Canadian Security Research Center Citizen Lab's report on spying by Ethiopian government | March 13, 2013
"...
3.1 FinSpy in Ethiopia
We analyzed a recently acquired malware sample and identified it as FinSpy. The malware uses images of members of the Ethiopian opposition group, Ginbot 7, as bait. The malware communicates with a FinSpy Command & Control server in Ethiopia, which was first identified by Rapid7 in August 2012. The server has been detected in every round of scanning, and remains operational at the time of this writing. It can be found in the following address block run by Ethio Telecom, Ethiopia’s state-owned telecommunications provider:
IP: 213.55.99.74
route: 213.55.99.0/24
descr: Ethio Telecom
origin: AS24757
mnt-by: ETC-MNT
member-of: rs-ethiotelecom
source: RIPE # Filtered
The server appears to be updated in a manner consistent with other servers, including servers in Bahrain and Turkmenistan.
MD5 8ae2febe04102450fdbc26a38037c82b
SHA-1 1fd0a268086f8d13c6a3262d41cce13470886b09
SHA-256 ff6f0bcdb02a9a1c10da14a0844ed6ec6a68c13c04b4c122afc559d606762fa
Figure 2. The image shown to the victim contains pictures of members of the Ginbot 7 Ethiopian opposition group
In this case the picture contains photos of members of the Ethiopian opposition group, Ginbot 7. Controversially, Ginbot 7 was designated a terrorist group by the Ethiopian Government in 2011. The Committee to Protect Journalists (CPJ) and Human Rights Watch have both criticized this action; CPJ has pointed out that it is having a chilling effect on legitimate political reporting about the group and its leadership.
The existence of a FinSpy sample that contains Ethiopia-specific imagery, and that communicates with a still-active command & control server in Ethiopia strongly suggests that the Ethiopian Government is using FinSpy.
...
The Vietnamese and Ethiopian FinSpy samples we identified warrant further investigation, especially given the poor human rights records of these countries. The fact that the Ethiopian version of FinSpy uses images of opposition members as bait suggests it may be used for politically influenced surveillance activities, rather than strictly law enforcement purposes.
The Ethiopian sample is the second FinSpy sample we have discovered that communicates with a server we identified by scanning as a FinSpy command & control server. This further validates our scanning results, and calls into question Gamma’s claim that such servers are “not … from the FinFisher product line.”[10] Similarities between the Ethiopian sample and those used to target Bahraini activists also bring into question Gamma International’s earlier claims that the Bahrain samples were stolen demonstration copies."
Source: CitizenLab.org
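A defender-side check built from the indicators quoted above (an added example written for this post, not code from Citizen Lab or the report): it flags connection-log entries whose destination is the listed command & control address or its /24, and compares a file's MD5/SHA-1 to the published sample hashes. The log line format and the log lines themselves are constructed; the SHA-256 is left out because the value as printed above is shorter than a full 64-character digest.

```python
import hashlib
import ipaddress
import re

# Indicators quoted in the Citizen Lab excerpt above.
FINSPY_C2_IP = ipaddress.ip_address("213.55.99.74")
FINSPY_C2_ROUTE = ipaddress.ip_network("213.55.99.0/24")
FINSPY_SAMPLE_HASHES = {
    "md5": "8ae2febe04102450fdbc26a38037c82b",
    "sha1": "1fd0a268086f8d13c6a3262d41cce13470886b09",
}

# Constructed log format (assumption): "<ts> src=<ip> dst=<ip> dport=<port>"
LOG_RE = re.compile(r"src=(\S+)\s+dst=(\S+)\s+dport=(\d+)")


def classify_destination(ip_text):
    """'c2' for the known server, 'c2-block' (lower confidence) for the
    rest of the Ethio Telecom /24 it sits in, None otherwise."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:  # malformed field, e.g. a hostname or garbage
        return None
    if ip == FINSPY_C2_IP:
        return "c2"
    if ip in FINSPY_C2_ROUTE:
        return "c2-block"
    return None


def flag_connections(log_lines):
    """Return (src, dst, dport, verdict) for every line whose destination
    matches an indicator; lines that do not parse are skipped."""
    hits = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        src, dst, dport = m.groups()
        verdict = classify_destination(dst)
        if verdict:
            hits.append((src, dst, int(dport), verdict))
    return hits


def hash_matches(data):
    """True if the bytes hash to the published MD5 or SHA-1 of the sample."""
    return (hashlib.md5(data).hexdigest() == FINSPY_SAMPLE_HASHES["md5"]
            or hashlib.sha1(data).hexdigest() == FINSPY_SAMPLE_HASHES["sha1"])


# Constructed sample log lines, not taken from the report.
SAMPLE_LOG = [
    "2013-03-13T10:01:02Z src=10.0.0.5 dst=213.55.99.74 dport=443",
    "2013-03-13T10:01:05Z src=10.0.0.7 dst=93.184.216.34 dport=80",
    "2013-03-13T10:02:11Z src=10.0.0.9 dst=213.55.99.200 dport=22",
]
```

Running `flag_connections(SAMPLE_LOG)` on the constructed lines reports the first as a direct C&C contact and the third as traffic into the same /24, and `hash_matches(open(path, "rb").read())` checks a suspect file against the sample's hashes.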