FREE

Ethiopia the 2nd worst in the world in Internet freedom in 2017

The prominent opposition activist Yonatan Tesfaye was found guilty of terrorism based on Facebook posts that criticized the government’s handling of the Oromia protests.

Key Developments: 

JUNE 2016–MAY 2017

  • Internet and mobile phone networks were deliberately disrupted during antigovernment protests and student exams; social media and communications platforms were periodically blocked throughout the year (see Restrictions on Connectivity and Blocking and Filtering).
  • Self-censorship heightened following the state of emergency instituted in October 2016 (see Media, Diversity, and Online Manipulation).
  • The state of emergency eroded fundamental rights and restricted certain online activities, including supporting protests on social media (see Legal Environment).
  • The Computer Crime Proclamation enacted in June 2016 criminalizes online defamation and incitement and strengthened the government’s surveillance capabilities by enabling real-time monitoring or interception of communications (see Legal Environment and Surveillance, Privacy, and Anonymity).
  • Numerous individuals were arrested for online speech or protests; two were convicted and handed multi-year prison sentences (see Prosecutions and Detentions for Online Activities).

Introduction:

Internet freedom declined dramatically in the past year as the government imposed emergency rule to crack down on antigovernment protests and the digital tools citizens used to organize them.

The authoritarian government declared a six-month state of emergency in October 2016 following months of escalating protests. Starting in the Oromia region in November 2015 as a protest against the government’s plan to infringe on land belonging to the marginalized Oromo people, the protests spread across the country throughout 2016, turning into unprecedented demonstrations seeking regime change and democratic reform. Emergency rule derogated fundamental rights in violation of international standards,1 banned unauthorized protests, and allowed the authorities to arbitrarily arrest and detain citizens without charges. More than 21,000 people were arrested before the state of emergency was lifted in August 2017.

The state of emergency restricted certain online activities and the internet was shut down for several days. The authorities criminalized accessing or posting content related to the protests on social media, displaying antigovernment symbols or gestures, as well as efforts to communicate with “terrorist” groups—a category that includes exiled dissidents. Penalties included prison terms of between three and five years.

Numerous individuals were arrested for online activities, and two were convicted to long prison sentences. In May 2017, a prominent opposition activist, Yonatan Tesfaye, was sentenced to six and a half years in prison on terrorism charges based on Facebook posts in which he criticized the government’s handling of the Oromia protests. Also in May, Getachew Shiferaw, editor-in-chief of opposition outlet Negere Ethiopia, was sentenced to one and a half years in prison on subversion charges for Facebook comments published in support of an exiled journalist. He was released on time served.

The legal environment for internet freedom became more restrictive under the Computer Crime Proclamation enacted in June 2016, which criminalizes defamation and incitement. The proclamation also strengthens the government’s surveillance capabilities by enabling real-time monitoring or interception of communications.

Obstacles to Access:

(Freedom on the Net Score: 0=Most Free, 100=Least Free)

Internet and mobile phone networks were deliberately disrupted during antigovernment protests and student exams throughout the year. Meanwhile, poor infrastructure, obstructionist telecom policies, and a government monopoly on the information and communication technology (ICT) sector make ICT services prohibitively expensive for the majority of the population.

Availability and Ease of Access

Ethiopia is one of the least connected countries in the world with an internet penetration rate of only 15 percent in 2016, up from 12 percent the previous year, according to the latest data from the International Telecommunications Union (ITU).2 Mobile phone penetration is also low at 51 percent, up from 43 percent in 2015.3 Low penetration rates stem from underdeveloped telecommunications infrastructure, which is almost entirely absent from rural areas, where about 85 percent of the population resides. A handful of signal stations service the entire country, resulting in network congestion and frequent disconnection.4 In a typical small town, individuals often hike to the top of the nearest hill to find a mobile phone signal.

Access to ICT services remains prohibitively expensive for most Ethiopians, largely due to the government’s monopoly over the telecom sector, which provides consumers with few options. Prices are set by state-controlled EthioTelecom and kept artificially high.5 William Davison, Bloomberg’s Ethiopia correspondent, described the issue on Facebook in March 2016: “It cost me 44 birr ($2.05) to watch Al Jazeera’s latest 3-minute dispatch on Oromo protests using 4G network on my phone, which is not that much less than the average daily wage of a daily laborer in Ethiopia.”6 Ethiopians can spend an average of US$85 per month for limited mobile or fixed wireless internet access. Better quality services in neighboring Kenya and Uganda cost less than US$30 a month. One comparative assessment of internet affordability put Ethiopia among the world’s most expensive countries for access.7

Telecommunication devices, connection fees and other related costs are also beyond the means of many Ethiopians. As a result, Ethiopia has one of the lowest smartphone ownership rates in the world at only 4 percent, according to a 2016 Pew survey.8 Consequently, the majority of internet users rely on cybercafes for internet access. A typical internet user in the capital, Addis Ababa, pays between ETB 5 and 7 (US$ 0.25 to 0.35) for an hour of access. Because of the scarcity of internet cafes outside urban areas, however, rates in rural cybercafes are higher. In addition, digital literacy rates are generally low.

Connection speeds have been painstakingly slow for years, despite the rapid technological advances improving service quality in other countries. According to Akamai, the average connection speed in Ethiopia was 3 Mbps in the first quarter of 2017, significantly lower than the global average of 7.0 Mbps. In practice, such speeds result in extremely sluggish download times for even simple images. Logging into an email account and opening a single message can take as long as five minutes at a standard cybercafe with broadband in the capital, while attaching documents or images to an email can take eight minutes or more.9

Restrictions on Connectivity

Throughout 2016 and 2017, network traffic in and out of Ethiopia registered a significant decline as a result of continual throttling and repeated internet shutdowns.

Network shutdowns occurred several times during the coverage period:

  • During widespread antigovernment protests on August 6 and 7, 2016, internet services were completely inaccessible in the Amhara, Addis Ababa, and Oromia regions. The government responded to the protests with excessive force, resulting in the deaths of at least 100 people.10
  • In October 2016, mobile internet services were shut down for several days when the government declared a state of emergency.11 Mobile internet service and social media remained intermittently accessible for months (see Legal Environment).
  • The government shut down all telecommunications networks from May 30 to June 8 following the conviction of two human rights activists for online expression in May 2017 (see Prosecutions and Detentions for Online Activities).12
  • In separate incidents in July 2016, August 2016, and June 2017, the authorities shut down fixed and mobile internet services in select regions to prevent students from cheating during national university exams.13

The ICT shutdowns were costly. According to October 2016 research by the Brookings Institution, network disruptions between July 1, 2016 and June 30, 2017 cost Ethiopia’s economy over USD $8.5 million.14 September 2017 research by the Collaboration on International ICT Policy in East and Southern Africa (CIPESA) calculated the economic cost of Ethiopia’s internet disruptions between 2015 and 2017 at nearly USD $3.5 million a day. Calculated separately, disruptions to apps cost nearly USD $875,000 a day.15

The Ethiopian government’s monopolistic control over the country’s telecommunications infrastructure via EthioTelecom enables it to restrict information flows and access to internet and mobile phone services. As a landlocked country, Ethiopia has no direct access to submarine cable landing stations; thus, it connects to the international internet via satellite, a fiber-optic cable that passes through Sudan and connects to its international gateway, and the SEACOM cable that connects through Djibouti to an international undersea cable. All connections to the international internet are completely centralized via EthioTelecom, enabling the government to cut off the internet at will.

ICT Market

State-owned EthioTelecom holds a firm monopoly over internet and mobile phone services as the country’s sole telecommunications service provider. Despite repeated international pressure to liberalize telecommunications in Ethiopia, the government refuses to ease its grip on the sector.16 The space for independent initiatives in the ICT sector, entrepreneurial or otherwise, is extremely limited.17

China is a key investor in Ethiopia’s telecommunications industry,18 with Zhongxing Telecommunication Corporation (ZTE) and Huawei currently serving as contractors to upgrade broadband networks to 4G in Addis Ababa and expand 3G networks elsewhere.19 The partnership has enabled Ethiopia’s authoritarian leaders to maintain their hold over the telecom sector,20 though the networks built by the Chinese firms have been criticized for their high cost and poor service.21 Furthermore, the contracts have led to increasing fears that the Chinese may also be assisting the authorities in developing more robust ICT censorship and surveillance capacities (see Surveillance, Privacy, and Anonymity).22 In December 2014, the Swedish telecom group Ericsson also partnered with the government to improve and repair the mobile network infrastructure,23 though ZTE remains the sector’s largest investor.

Onerous government regulations also stymie other aspects of the Ethiopian ICT market. For one, imported ICT items are tariffed at the same high rate as luxury items, unlike other imported goods such as construction materials and heavy duty machinery, which are given duty-free import privileges to encourage investments in infrastructure.24 Ethiopians are required to register their laptops and tablets at the airport with the Ethiopian customs authority before they travel out of the country, ostensibly to prevent individuals from illegally importing electronic devices, though observers believe the requirement enables officials to monitor citizens’ ICT activities by accessing the devices without consent.25

Local software companies also suffer from heavy-handed government regulations, which do not prescribe fair, open, or transparent ways of evaluating and awarding bids for new software projects.26 Government companies are given priority for every kind of project, while smaller entrepreneurial software companies are completely overlooked, leaving few opportunities for local technology companies to thrive.

Cybercafes are subject to burdensome operating requirements under the 2002 Telecommunications (Amendment) Proclamation,27 which prohibit them from providing Voice-over-IP (VoIP) services, and mandate that owners obtain a license from EthioTelecom via an opaque process that can take months. In the past few years, EthioTelecom began enforcing its licensing requirements more strictly in response to the increasing spread of cybercafes, reportedly penalizing Muslim cafe owners more harshly. Violations of the requirements entail criminal liability, though no cases have been reported.28

Regulatory Bodies

The Ethiopian Telecommunications Agency (ETA) is the primary regulatory body overseeing the telecommunications sector. In practice, government executives have complete control over ICT policy and sector regulation.29 The Information Network Security Agency (INSA), a government agency established in 2011 and controlled by individuals with strong ties to the ruling regime,30 also has significant power to regulate the internet under its mandate to protect communications infrastructure and prevent cybercrime.

Limits on Content:

(Freedom on the Net Score: 0=Most Free, 100=Least Free)

Social media and communications platforms were repeatedly blocked throughout the coverage period. Self-censorship heightened following the state of emergency instituted in October 2016, which placed restrictions on the use of social media for certain types of speech.

Blocking and Filtering

One of the first African countries to censor the internet,31 Ethiopia has a nationwide, politically motivated internet blocking and filtering apparatus that is reinforced during sensitive political events.

Tests conducted by the Open Observatory of Network Interference (OONI) in December 2016 found a wide range of websites blocked in Ethiopia, including the websites of Ethiopian news outlets known for critical reporting, political opposition groups, LGBTI (lesbian, gay, bisexual, transgender, or intersex) groups, human rights organizations, and circumvention tools. In total, at least one hundred websites were inaccessible.32 OONI tests also found the mobile version of WhatsApp completely blocked.33

Other social media platforms such as Facebook and Twitter were repeatedly blocked for periods of time throughout 2016 and 2017, limiting their utility for political organizing even when the internet had not been completely shut down.34 In one case unrelated to political unrest, the authorities also blocked access to Facebook, Twitter, Instagram, Viber, IMO, and Google+ to prevent cheating during university examinations in July 2016.35 The blocks followed a full internet blackout for the same reason (see Restrictions on Connectivity). A government spokesperson stated that blocking social media during the exam would help students concentrate.

However, some progovernment media organizations and commentators seemed to have exclusive access to social media during the block,36 which reinforced the popular belief that government supporters are not disadvantaged during shutdowns to the extent that citizens are. Tools that help internet users bypass censorship are frequently blocked in Ethiopia, but some may remain available for approved uses. When social media platforms were blocked in the past year, diaspora-based activists publicized virtual private networks (VPNs) to circumvent the censorship, but certain VPNs were also subsequently blocked.37 Local sources suspected progovernment commenters were reporting some tools to the authorities for enabling censorship circumvention.

Digital security tools and information are also blocked. The Amharic translation of the Electronic Frontier Foundations’ “Surveillance Self-Defense” web guide was blocked two weeks after it was published in October 2015.38 One source reported that keywords such as “proxy” yield no search results on unencrypted search engines,39 reflecting the government’s efforts to limit users’ access to proxy servers and other circumvention tools. Tor, a circumvention tool that enables users to browse anonymously, has been subject to restrictions since May 2012.40

To filter the internet, specific internet protocol (IP) addresses or domain names are generally blocked at the level of the EthioTelecom-controlled international gateway. Deep packet inspection (DPI), which blocks websites based on a keyword in the content of a website or communication, is also employed.41

There are no procedures for determining which websites are blocked or why, precluding any avenues for appeal. There are no published lists of blocked websites or publicly available criteria for how such decisions are made, and users are met with an error message when trying to access blocked content. The decision-making process does not appear to be controlled by a single entity, as various government bodies—including the Information Network Security Agency (INSA), EthioTelecom, and the ICT ministry—seem to be implementing their own lists, contributing to a phenomenon of inconsistent blocking. This lack of transparency is exacerbated by the fact that the government denies implementing censorship. Government officials flatly deny blocking websites or jamming international satellite operations, while also stating that the government has a legal and a moral responsibility to protect the Ethiopian public from extremist content.

Content Removal

Political content is often targeted for removal, often by way of threats from security officials who personally seek out users and bloggers to instruct them to take down certain content, particularly critical content on Facebook. The growing practice suggests that at least some voices within Ethiopia’s small online community are closely monitored. For instance, during antigovernment protests in Oromia, activists who wrote messages of solidarity for the protestors on Facebook were asked to delete their posts.42

Media, Diversity and Content Manipulation

Increasing repression of journalists and bloggers has had a major chilling effect on expression online, particularly in response to the spate of blogger arrests in the past few years (see Prosecutions and Detentions for Online Activities). Many bloggers publish anonymously to avoid reprisals,43 while fear of pervasive surveillance has also led to widespread self-censorship.

Self-censorship heightened during the state of emergency instituted in October 2016, which explicitly prohibited sharing information about protests through social media platforms, communicating with exiled dissident groups regarded as terrorists, organizing demonstrations, and displaying political gestures (see Legal Environment).

Lack of adequate funding is a significant challenge for independent online media in Ethiopia, as fear of government pressure dissuades local businesses from advertising with politically critical websites. A 2012 Advertising Proclamation also prohibits advertisements from firms “whose capital is shared by foreign nationals.”44 The process for launching a website on the local .et domain is expensive and demanding,45 requiring a business license from the Ministry of Trade and Industry and a permit from an authorized body.46 While the domestic blogosphere has been expanding, most blogs are hosted on international platforms or published by members of the diaspora.

Despite Ethiopia’s extremely low levels of internet access, the government employs an army of trolls to distort Ethiopia’s online information landscape.47 Opposition groups, journalists, and dissidents use the mocking Amharic colloquial term kokas to describe the progovernment commentators.48 Observers say the kokas regularly discuss Ethiopia’s economic growth in favorable terms and post derogatory comments about Ethiopian journalists and opposition groups on Facebook and Twitter. In return, they are known to receive benefits such as money, land, and employment promotions. The government also manipulates online content through propaganda that aims to convince Ethiopians that social media is a dangerous tool co-opted by opposition groups to spread hate and violence.49

Digital Activism

Online tools were essential for the mobilization of antigovernment protests throughout 2016, enabling activists to post information about the demonstrations and disseminate news about police brutality as the government cracked down on protesters.50 Digital activism was muted following the October 2016 state of emergency, which banned demonstrations and online mobilization. Repeated internet shutdowns and blocks on social media platforms also hindered mobilization efforts (see Blocking and Filtering and Restrictions on Connectivity).

Violations of User Rights:

(Freedom on the Net Score: 0=Most Free, 100=Least Free)

A state of emergency declared in October 2016 derogated fundamental rights and restricted certain online activities. The Computer Crime Proclamation enacted in June 2016 criminalizes defamation and incitement; observers say it could be invoked to suppress digital mobilization. The proclamation also strengthens the government’s surveillance capabilities by enabling real-time monitoring and interception of communications. Numerous individuals were arrested for online activities, particularly protests, while two people were sentenced to prison for several years each during the coverage period.

Legal Environment

The government imposed a six-month state of emergency in October 2016 and shut down the internet for several days to quell escalating antigovernment protests. Specific online activities were restricted under emergency rule.51 The authorities criminalized accessing or posting content related to the protests on social media, as well as efforts to communicate with “terrorist” groups, a category that includes exiled dissidents. Penalties included prison terms of three to five years.52 Emergency rule also undermined fundamental rights, banning unauthorized protests, and allowing the authorities to arbitrarily arrest and detain citizens without charge. More than 21,000 people were arrested before the state of emergency was lifted in August 2017, according to news reports.53

Fundamental freedoms are guaranteed for Ethiopian internet users on paper, but the guarantees are routinely flouted in practice. The 1995 Ethiopian constitution provides for freedom of expression, freedom of the press, and access to information, while also prohibiting censorship.54 These constitutional guarantees are affirmed in the 2008 Mass Media and Freedom of Information Proclamation, known as the press law, which governs the print media.55 Nevertheless, the press law also includes problematic provisions that contradict constitutional protections and restrict free expression, such as complex registration processes for media outlets and heavy fines for defamation.56 The Criminal Code also penalizes defamation with a fine or up to one year in prison.57

Meanwhile, several laws are designed to restrict and penalize legitimate online activities and speech. Most alarmingly, the 2012 Telecom Fraud Offences Law extends the violations and penalties defined in the 2009 Anti-Terrorism Proclamation and criminal code to electronic communications sent over mobile phone and internet services.58 The antiterrorism legislation prescribes prison sentences of up to 20 years for the publication of statements that can be understood as a direct or indirect encouragement of terrorism, which is vaguely defined.59 The law also bans Voice over Internet Protocol (VoIP) services such as Skype60 and requires all individuals to register their telecommunications equipment—including smartphones—with the government, which security officials typically enforce at security checkpoints by confiscating ICT equipment if the owner cannot produce a registration permit, according to sources in the country.

In June 2016, the Ethiopian government passed a new Computer Crime Proclamation that criminalized an array of online activities.61 For example, content that “incites fear, violence, chaos or conflict among people” can be punished with up to three years in prison, which could be abused to suppress digital campaigns.62 Other problematic provisions ban the dissemination of defamatory content, which can be penalized with up to 10 years in prison,63 and the distribution of unsolicited messages to multiple emails (spam), which carries up to five years in prison.64 Civil society expressed concern that the law would be used to further crackdown on critical commentary, political opposition, and social unrest.65

Prosecutions and Detentions for Online Activities

The authorities intensified their crackdown against bloggers, online journalists, and activists during the state of emergency in the past year. The antigovernment protest movement led to thousands of arrests, some for digital activities such as posting or “liking” social media content about the protests. Examples include the following:

  • In October 2016, police arrested Seyoum Teshome, a well-known academic and blogger for the Ethiopian Think Tank Group, who had published an article about the Oromia protest movement in The New York Times.66 Teshome was held in prison for three months, during which he reported suffering severe torture (see Intimidation and Violence).67
  • In November 2016, political activists Anania Sorri and Daniel Shibeshi and journalist Elias Gebru were arrested for posting images of themselves on social media displaying a gesture indicating support for the protest movement. Protest gestures and symbols were banned under emergency rule.68
  • In December 2016, seven musicians behind a popular YouTube music video were arrested and held without charge until June 2017, when they were charged with terrorism. The video was held to incite protests.69

Two cases led to convictions and multi-year prison sentences during the coverage period:

  • In May 2017, the prominent opposition activist Yonatan Tesfaye was found guilty of terrorism based on Facebook posts that criticized the government’s handling of the Oromia protests.70 He was sentenced to six and a half years in prison.71 Tesfaye’s Twitter handle has been active since his detention, leading to suspicions that officials were using his account to monitor other dissidents or encourage them to break the law.72
  • Also in May, Getachew Shiferaw, the editor-in-chief of the opposition outlet Negere Ethiopia, was sentenced to one and a half years in prison on subversion charges for Facebook comments that were considered to “endorse” an exiled journalist.73 He was released on time served.

Bloggers from the critical Zone 9 blogging collective were repeatedly persecuted during the coverage period, continuing several years of unabated legal troubles and harassment. The bloggers were first arrested in April 2014 and charged with terrorism under the harsh Anti-Terrorism Proclamation.74 They were accused of intent to overthrow the government, an offense under the criminal code, by encrypting their communications to disseminate seditious writings.75 Denied bail and brought to court dozens of times for sham trials,76 the bloggers were eventually acquitted in late 2015, but the prosecutor appealed to the Supreme Court, and they were repeatedly summoned to appear throughout 2016.77 In April 2017, the Supreme Court ruled that two of the Zone9 bloggers, Atnaf Berhane and Natnail Feleke, should be tried on charges of inciting violence through their writing. If convicted, they would face up to 10 years each in prison.78

Other citizens were serving long prison sentences during the coverage period, including blogger Zelalem Workagenehu, who was found guilty of terrorism and sentenced to over five years in prison in May 2016.79 He was first arrested in July 2014 on charges of conspiring to overthrow the government after he facilitated a course on digital security. Well-known dissident journalist and blogger Eskinder Nega is serving an 18-year prison sentence handed down in July 2012 under the draconian anti-terrorism law for criticizing the law itself in an online article.80

Surveillance, Privacy, and Anonymity

Government surveillance of online and mobile phone communications is pervasive in Ethiopia and was strengthened under the new Computer Crime Proclamation enacted in June 2016, which enables real-time monitoring or interception of communications authorized by the Minister of Justice and obliges service providers to store records of all communications and metadata for at least a year.81

There are strong indications that the government has deployed a centralized monitoring system developed by the Chinese telecommunications firm ZTE to monitor mobile phone networks and the internet, according to a 2015 Human Rights Watch report.82 Known for its use by repressive regimes in Libya and Iran, the monitoring system enables deep packet inspection (DPI) of internet traffic across the EthioTelecom network and has the ability to intercept emails and web chats.

A customer management database called ZSmart, also developed by ZTE, has been installed by EthioTelecom. The database provides the government with full access to user information and the ability to intercept SMS text messages and record phone conversations.83 ZSmart also allows security officials to locate targeted individuals through real-time geolocation tracking of mobile phones.84 While the extent to which the government has made use of the full range of ZTE’s sophisticated surveillance systems is unclear, the authorities frequently present intercepted emails and phone calls as evidence during trials against journalists and bloggers or during interrogations as a scare tactic.85

Meanwhile, exiled dissidents have been targeted by surveillance malware. Citizen Lab research published in March 2015 said Remote Control System (RCS) spyware had been used against two employees of Ethiopian Satellite Television Service (ESAT) in November and December 2014. ESAT is a diaspora-run independent satellite television, radio, and online news media outlet based in Alexandria, Virginia.86 Made by the Italian company Hacking Team, RCS spyware is advertised as “offensive technology” sold exclusively to law enforcement and intelligence agencies, and has the ability to steal files and passwords and intercept Skype calls and chats.87

While Hacking Team has said that the company does not deal with “repressive regimes,”88 the social engineering tactics used to bait the two ESAT employees made it clear that the attack was targeted. Moreover, analysis of the RCS attacks uncovered credible links to the Ethiopian government, with the spyware’s servers registered at an EthioTelecom address under the name “INSA-PC,” referring to the Information Network Security Agency (INSA), the body established in 2011 to preside over the security of the country’s critical communications infrastructure.89 INSA was already known to be using the commercial toolkit FinFisher to target dissidents and supposed national security threats. FinFisher can secretly monitor computers by turning on webcams, record everything a user types with a keylogger, and intercept Skype calls.90

Political commentators use VPNs and anonymizing tools to hide their identities when publishing online and to circumvent filtering, though the tools are also subject to blocking (see Blocking and Filtering).

Anonymity is further compromised by strict SIM card registration requirements. Upon purchase of a SIM card through EthioTelecom or an authorized reseller, individuals must provide their full name, address, government-issued identification number, and a passport photograph. EthioTelecom’s database of SIM registrants enables the government to terminate SIM cards and bar individuals from registering for new ones. Internet subscribers are also required to register their personal details, including their home address, with the government. During the antigovernment protests in 2016, state-owned ICT provider EthioTelecom announced plans to require mobile phones to be purchased from Ethiopian companies and to create a tracking system for all mobile devices in Ethiopia. Though no updates on the plans were reported in 2017, observers believe the plan aims to allow the government to track and identify all communications from subscribers on its network.91

Intimidation and Violence

During escalating antigovernment protests throughout 2016, the authorities routinely harassed, detained, and abused people who used their mobile phones to record footage of demonstrations. Under emergency rule, the authorities reportedly arrested thousands of people, some for their online activities. Imprisoned bloggers reported being held in degrading conditions and tortured by prison guards seeking to extract false confessions.92 In one case, blogger Seyoum Teshome, who was arrested after the publication of his critical New York Times op-ed, reported suffering severe torture while in detention from October to December 2016.93

Government security agents frequently harass and intimidate bloggers, online journalists, and internet users. Independent bloggers are often summoned by the authorities to be warned against discussing certain topics online, while activists report that they are regularly threatened by state security agents.94 Ethiopian journalists in the diaspora have also been targeted for harassment.95

Technical Attacks

There were no reports of technical attacks against human rights defenders or dissidents during the coverage period, though incidents are likely underreported. Opposition critics have faced frequent technical attacks in the past, even abroad. Observers believe similar campaigns against activists persist undetected. Independent research has shown that Ethiopian authorities use sophisticated surveillance spyware to target exiled dissidents.96

Notes:

1 Human Rights Watch, “Legal Analysis of Ethiopia’s State of Emergency,” October 30, 2016, https://www.hrw.org/news/2016/10/30/legal-analysis-ethiopias-state-emergency

2 International Telecommunication Union, “Percentage of Individuals Using the Internet, 2000-2016,” http://bit.ly/1cblxxY

3 International Telecommunication Union, “Mobile-Cellular Telephone Subscriptions, 2000-2016,” http://bit.ly/1cblxxY

4 Endalk Chala, “When blogging is held hostage of Ethiopia’s telecom policy,” in “GV Advocacy Awards Essays on Internet Censorship from Iran, Venezuela, Ethiopia,” Global Voices (blog), February 3, 2015, http://bit.ly/1OpDvzz

5 Ethiopia – Telecoms, Mobile, Broadband and Forecasts, Paul Budde Communication Pty Ltd.: June 2014, http://bit.ly/1ji15Rn

6 William Davison’s Facebook post, March 26, 2016, https://www.facebook.com/william.davison.33/posts/10153956834545792?pnref=story

8 Jacob Poushter, “Smartphone Ownership and Internet Usage Continues to Climb in Emerging Economies,” Pew Research Center, February 22, 2016, http://www.pewglobal.org/2016/02/22/smartphone-ownership-and-internet-usage-continues-to-climb-in-emerging-economies/

9 According to tests by a Freedom House consultant in 2016.

11 Stephanie Busari, “Ethiopia declares state of emergency after months of protests,” CNN, October 11, 2016, http://www.cnn.com/2016/10/09/africa/ethiopia-oromo-state-emergency/; Endalk Chala, “Ethiopian authorities shut down mobile internet and major social media sites,” Global Voices (blog), October 11, 2016, https://globalvoices.org/2016/10/11/ethiopian-authorities-shut-down-mobile-internet-and-major-social-media-sites/

12 “Ethiopia: Third Internet shutdown follows imprisonment of two human rights activists,” Article 19, June 7, 2017, https://www.ifex.org/ethiopia/2017/06/06/internet-shutdown/

13 Paul Schemm, “Ethiopia shuts down social media to keep from ‘distracting’ students,” Washington Post, July 13, 2016, https://www.washingtonpost.com/news/worldviews/wp/2016/07/13/ethiopia-shuts-down-social-media-to-keep-from-distracting-students/; http://www.newsweek.com/ethiopia-internet-blocked-618806

14 Darrell M. West, “Internet shutdowns cost countries $2.4 billion last year,” Brookings Institute, Center for Technology Innovation, October 2016, https://www.brookings.edu/wp-content/uploads/2016/10/intenet-shutdowns-v-3.pdf

15 “Economic Impact of Internet Disruptions in Sub-Saharan Africa,” CIPESA, September 2017, https://cipesa.org/2017/09/economic-impact-of-internet-disruptions-in-sub-saharan-africa/

16 “Ethio Telecom to remain monopoly for now,” TeleGeography, June 28, 2013, http://bit.ly/1huyjf7

17 Al Shiferaw, “Connecting Telecentres: An Ethiopian Perspective,” Telecentre Magazine, September 2008, http://bit.ly/1ji348h.

18 Paul Chapman, “New report explores the Ethiopian – telecoms, mobile and broadband – market insights, statistics and forecasts,” WhatTech, May 1, 2015, http://bit.ly/1L46Awu.

19 “Out of reach,” The Economist, August 24, 2013, http://econ.st/1l1UvJO.

20 “Out of reach,” The Economist.

21 Matthew Dalton, “Telecom Deal by China’s ZTE, Huawei in Ethiopia Faces Criticism,” The Wall Street Journal, January 6, 2014, http://on.wsj.com/1LtSCkD.

22 Based on allegations that the Chinese authorities have provided the Ethiopian government with technology that can be used for political repression—such as surveillance cameras and satellite jamming equipment—in the past. See: Addis Neger, “Ethiopia: China Involved in ESAT Jamming,” ECADAF Ethiopian news & Opinion, June 23, 2010, http://bit.ly/1LtSYI9; Gary Sands, “Ethiopia’s Broadband Network – A Chinese Trojan Horse?” Foreign Policy Blogs, Foreign Policy Association, September 6, 2013, http://bit.ly/1FWG8X1.

23 ENA, “Ericsson to take part in telecom expansion in Ethiopia,” Dire Tube, December 18, 2014, http://bit.ly/1PkZfvA.

24 The Embassy of the United States, “Doing Business in Ethiopia,” http://1.usa.gov/1LtTExh.

25 World Intellectual Property Organization, “Ethiopia Custom Regulation: No 622/2009,” http://bit.ly/1NveoeB.

26 Mignote Kassa, “Why Ethiopia’s Software Industry Falters,” Addis Fortune 14, no. 700 (September 29, 2013), http://bit.ly/1VJiIWC.

27 “Proclamation No. 281/2002, Telecommunications (Amendment Proclamation,” Federal Negarit Gazeta No. 28, July 2, 2002, http://bit.ly/1snLgsc.

28 Ethiopian Telecommunication Agency, “License Directive for Resale and Telecenter in Telecommunication Services No. 1/2002,” November 8, 2002, accessed October 20, 2014, http://bit.ly/1pUtpWh.

29 Dr. Lishan Adam, “Understanding what is happening in ICT in Ethiopia,” (policy paper, Research ICT Africa, 2012) http://bit.ly/1LDPyJ5.

30 Halefom Abraha, “THE STATE OF CYBERCRIME GOVERNANCE IN ETHIOPIA,” (paper) http://bit.ly/1huzP0S.

31 Rebecca Wanjiku, “Study: Ethiopia only sub-Saharan Africa nation to filter net,” IDG News Service, October 8, 2009, http://bit.ly/1Lbi3s9.

32 Test conducted by an anonymous researcher contracted by Freedom House, March 2016. During the test, some websites opened at the first attempt but were inaccessible when refreshed.

33 Maria Xynou et al., “Ethiopia: Evidence of social media blocking and internet censorship,” OONI, December 14, 2016, https://ooni.torproject.org/post/ethiopia-report/

34 Felix Horne, “Deafening silence from Ethiopia,” Foreign Policy in Focus, April 12, 2016, http://fpif.org/deafening-silence-ethiopia/; Endalk Chala, “Ethiopia locks down digital communications in wake of #OromoProtests,” Global Voices (blog), July 14, 2016, https://advox.globalvoices.org/2016/07/14/ethiopia-locks-down-digital-communications-in-wake-of-oromoprotests/; https://phys.org/news/2017-06-internet-social-media-ethiopia-block.html

35 Nicole Orttung, “Why did Ethiopia block social media,” Christian Science Monitor, July 12, 2016, http://www.csmonitor.com/World/2016/0712/Why-did-Ethiopia-block-social-media?cmpid=gigya-tw

36 According to activists who were able to circumvent the blocks and observe the social media activities of progovernment users.

37 Ismail Akwei, “Ethiopia blocks social media to prevent university exam leakage,” Africa News, July 10, 2016, http://www.africanews.com/2016/07/10/ethiopia-blocks-social-media-to-prevent-university-exam-leakage/

38 Endalk Chala, “Defending against overreaching surveillance in Ethiopia: Surveillance Self-Defense now available in Amharic,” Electronic Frontier Foundation, October 1, 2015, https://www.eff.org/deeplinks/2015/09/defending-against-overreaching-surveillance-ethiopia-surveillance-self-defense-n-0

39 A 2014 report from Human Rights Watch also noted that the term “aljazeera” was unsearchable on Google while the news site was blocked from August 2012 to mid-March 2013. According to HRW research, the keywords “OLF” and “ONLF” (acronyms of Ethiopian opposition groups) are not searchable on the unencrypted version of Google (http://) and other popular search engines. Human Rights Watch, “They Know Everything We Do,” March 25, 2014, 56, 58, http://bit.ly/1Nviu6r.

40 “Tor and Orbot not working in Ethiopia,” Tor Stack Exchange, message board, April 12, 2016, http://tor.stackexchange.com/questions/10148/tor-and-orbot-not-working-in-ethiopia; “Ethiopia Introduces Deep Packet Inspection,” Tor (blog), May 31, 2012, http://bit.ly/1A0YRdc; Warwick Ashford, “Ethiopian government blocks Tor network online anonymity,” Computer Weekly, June 28, 2012, http://bit.ly/1LDQ5L2.

41 Daniel Berhane, “Ethiopia’s web filtering: advanced technology, hypocritical criticisms, bleeding constitution,” Horns Affairs, January 16, 2011, http://bit.ly/1jTyrH1

42 Kevin Mwanza, “Is Ethiopia restricting access to social media in Oromia region?” Afk Insider, April 13, 2016, http://afkinsider.com/123180/ethiopia-restricting-access-social-media-oromia-region/

43 Markos Lemma, “Disconnected Ethiopian Netizens,” Digital Development Debates (blog), November 2012, http://bit.ly/1Ml9Nu3.

44 Exemptions are made for foreign nationals of Ethiopian origin. See, Abrham Yohannes, “Advertisement Proclamation No. 759/2012,” Ethiopian Legal Brief (blog), September 27, 2012, http://bit.ly/1LDQf5c.

45 “Proclamation No. 686/2010 Commercial Registration and Business Licensing,” Federal Negarit Gazeta, July 24, 2010, http://bit.ly/1P3PoLy; World Bank Group, Doing Business 2015: Going Beyond Efficiency, Economy Profile 2015, Ethiopia, 2014, http://bit.ly/1L49tO6.

46 Chala, “When blogging is held hostage of Ethiopia’s telecom policy.”

47 “Ethiopia Trains Bloggers to attack its opposition,” ECADF Ethiopian News & Opinions, June 7, 2014, http://bit.ly/1QemZjl.

48 The term “Koka” is a blend of two words: Kotatam and cadre. Kotatam is a contemptuous Amharic word used to imply that someone is a sellout who does not have a respect for himself or herself.

49 Endalk Chala, “Ethiopia protest videos show state brutality, despite tech barriers,” Global Voices (blog), January 6, 2016, https://advox.globalvoices.org/2016/01/06/ethiopia-protest-videos-show-state-brutality-despite-tech-barriers/

50 Jacey Fortin, “The ugly side of Ethiopia’s economic boom,” Foreign Policy, March 23, 2016, http://foreignpolicy.com/2016/03/23/no-one-feels-like-they-have-any-right-to-speak-at-all-ethiopia-oromo-protests/

51 “Seven things banned under Ethiopia’s state of emergency,” BBC News, October 17, 2016, http://www.bbc.com/news/world-africa-37679165

52 “Social media blackout in Ethiopia,” Jacarandafm, October 17, 2016, https://www.jacarandafm.com/news-sport/news/social-media-blackout-in-ethiopia/

53 “Ethiopia lifts state of emergency imposed in October,” Associated Press, August 4, 2017, http://www.startribune.com/ethiopia-lifts-state-of-emergency-imposed-in-october/438488273/

54 Constitution of the Federal Democratic Republic of Ethiopia (1995), art. 26 and 29, accessed, August 24, 2010, http://www.ethiopar.net/constitution.

55 Freedom of the Mass Media and Access to Information Proclamation No. 590/2008, Federal Negarit Gazeta No. 64, December 4, 2008.

56 Article 19, The Legal Framework for Freedom of Expression in Ethiopia, accessed September 10, 2014, http://bit.ly/1Pl0f33.

57 Criminal Code, art. 613, http://bit.ly/1OpHE6F.

58 Article 19, “Ethiopia: Proclamation on Telecom Fraud Offences,” legal analysis, August 6, 2012, http://bit.ly/1Lbonjm.

59 “Anti-Terrorism Proclamation No. 652/2009,” Federal Negarit Gazeta No. 57, August 28, 2009.

60 The government first instituted the ban on VoIP in 2002 after it gained popularity as a less expensive means of communication and began draining revenue from the traditional telephone business belonging to the state-owned EthioTelecom. In response to widespread criticisms, the government claimed that VoIP applications such as Skype would not be considered under the new law, though the proclamation’s language still enables the authorities to interpret it broadly at whim.

61 “Ethiopia Computer Crime Proclamation Text Draft,” Addis Insight, May 9, 2016, http://www.addisinsight.com/2016/05/09/ethiopia-computer-crime-proclamation-text-draft/

63 Article 13, “Crimes against Liberty and Reputation of Persons,” Computer Crime Proclamation.

64 Article 15, “Dissemination of Spam,” Computer Crime Proclamation.

65 Kimberly Carlson, “Ethiopia’s new Cybercrime Law allows for more efficient and systematic prosecution of online speech,” Electronic Frontier Foundation, June 9, 2016, https://www.eff.org/deeplinks/2016/06/ethiopias-new-cybercrime-law-allows-more-efficient-and-systematic-prosecution-online; Tinishu Soloman, “New Ethiopian law targets online crime,” The Africa Report, June 9, 2016, http://www.theafricareport.com/East-Horn-Africa/new-ethiopian-law-targets-online-crime.html

66 “Oromo protests: Ethiopia arrests blogger Seyoum Teshome,” Al Jazeera, October 5, 2016, http://www.aljazeera.com/news/2016/10/oromo-protests-ethiopia-arrests-blogger-seyoum-teshome-161005071925586.html

67 “Seyoum Teshome released,” Frontline Defenders, accessed October 30, 2017, https://www.frontlinedefenders.org/en/case/seyoum-teshome-released

70 Salem Soloman, “Ethiopia’s Anti-terrorism Law: Security or Silencing Dissent?” VOA News, May 31, 2016, http://www.voanews.com/a/ethiopia-anti-terrorism-law-security-silencing-dissent/3356633.html

71 “Ethiopia jails opposition politician Yonatan Tesfaye,” Al Jazeera, May 26, 2017, http://www.aljazeera.com/news/2017/05/ethiopian-court-jails-politician-6-years-170525141848655.html

72 @befeqadu Twitter post, April 12, 2016, https://twitter.com/befeqadu/status/719963259911188480/photo/1

73 “News: Ethiopia editor-in-chief sentenced for a year and half in prison, time he already served,” Addis Standard, May 26, 2017, http://addisstandard.com/news-ethiopia-editor-in-chief-sentenced-for-a-year-and-half-in-prison-time-he-already-served/

74 “Six members of Zone Nine, group of bloggers and activists are arrested,” [in Amharic] Zone9 (blog), April 25, 2014, http://bit.ly/1VJn6ow; “Federal High Court Lideta Criminal Bench court, Addis Ababa,” http://1drv.ms/1OqAjlC.

75 Endalk Chala, “What You Need to Know About Ethiopia v. Zone9 Bloggers: Verdict Expected July 20,” Global Voices (blog), July 17, 2015, http://bit.ly/1jTDO9b.

76 Ellery Roberts Biddle, Endalk Chala, Guardian Africa network, “One year on, jailed Ethiopian bloggers are still awaiting trial,” The Guardian, April 24, 2015, http://gu.com/p/47ktv/stw; Reporters Without Borders, “Nine Journalists and Bloggers Still Held Arbitrarily,” August 21, 2014, http://bit.ly/1P3TW4I.

77 “Netizen Report: Ethiopia’s Zone9 Bloggers Go Back to Court,” Global Voices (blog), March 30, 2016, https://advox.globalvoices.org/2016/03/30/netizen-report-ethiopias-zone9-bloggers-go-back-to-court/

78 “Ethiopia Supreme Court says two Zone 9 bloggers should face incitement charges,” CPJ, April 6, 2017, https://cpj.org/2017/04/ethiopia-supreme-court-says-two-zone-9-bloggers-sh.php

79 Tedla D. Tekle, “Ethiopian blogger and activist sentenced to five years and four months,” Global Voices (blog), May 16, 2016, https://advox.globalvoices.org/2016/05/16/ethiopian-blogger-and-activist-sentenced-to-five-years-and-four-months/

80 Such trumped-up charges were based on an online column Nega had published criticizing the government’s use of the Anti-Terrorism Proclamation to silence political dissent and calling for greater political freedom in Ethiopia. Nega is also the 2011 recipient of the PEN/Barbara Goldsmith Freedom to Write Award. “That Bravest and Most Admirable of Writers: PEN Salutes Eskinder Nega,” PEN American Center (blog), April 13, 2012, http://bit.ly/1Lm89Y7; see also Markos Lemma, “Ethiopia: Online Reactions to Prison Sentence for Dissident Blogger,” Global Voices, July 15, 2012, http://bit.ly/1OpKaKf; Endalk Chala, “Ethiopia: Freedom of Expression in Jeopardy,” Global Voices Advocacy, February 3, 2012, http://bit.ly/1jfIEO3.

81 Article 23, “Retention of Computer Data” and Article 24, “Real-time Collection of Computer Data,” http://hornaffairs.com/en/2016/05/09/ethiopia-computer-crime-proclamation/

82 Human Rights Watch, “They Know Everything We Do,” 62.

83 Human Rights Watch, “They Know Everything We Do,” 67.

84 Ibid., 52.

85 Committee to Protect Journalists, “Ethiopian Blogger, Journalists Convicted of Terrorism,” January 19, 2012, http://cpj.org/x/47b9.

86 Bill Marczak et al., Hacking Team Reloaded? US-Based Ethiopian Journalists Again Targeted with Spyware, Citizen Lab, March 9, 2015, http://bit.ly/1Ryogmr.

87 Hacking Team,“Customer Policy,” accessed February 13, 2014, http://hackingteam.it/index.php/customer-policy.

88 Declan McCullagh, “Meet the ‘Corporate Enemies of the Internet’ for 2013,” CNET, March 11, 2013, accessed February 13, 2014, http://cnet.co/1fo6jJZ.

89 Marczak et al., Hacking Team Reloaded? US-Based Ethiopian Journalists Again Targeted with Spyware.

90 Fahmida Y. Rashid, “FinFisher ‘Lawful Interception’ Spyware Found in Ten Countries, Including the U.S.,” Security Week, August 8, 2012, http://bit.ly/1WRPuap.

91 Endalk Chala, “Ethiopia Locks Down Digital Communications in Wake of #OromoProtests.”

92 Tedla D. Tekle, “‘I was forced to drink my own urine’: ‘Freedom’ for netizen after 647 days locked up, but not for all.”

93 Seyoum Teshome, “A license to torture,” Amnesty International, March 28, 2017, https://www.amnesty.org/en/latest/campaigns/2017/03/a-license-to-torture/

94 Simegnish (Lily) Mengesha, “Crawling to Death of Expression – Restricted Online Media in Ethiopia,” Center for International Media Assistance (blog), April 8, 2015, http://bit.ly/1IbxFie.

95 “ክንፉ አሰፋ በስለላ ከሆላንድ የተባረረው የጋዜጠኛውን አንገት እቆርጣለሁ አለ,” ECADAF Ethiopian News & Opinion, April 12, 2015, http://ecadforum.com/Amharic/archives/14790/.

96 Marczak et al., Hacking Team Reloaded? US-Based Ethiopian Journalists Again Targeted with Spyware, March 2015, https://citizenlab.ca/2015/03/hacking-team-reloaded-us-based-ethiopian-journalists-targeted-spyware/.

Internet access and usage in African world November 16, 2017

Posted by OromianEconomist in Uncategorized.

The special edition of The Journal of Pan African Studies focuses on Internet access and usage in the African world. It discusses the future of the Internet, uproar over Internet shutdowns in Africa, WhatsApp political broadcast messages in the 2015 presidential election in Nigeria, new media appropriation in the Oromo Protests in Ethiopia, Internet access to Caribbean government information on homeschooling in Barbados, African-centered Internet literacy, and information seeking behavior, and includes a section on women in information technology innovation in Africa.

CURRENT ISSUE

Volume 10 • Number 9 • November 2017

● Internet Access and Usage in the African World: Articulating a Progressive African Centered Digital Ecosystem

● The 2016 Internet Society Report: Areas of Impact and Concern for the Future of the Internet
an editorial by Itibari M. Zulu

● Uproar Over Internet Shutdowns: Governments Cite Incitements to Violence, Exam Cheating and Hate Speech
a guest editorial by Tonderayi Mukeredzi

● Internet Diffusion and Government Intervention: The Parody of Sustainable Development in Africa
by Badmus Bidemi G

● Appraisal Resources in Select WhatsApp Political Broadcast Messages in the 2015 Presidential Election Campaign in Nigeria
by Oluwabunmi O. Oyebode and Adeyemi Adegoju

● The Powers and Limits of New Media Appropriation in Authoritarian Contexts: A Comparative Case Study of Oromo Protests in Ethiopia
by Habtamu Dugo

● Internet Access to Caribbean Government Information on Homeschooling: A Preliminary Case Study of Barbados
by Mark-Shane Scale

● African-Centered Internet Literacy: An Ubuntugogy Metadata Approach
by Abdul Karim Bangura

● Social Media: Towards the Realisation of A Global Stance for the African Voice
by Bassey Nsa Ekpe

● Teaching Afrocentricity Through E-Clustering
by Abdul Karim Bangura

● Information Seeking Behavior Among Undergraduate Students Engaged in Twitter
by Musa D. Hassan

● Internet Access in Nigeria: Mobile Phones, Issues, and Millennials
by Mercy Kolawole

● Women in Information Technology Innovation in Africa

Relevant Books

Announcement

● Fixed and Mobile Broadband in Africa: An Executive Summary


Newsweek: WHY ETHIOPIA BLOCKED MOBILE INTERNET AGAIN June 1, 2017

Posted by OromianEconomist in #OromoProtests.

WHY ETHIOPIA BLOCKED MOBILE INTERNET AGAIN


Ethiopians may have experienced a frustrating sense of déjà vu when they tried to log on to social media or use the internet on their cellphones Wednesday.

That’s because the Ethiopian government has terminated mobile internet connectivity, a tactic the administration has used repeatedly in recent years to quell anti-government sentiment.

Ethiopia’s deputy communications minister, Zadig Abrha, confirmed to AFP on Wednesday that “mobile data has been deactivated,” but declined to provide any further information. The country’s sole telecommunications provider, the state-owned Ethio Telecom, has also refused to comment.

Preliminary data from Google showed a dramatic fall in search traffic from the Horn of Africa country from Tuesday afternoon, which did not appear to have returned to normal by Wednesday evening. It is unclear whether both mobile and fixed internet connections were blocked, but the majority of Ethiopians who do use the internet do so on mobile devices: The country has 11.95 mobile-broadband subscriptions per 100 people, compared to 0.66 fixed-broadband subscriptions, according to the International Telecommunications Union.

Julie Owono, the director of Paris-based internet freedom organization Internet Sans Frontières (ISF), says that the latest reports she has received were that internet connectivity had returned by Thursday morning, but that connectivity was not stable or fast. Owono tells Newsweek that access to some social media websites remains restricted.

Despite being one of Africa’s fastest-developing economies, Ethiopia has an extremely low internet penetration rate of just 2.9 percent, according to U.S. NGO Freedom House; in neighboring Kenya, penetration stands at 43 percent.

Internet access has been patchy since the government imposed a six-month state of emergency following a year of protests that were concentrated in the Oromia region, surrounding the capital Addis Ababa, and resulted in hundreds of protesters being killed by security forces. (The state of emergency was extended by four months in March.)

Photo caption: A woman walks past an Ethio Telecom office in Ethiopia’s capital, Addis Ababa, on November 9, 2015. Ethiopia only has one telecommunications provider and a very low internet penetration rate. (Tiksa Negeri/Reuters)

This time, the internet shutdown appears to be linked to university entrance exams taking place across the country this week. Around the same time in 2016, Ethiopia blocked access to social media sites—including Facebook, Twitter and Instagram—after copies of the exams were leaked online.

The Ethiopian government has not confirmed whether the exam period, which ends on Friday, is the reason for the shutdown. Newsweek contacted the Ethiopian embassy in London for a comment, but received no immediate reply.

But Owono says that the risk of an exam leak does not justify shutting down mobile internet for the entire population, and that the Ethiopian government’s repeated use of the tactic shows that it “fears connectivity.”

“For the wrong reasons, [it] sees the internet as a threat rather than as an opportunity,” says Owono. She points out that increasing internet connectivity and availability is part of the United Nations’ Sustainable Development Goals, a global agenda for development. “The reaction of the Ethiopian regime is contrary to this global aim.”

Ethiopia is not alone in Africa in closing down the internet to deal with social issues. In April, Cameroon lifted a three-month internet blackout in the country’s English-speaking regions, home to about one-fifth of the population, following mass protests there in late 2016. Egyptian authorities have ordered internet service providers to block access to 21 news websites, claiming that they backed terrorism or reported fake news, in a move criticized by press freedom activists.

Internet blackouts have also proven to be financially costly to countries. Between July 1, 2015 and June 30, 2016, the internet was shut down for a period of 30 days in Ethiopia; this cost the country’s economy $8.6 million, according to a report by the Brookings Institution.


Related Articles:

Global Voices: Ethiopia Imposes Nationwide Internet Blackout

ENCA: Ethiopia shuts off mobile internet without explanation

ETHIOPIA SHUTS OFF MOBILE INTERNET NATIONWIDE WITHOUT EXPLANATION. KEEPING IT REAL WITH ADEOLA, 31 May 2017

Ethiopia said on Wednesday it had deactivated mobile internet service, but offered no explanation for the countrywide outage that also briefly affected the African Union headquarters and a massive UN facility.

This is the second time in recent months that Africa’s second most populous country has turned off its mobile data service, which most businesses and consumers rely on for internet access.

RSF slams Ethiopian govt over nationwide internet blackout

The media advocacy group, Reporters Without Borders (RSF) has slammed the Ethiopian government for an internet shutdown believed to be linked with upcoming national exams.

According to RSF, the action was “a danger to freedom of information and press freedom.” The nationwide blackout started late Tuesday without formal communication.

A deputy communications minister, Zadig Abrha, later confirmed the outage to the AFP news agency, saying simply “mobile data has been deactivated.” It is not known when services will be restored.

3rd day of nationwide mobile internet blackout in : a danger for freedom of information and !

The government subsequently confirmed the shutdown and said it was to protect the integrity of high school exams. Thousands of students will take the Grade 10 exams between May 31 and June 2, while Grade 12 papers will be taken between June 5 and June 8.

The respective exams are for university entrance purposes and also for enrollment into national vocational courses. “The shutdown is aimed at preventing a repeat of leaks that occurred last year,” Mohammed Seid, public relations director of Ethiopia’s Office for Government Communications Affairs, told Reuters.

“We are being proactive. We want our students to concentrate and be free of the psychological pressure and distractions that this brings.”

There was a widespread leak of exam papers last year, leading to a cancellation of papers. Besides shutdowns related to education, the government has also blocked the internet in the wake of anti-government protests that hit the country last year.

Even though it is not known exactly when services will be restored, the government says only access to social media was blocked and that other essential services, such as airline bookings and banking outfits, had access to the internet. Diplomatic outfits and international organizations operating in the country also have connection.

IRIN News: Ethiopia’s internet crackdown hurts everyone November 19, 2016

Posted by OromianEconomist in #OromoProtests.

[Image: Viber, Twitter, Facebook and WhatsApp are strictly forbidden in Fascist regime (TPLF) Ethiopia]

Ethiopia’s internet crackdown hurts everyone

IRIN, 17 November 2016


Ethiopia has never been an easy place to operate. But a six-month state of emergency, combined with internet and travel restrictions imposed in response to a wave of anti-government protests, means it just got a whole lot harder.

The government has targeted the mobile data connections that the majority of Ethiopians use to get online. Internet users have also been unable to access Facebook Messenger and Twitter, with a host of other services also rendered unreliable.

This has impacted everyone: from local businesses, to foreign embassies, to families, as well as the extensive and vital international aid community.

“Non-governmental organisations play crucial roles in developing countries, often with country offices in the capitals, satellite offices across remote regions, and parent organisations in foreign countries,” said Moses Karanja, an internet policy researcher at Strathmore University in Nairobi.  “They need access to the internet if their operations are to be efficiently coordinated.”

A political decision

The Ethiopian government has been candid about the restrictions being in response to year-long anti-government protests in which hundreds of people have died.

It has singled out social media as a key factor in driving unrest. Since the beginning of October, there has been a spike in violence resulting in millions of dollars’ worth of damage to foreign-owned factories, government buildings and tourist lodges across Oromia Region, initially ground zero for the dissent.

“Mobile data will be permitted once the government assesses that it won’t threaten the implementation of the state of emergency,” government spokesman Getachew Reda – who has since been replaced – told a 26 October press conference in Addis Ababa.

[Photo: Security forces ready to crack down. James Jeffrey/IRIN]

The Oromo are the country’s largest ethnic group, constituting 35 percent of the country’s nearly 100 million population. They have historically felt ignored by successive regimes in Addis Ababa. In August, similar grassroots protest broke out among the Amhara, Ethiopia’s second largest ethnic group. The ruling EPRDF is portrayed by opponents as a narrow, unrepresentative clique that refuses to share power.

Ethiopia is not alone in its approach to political unrest. Around the world, as countries become increasingly integrated with online technology, the more autocratic governments are blocking the internet whenever they deem it necessary.

“The trend appears to be growing because more people are going online and using the internet, often through the use of mobile connections,” said Deji Olukotun of Access Now, which campaigns for digital rights. In 2016, it documented 50 shutdowns, up from less than 20 in 2015.

“People are enjoying the freedom and opportunity that the internet provides, which enables them to organise themselves and advocate for what they want,” Olukotun told IRIN. “In response, governments are shutting down the net to stop this practice.”

Bad timing

An aid worker, who didn’t want to be identified as her agency needs to renew its government permit, explained how she relies on Skype to communicate with far-flung colleagues.

“Before, it was hard enough, but now Skype is even more unreliable,” she said. “People can’t connect with colleagues in the field; people miss invites to meetings, can’t arrange logistics.”

The squeeze comes at a particularly bad time for Ethiopia, beyond the impact of the protest movement. Ten million people are in need of food aid as a result of drought. The Oromia and Amhara regions, where most of the anti-government unrest is happening, have some of the largest numbers of people requiring assistance.

“Websites like the famine early warning system, FEWSNET, which provides detailed regional analysis and projections on food insecurity, cannot be accessed by most stakeholders,” said an international development official.

“Some modern software systems for things like pharmaceutical supply-chain management are not working to their full capacity – making it harder to accurately track inventory and deliveries.”

[Photo: Careful what you say. Andrew Heavens/Flickr]

Many humanitarian organisations, including UN agencies, are heavily reliant on cash transfers to government organisations that conduct work on their behalf. They are finding it much harder to account for funds.

Another aid worker, again speaking to IRIN on condition of anonymity due to the sensitivity of operating in Ethiopia, said everything was getting delayed, including the rolling out of new programmes.

“If we can’t email or phone, we can’t find out how money has been spent, and if we can’t account and there’s no transparency, we can’t authorise new spending,” the aid worker said.

Post-truth

The importance of social media to people’s lives in Ethiopia is magnified because they so distrust mainstream media, largely controlled by the EPRDF.

“Many Ethiopians are fed up with local and state media and so they turn to diaspora news,” said Lidetu Ayele, founder of the opposition Ethiopia Democratic Party. “The problem is, a lot of things they’d view as gossip if heard by mouth, when they read about it on social media, they take as fact.”

The worst disaster during Ethiopia’s protests occurred at the beginning of October. After police and protesters clashed at a traditional Oromo festival beside a holy lake, a stampede ensued that left about 100 people drowned or crushed to death.

Social media didn’t hang around. It pulsed with claims a circling government helicopter had fired down into panicking crowds.

“My brother was telling me on the phone he was about to protest, and asking me how I couldn’t after the government had done something like that,” an Addis Ababa resident, who is half Oromo and half Amhara, recalled about the days following the stampede. “But I said to him, ‘Don’t be an idiot, it isn’t true.’”

Witnesses and journalists at the event had confirmed that the circling helicopter was in fact innocently dropping leaflets saying “Happy Irreecha”, the name of the festival.

[Photo: Loading aid. Unintended consequences. James Jeffrey/IRIN]

Policy backfire?

Even before the state of emergency, Ethiopia was one of the most censored countries in the world and a top jailer of journalists, according to the Committee to Protect Journalists.

Independent media does exist in Ethiopia, but it struggles. Last month, the Addis Standard, a well-respected private magazine, announced it was stopping its print edition due to the latest round of restrictions.

“The government has created this problem for themselves,” remarked a freelance Ethiopian journalist.

The Ethiopian diaspora in the United States maintains a strong cyber presence and is rallying to the political reform movement. Jawar Mohammed, a particularly prominent US-based social media activist, has 500,000 followers on Facebook, and broadcasts information and footage from protests demanding an end to EPRDF rule.

“The diaspora do amplify what’s happening, but it didn’t start with us,” Jawar said in an interview earlier in 2016.

Internet shutdowns between mid-2015 and mid-2016 have lost the Ethiopian economy about $9 million, according to a recent report by the US-based Center for Technology Innovation at the Brookings Institution.

“Internet disruption slows growth, costs governments tax revenue, weakens innovation, and undermines consumer and business confidence in a country’s economy,” said report author Darrell West, vice president and director of governance studies at the Brookings Institution.

“As internet-powered businesses and transactions continue to grow to represent an increasingly significant portion of global economic activity, the damage from connectivity disruptions will become more severe.”

Olukotun of Access Now said such blackouts were particularly damaging for developing countries “striving to embrace the digital economy and innovation”.

“We’ve seen juice sellers, online banks, courier services, and internet companies all lose drastic amounts of money during disruptions,” he said.

But for the ruling party in Ethiopia, a country that has known centralised authoritarian rule for millennia, the concept of ceding any of that control is anathema.

“Censoring the internet is not a solution to the protests or resistance,” said Karanja, the Kenyan researcher. “It is a blockage to the democratic trajectory of a country.”

The Tragedy of Ethiopia’s Internet February 3, 2016

Posted by OromianEconomist in Internet Freedom.

The Tragedy of Ethiopia’s Internet

By Justin Lynch, Motherboard, 1 February 2016



Nafkot Nega thinks journalists are terrorists. When I visited him and his mother, Serkalem Fassil, at their tiny apartment in the outskirts of Washington, DC, in early January, 9-year-old Nafkot intermittently murmured and jabbed his hands, pretending to be a superhero fighting criminals.

Perhaps some of those criminals were journalists like his father, Eskinder Nega, who was convicted of violating Ethiopia’s anti-terror law in July 2012. Eskinder is currently serving an 18-year prison sentence.

“Journalism is a crime or a terrorist act in his mind because what has been portrayed about [his dad],” Serkalem explained to me through a translator. “Not only his dad, but if you mention any journalist he will scream and say ‘I don’t like journalists!’”

Their story is a weaving tale that mirrors how Ethiopia, home to over 90 million people, became a digital hermit nation. How Nafkot came to believe journalism is a crime equivalent to terrorism is a case study of how governments have used the internet as a tool for repression.

***The only way to access the internet in Ethiopia is through the government-owned provider, Ethio Telecom, which has unilateral control over the telecom industry. A burgeoning tech scene in neighboring Kenya, which has an internet penetration rate of 69.6 percent, has garnered the name “Silicon Savannah.” But in Ethiopia, the monopoly on internet access has created one of the most disconnected countries in the world.

Only 3.7 percent of Ethiopians have access to the internet, according to the latest data, one of the lowest penetration rates in the world. By comparison, South Sudan, which lacks most basic government services, has an internet penetration rate of 15.9 percent. There are only ten countries with lower internet penetration than Ethiopia. Most of them, such as Somalia and North Korea, are hampered by decades-long civil wars or largely sealed off from outside world.

As one of the fastest growing economies in Africa, with one of the most storied cultures in the world, Ethiopia’s lack of internet access is astounding. It’s also troubling.

It’s unclear exactly how many Ethiopians can access the internet. Those who can, however, must contend with the specter of state surveillance. The Ethiopian government is suspected of deploying spyware and other hacking and surveillance tools to surveil individuals, including at least one American citizen, hooked to the web. Because of these alleged cybersleuthing efforts, the Ethiopian government has turned an engine of commerce and information into an afterthought and an instrument of surveillance.

Nafkot. Illustration: Shaye Anderson

Former American diplomats, current members of Ethiopia’s intelligence agency, and foreign policy experts all told me that the Ethiopian government is afraid of dissident views spreading online, and has crafted its intelligence service, telecom sector, and legal codes to stamp out digital dissent.

Perhaps the foremost victim of the country’s internet crusade is young Nafkot, who believes his father is a terrorist because he’s a journalist. Nafkot’s parents were two of the most well-known journalists in Ethiopia; Eskinder and Serkalem were internationally award-winning media moguls, who began their respective careers after the communist Derg regime fell in 1987 and a new government formed in 1991. After a disputed parliamentary election in 2005, where ensuing protests turned violent, both Eskinder and Serkalem were arrested.

Unbeknownst to either of them, Serkalem was pregnant.

***The prohibitive factors that cause Ethiopia’s digital divide are straightforward. The monopoly on internet access has made it prohibitively expensive for many citizens to get online. Routine service outages make connections unreliable. And for those Ethiopians who do manage to access the internet, there is little content available in the local language of Amharic.

Whether these barriers to internet access are the intended result of a system designed to limit the spread of information, or the unintentional byproduct of a monopolistic cash cow is about as murky as the country’s dealings in cyber-espionage.

“Ethiopia wants to maintain as much control as possible over the internet so that it can prevent internal comments that are critical of government policies and minimize access to critical comments originating outside Ethiopia,” David Shinn, the former American ambassador to Ethiopia, told me.

A member of the Information Network Security Agency, one of Ethiopia’s intelligence agencies, also told me the monopoly purposefully limited internet access to preserve security in the country.

“It’s because of security reasons, and I don’t think there is anything related to that other than this,” said the official, who works on technical capabilities and spoke on the condition of anonymity because he did not want to talk about his employer. “Everything connected to the internet is slowing down. Entrepreneurs can’t create their companies.”

Ethiopia is among a constellation of African nations made of patchworks of ethnic identity, and Bronwyn Bruton, the Deputy Director of the Africa Center at the Atlantic Council, told me that the government has led the fractured country by limiting freedom of expression.

“The Ethiopian state is very fragile,” Bruton said. “It’s built on a premise of segregation that is in theory separate but equal, however in practice dominated by one ethnic group, the Tigray. The Tigreans are only about six percent of the population but they absolutely dominate political and economic power.”

When I asked Teressa Belete, the Chief Enterprise Officer at Ethio Telecom, if the lack of internet access was a deliberate result of the government to limit free speech and dissent, he seemed genuinely confused and dismissed the idea. The advantage of a government monopoly, Belete said, is that rural Ethiopians, who make up a majority of the country’s population, wouldn’t be serviced by private companies with profit motives.

Yet Ethio Telecom, which was founded in 1952, made an estimated $300 million profit per year, as The Economist reported in 2012. And Ethio Telecom used the excess funds to bankroll railway development in the country.

“The country lags far behind in terms of liberalization of the [telecommunications] sector,” said Lishan Adam, a consultant who has worked with the World Bank on information and communications tech policy. “They missed most of the liberalization era in the 1990s, and there was a delay in terms of getting internet.”

Adam told me Ethiopia only became connected to the internet in 1997, and said that while the desire to limit free speech might be a factor in the lack of internet access, it wasn’t the main reason why most Ethiopians aren’t online.

Ethiopia’s internet penetration rate is reported to be 3.7 percent as of November 2015. Ethiopian officials take issue with that figure, reported by the World Bank. They argue it’s inaccurate because it doesn’t fully account for mobile subscribers. The World Bank’s numbers do include mobile subscribers, but it’s likely the reported number is still too low, and Adam estimated that the true internet penetration rate is between five and 15 percent of the population.

***Nafkot was born in prison in 2006. He was premature and couldn’t breathe at room temperature. Doctors wanted to move him immediately to a hospital with incubators, but the only hospital that could admit him required a signed form from one of his parents. Serkalem was still under anesthesia, and the police wouldn’t bring the form to Eskinder. Nafkot could not get the treatment he needed.

“They didn’t really care about his life, but for the grace of God survived,” Serkalem said, her voice rising with anger.

Nafkot stayed at his grandparents’ home until Serkalem and Eskinder were released from prison. At that point, Serkalem and Eskinder could not continue working as print journalists; along with most of the independent newspapers in the country, theirs were shut down. Serkalem stopped writing altogether. Eskinder began blogging online, one of the first in the country to do so.

“He turned to blogging because all of the other avenues were closed,” Serkalem said. “Although he knew that not many had internet access in Ethiopia, it was better than being silent. He knew it wasn’t going to do much, but he needed to write.”

Serkalem. Illustration: Shaye Anderson

The internet penetration rate in Ethiopia was 0.2 percent in 2005, and it is believed by internet security experts that the government’s online censorship began in 2006, the year Eskinder started blogging. Opposition websites inside Ethiopia became inaccessible that year, and the government was assumed to be behind the censorship.

Before parliamentary elections in 2010, the Ethiopian government introduced a vague anti-terrorism law in an effort to avoid another contested election, Jeffrey Smith, an international human rights expert based in Washington, DC, told me. The law has become a cornerstone of the government’s censorship, labeling anyone who “influences government” a “terrorist.”

“Ethiopia is an example of a ruling regime that uses the term ‘terrorism’ as a politically expedient term,” Smith said. “The terrorism concerns inside the country are real but they have gone way beyond that, and have systematically abused human rights.”

With the Arab Spring protests in late 2010, there was hope the anti-government rallies that began in Tunisia would spread to Ethiopia. Eskinder’s blogging was provocative and confrontational during this time. In one 2011 article he prodded the Ethiopian military to choose the side of the people like the Egyptian military did at the time.

“Ordinary citizens took the initiative all over North Africa and the Middle East,” Eskinder wrote in another post, published September 2, 2011. “The results made history. They are powerful precedents for the rest of humanity. While inspiring words, sober analyses and robust debates are indispensable as ever, they will remain exactly no more than mere words unless translated into actions. To Ethiopia this means risking the core of a much cherished collective vision—peaceful transition to democracy.”


On September 14, 2011, while Eskinder was picking up Nafkot from school, the Ethiopian intelligence service surrounded Eskinder’s car and arrested him. Serkalem raced to the scene. She found Nafkot crying, but no Eskinder. Serkalem took Nafkot to his grandmother’s house, then went straight to the Maekelawi prison, notorious for practices of torture. She waited for three hours for Eskinder to show up. But he never did.

That’s because Eskinder was actually at their house, watching the intelligence service rifle through the family’s belongings. Serkalem recalled that when she returned home the intelligence officers tried to stop her from entering, but she forced herself through to reach Eskinder. Panicked, she yelled out to him.

“Calm down, and be courageous!” Eskinder shouted back. Then he was taken away.

Afterward, Serkalem went to pick up 5-year-old Nafkot. The boy was clearly traumatized from witnessing his father arrested at school. The next day, Nafkot didn’t want to go back.

“No school for me,” he said.

***The Ethiopian intelligence apparatus is one of the most invasive in the world. Exiled Ethiopian journalists in Nairobi, Kenya, told me of being followed or snooped on by government agents who had no interest in hiding their identity. One Ethiopian businessman joked to me about how he wouldn’t be surprised if he heard a third-party cough while talking with someone over the phone.

Felix Horne, the Ethiopia researcher at Human Rights Watch and author of a comprehensive report on the Ethiopian surveillance agency, told me that the government has a nationwide program called “five to one.” It’s an all-seeing system in which five citizens are monitored by one individual. It is like a listening node in a system that spans the entire country, with the goal of preserving command over its many ethnic groups.

“The Ethiopian government, like many other governments, appears to be using hacking tools to supplement their regular surveillance regime,” said Bill Marczak, a research fellow at Citizen Lab. The Ethiopian government’s traditional surveillance methods are “effective for someone who is looking inside Ethiopia, but one of the features of Ethiopia is it has a very large diaspora community spread out over many different countries in the world.”

Washington, DC, has around a quarter million Ethiopian expatriates, and there is a large presence in Europe, Marczak added. And there is “no way other than hacking, phishing, and targeted attacks to monitor these people.”

Eskinder. Illustration: Shaye Anderson

When Neamin Zeleke received an email in December 2014 claiming to have inside information about a sensitive subject in Ethiopia, his home country, he recognized it as a likely hack. Zeleke was managing director of Ethiopian Satellite Television and Radio (ESAT), one of the largest Ethiopian news outlets, and run by members of the country’s diaspora. Its website and TV service are banned in the country. But Ethiopians can still access the channel and website through satellites and proxy servers.

Zeleke told me that ESAT satellite service has been jammed 20 times by the government. The latest jam, he said, happened just a few minutes before he and I met in early January. He forwarded the suspicious email to Marczak of Citizen Lab, who recognized that it carried a low-level bug likely from Hacking Team, a provider of surveillance software to governments across the world.

Using software from Hacking Team, an Italian company, and likely the Gamma Group, a European company, the Ethiopian intelligence service has targeted journalists and political opponents with invasive systems that allow the government to remotely activate a computer camera and microphone, record keystrokes, and monitor online activity. The frequency of these attacks and other surveillance capability is obscured by the inherent secrecy of spycraft, and that the targets of these hacks either don’t know, or don’t want to share that they’ve been infiltrated makes it difficult to assess the tools and motivations of their hacking, Marczak told me.

Zeleke is both a journalist and a political opponent. He is a member of Ginbot 7, an armed opposition group in Ethiopia that is labeled a terrorist organization by the government. Security experts told me that there is no evidence Ginbot 7 has ever undertaken terrorist activity, and the organization is not on the US State Department’s list of terror organizations.

Ginbot 7 is largely a collection of exiled Ethiopians who operate outside the borders of the country they wish to change. According to an ESAT report, Ginbot 7 has attacked government soldiers, which Zeleke confirmed to me.

Zeleke stepped down as managing director of ESAT in early 2016. He didn’t have the time for it anymore, and told me he was worried he could no longer be objective. He is now a consultant for the organization, though he still holds a corner office in the station’s tiny studio, which is lined with awards from prestigious human rights organizations.

One of the awards was for Eskinder Nega.

Zeleke told me ESAT took the award on behalf of Eskinder, who “was considered one of the pioneers of independent media in Ethiopia.”

In the ESAT news bullpen, and also next to Eskinder’s award in Zeleke’s office, was a large portrait of Andargachew Tsige, the founder of Ginbot 7, in military fatigues. Tsige is believed to be under arrest in Ethiopia. Zeleke leapt toward me when I tried to take a photo of the portrait next to Eskinder’s award.

“I don’t think that’s appropriate for this story,” Neamin said, moving Tsige’s photo out of the shot.

Later, I asked Zeleke if he thought the Ethiopian government was targeting him and other ESAT journalists because of their dissident views, or because the government perceives the organization as affiliated with Ginbot 7. What if authorities didn’t know where Zeleke’s political activity ends, and his journalism begins? It wouldn’t justify the surveillance. But because there have been so few public cases of the Ethiopian government’s targets, the distinction could illuminate the motivations of the intelligence service’s hacking—primarily to stop the flow of information, or targeting perceived political threats.

The head of the government agency that runs Ethiopia’s hacking, the INSA, declined to comment for this story.


Zeleke told me that the Ethiopian government is monitoring ESAT because it is a political organization affiliated with Ginbot 7, but it is a fully independent organization and the journalists are from across the political spectrum.

“The fact that I am affiliated with Ginbot 7 may be a factor, but without me being here, whoever is the head of ESAT, these journalists [would be attacked],” he told me. “Others, many others who are not Ginbot 7, thousands of others, are subject to cyberattacks and surveillance. So, I mean, logically you have to see the context. This is a routine practice by the police, an authoritarian state to control the populous, to control the flow of information, and to intimidate alternative media and political dissenters.”

***Serkalem and Nafkot would visit Eskinder in prison every Saturday and Sunday after he was sentenced. Eskinder tried to convince Nafkot that he was just in school, not at prison, to make the burden of an absent father easier on his young son. Born in a prison, Nafkot recognized that his father wasn’t in school.

“No, you’re in jail,” he would say to his dad.

Nafkot Nega believes that the profession of his parents is a crime equivalent to terrorism. Innovative industries in Ethiopia have been hamstrung to preserve this philosophy, and those who do access the internet are targets of relentless hacking.

When they visited, Serkalem told me the jail staff would humiliate inmates in front of their families. Eskinder grew concerned that Nafkot would become desensitized to the brutality and grow resentful of the world.

“It’s OK to be jailed for what you believe in, but to see the impact on your family and your son, he couldn’t bear, and asked me to take him away,” Serkalem told me. The real punishment wasn’t his time wasted behind bars. It was seeing Nafkot suffer without a father.

Eskinder started to ask his wife and son the same question each time they visited: “Have you bought your ticket?” He also pressed other family members and friends who visited to convince Serkalem and Nafkot to leave Ethiopia, so he could finish his time with the peace of mind that his family would be safe.

The last time Nafkot saw his father was July 23, 2014. Serkalem had purchased two tickets for the United States the next day, and Eskinder tried to cheer up his son during their last visit.

“America is right nearby!” he exclaimed.

Serkalem told me she wants to create a positive memory for Nafkot of his father. She wants to convince her son that his father’s sacrifice was not in vain. Eskinder is scheduled to be released from prison in 2030, when Nafkot will be 23 years old—the same age Eskinder was when he opened his first newspaper in Ethiopia.


http://motherboard.vice.com/read/the-tragedy-of-ethiopias-internet