The Current

Ethiopian government used spyware against dissidents: report

It's never been easier for governments to keep track of and spy on dissidents, but now that spyware can be bought virtually off the shelf, any country can get in the game.


In October 2016 at the Irreecha religious festival in Bishoftu, Ethiopia, at least 55 people were killed in a stampede after police fired tear gas into the crowds. 

The deaths sparked nationwide protests and within days, a different kind of countermeasure got underway: cyberattacks.

Festival goers flee during a deadly stampede in Bishoftu. Several thousand people had gathered at a sacred lake to take part in the Irreecha ceremony, in which the Oromo community marks the end of the rainy season. (Zacharias Abubeker/AFP/Getty Images)

Given the work activist Jawar Mohammed does with the Oromia Media Network (OMN) and his profile online, he figured he'd be an obvious target, but it was how he was targeted that surprised him.

"When this suspicious email came, I did not open it. I passed it to our IT department. They looked at it, and they suspected it might be spyware," he tells The Current's Anna Maria Tremonti.

"We in the media were providing the domestic and international community with updated information from every village. So the situation was extremely intense. The government was very nervous, the population was angry. So it was this time that they tried to hack me."

Residents of Bishoftu crossed their wrists above their heads as a symbol for the Oromo anti-government protesting movement during the Oromo new year holiday Irreechaa in Bishoftu, October 2, 2016. (Zacharias Abubeker/AFP/Getty Images)

Even before the protests, Mohammed says the government was using different hackers from Russia and China to get into his email and attack OMN's website. 


What made the email suspicious?

Mohammed says the email looked like it came from people he knew. It also included a link that, when clicked, prompted an Adobe software download.

"That was quite strange so I stopped there and contacted our IT people," he says.

The University of Toronto's Citizen Lab, which studies surveillance and content filtering on the internet, was then contacted to investigate the email.
Bill Marczak at the University of Toronto's Citizen Lab says rules and oversight regarding lawful intercept are lacking. (Getty Images)

Bill Marczak, senior research fellow at the facility, says that on inspection, a link in Mohammed's email that appeared to point to EastAfro.com, an Eritrean online video portal, was not what it seemed.

"When we looked at the link, it actually appeared that someone had registered a website to look like EastAfro.com which was called EastAfro.net. So it was a lookalike website which was our immediate clue that something was suspicious," Marczak tells Tremonti.

Testing in a virtual machine in the lab determined that when the link in Mohammed's email was clicked and the software downloaded and installed, "it would have started sending information from the computer back to a server on the internet which is a telltale sign of spyware," Marczak says.
 

Is this illegal?

While it's typically illegal for a private individual to use spyware against someone else, Marczak says when it's a government following this procedure, they can often use local law as a defence.

"But the problem is that governments like Ethiopia and other places, the rules and oversight regarding lawful intercept are lacking," he says.


Marczak says the lab was able to trace a sample of the spyware from Mohammed's email to a fake Adobe Flash update used by computer security researchers who investigate suspicious files.

"We noticed the second sample was signed by this company Cyberbit. And from there we looked at its website and found out that this is the company that claims to sell exclusively to governments," he explains.

The spyware was traced to Ethiopia because the server attached to it had a publicly accessible log file, according to Marczak.

"This is not typically something that you want to have on your spyware server if you're running a secret operation," Marczak says, adding that the company probably forgot that this feature existed.

"The log file showed who was logging in to check the results of the spyware. In other words, who was logging in to download the data that was being uploaded by infected computers, and we found an IP address traced to Ethiopia."

The Current did contact Canada's privacy commissioner, Daniel Therrien, for comment on this story. A spokesperson replied that online surveillance by foreign governments is outside the commission's jurisdiction, and directed The Current's producers to Global Affairs. We contacted that department, but no one got back to us. 

The Current also contacted the Ethiopian embassy in Ottawa. A spokeswoman there said no one was available to speak to this issue today. 


Listen to the full conversation above — including Dmitri Vitaliev, co-founder and director of eQualit.ie, a Montreal-based nonprofit that provides support, training, and digital protection for journalists, activists and civil society workers worldwide.


This segment was produced by The Current's John Chipman and Susana Ferriera.