Ethiopia, by the way, is one of the NSA’s approved SIGINT partners. As you can see on this chart, taken from the Snowden documents published in Glenn Greenwald’s book “No Place to Hide,” Ethiopia received $450k from the NSA to build its surveillance capabilities, including those targeting “terrorists,” which is what the Ethiopian government calls political dissidents. Citizen Lab reports have found both FinFisher and HackingTeam command and control servers operating in Ethiopia. Given how relatively inexpensive these products are, $450k goes a long way towards covering those costs.
Three months later, I was put in touch with a person in Washington DC who provided technical support for Ginbot 7, known by the pseudonym Kidane. I explained the researcher’s findings, described FinFisher’s capabilities, and he allowed an expert to examine his computer for malware. Forensic analysis revealed that his computer had been infected with FinFisher’s surveillance tool, FinSpy. It had been uninstalled, but the uninstallation process had left traces which enabled us to know some of what the software had recorded and possibly exfiltrated back to the Ethiopian government. This data included Skype calls and Google searches. Further analysis traced the infection back to an infected Word document attachment that had been sent by agents of the Ethiopian government and forwarded to him.
Because the spying happened in the United States—in fact—Mr Kidane’s laptop never left the US, EFF is representing him in a lawsuit against the Ethiopian government. We are suing the Ethiopian government for violating the US wiretapping act and state privacy law.
This case is important because it demonstrates that state-sponsored malware infections and can indeed are occurring in the U.S. against U.S. citizens. It seeks to demonstrate that warrantless wiretapping is illegal and can be the basis of a lawsuit in the United States, regardless of who engages in it.
Meanwhile, British privacy watchdogs Privacy International the findings on Mr. Kidane’s computer, as well as Citizen Lab’s extensive research into the use of UK-based Gamma International’s surveillance software to facilitate human rights violations to put pressure on Her Majesty’s Revenue and Customs to investigate these exports. We expect that EF’s law suit and PI’s legal action will take a long time to work their way through the courts. The fight against governments that abuse human rights through targeted surveillance and the companies that sell to them, facilitating that abuse, but is a long one, but it would not be possible at all without public research directly linking human rights abuses to the surveillance software.
So, what do I want you to do with your next year of research? If you find malware targeting vulnerable groups, publish your research. Ideally, it should be written in a way that can be understood by journalists and activists and ordinary readers, who can turn it into advice for the targets and fodder for policy decisions—and if you can’t do that, partner with a journalist or activist from the affected community.
If you are concerned about the possibly legal implications of publishing your research, contact me at the Electronic Frontier Foundation. We have an entire floor of lawyers who have been defending the rights of security researchers to publish their work for decades. If you are located outside of the United States, or you are concerned about legal action outside of the US, I can make a referral.
We couldbeheroes -recon2014
We Could Be Heroes
Global Policy Analyst, Electronic Frontier Foundation
Predictable C2 domain naming convention.
Dark Comet RAT
March 2012: Fake YouTube Website
YouTube credential phishing
June/July 2012: Skype phishing
August 2012: Facebook phishing
Repeated use of 220.127.116.11 as C2.
Dark Comet RAT
Operating from November 2012 to present
Zero hour plan for the city of Aleppo
Plans for a revolutionary high council
Skype encryption program
Names of some militants in Syria and abroad who
are wanted by the Syrian regime
30+ DarkComet RAT samples connecting to
1 Xtreme RAT sample connection to 18.104.22.168
C&C stayed up during Internet blackout in Syria
“"The current Ethiopian government has a well-
documented history of human rights violations
against anyone it sees as political opponents. Here,
it wiretapped a United States citizen on United
States soil in an apparent attempt to obtain
information about members of the Ethiopian
diaspora who have been critical of their former
government. U.S. laws protect Americans from this
type of unauthorized electronic spying, regardless
of who is responsible."
EFF Staff attorney Nate Cardozo