Details on Hacking Team Software Used by Ethiopian Government

The Citizen Lab at the University of Toronto published a new report on the use of spyware from the Italian cyberweapons arms manufacturer Hacking Team by the Ethiopian intelligence service. We previously learned that the government used this software to target US-based Ethiopian journalists.

News articles. Human Rights Watch press release.

Posted on March 17, 2015 at 10:07 AM • 10 Comments


Barnacle BillMarch 17, 2015 1:04 PM

No offense to Ethiopians, but I've got spotty teenagers in my classroom who would do a better job than the INSA. Off-the-shelf malware that even consumer grade antivirus software will detect, Chrome running on Windows, leaking IPs all over the place... Is that the best a national intelligence agency can do?

65535March 17, 2015 8:52 PM

From what I can understand about the Citizen lab report is this:

1] Journalists from the “…Ethiopian Satellite Television Service (ESAT) were targeted, unsuccessfully, with what appear to be two new versions of Hacking Team’s RCS spyware.. “

2] The vector is infection is via a word document exploit with CVE-2010-3333 which was patched my Microsoft in 2010 [and noted at ]. The “persistent threat” is from bogus certificate which is installed on these journalist computers to at more capabilities and contact with a bot net run by the Hacking Team virus vendor.

2a] “…Ethiopian Satellite Television Service is an independent satellite television, radio, and online news media outlet run by members of the Ethiopian diaspora. The service has operations in Alexandria, Virginia These journalists are probably located in the USA and are supported by the USA intelligence community” -Citizens lab. The satellite broadcasting may be done for Alexandra Virginia – or – close to the NSA HQ.

3] Although the attacks seem to be mitigated by a Microsoft patches and/or help from various IC entities in the US.

4] The “persistence” part of the virus depends on the “bogus SSL certificate” trick which is planted on the victim’s computer. This allows a bot net to up-date the modules of the malware.

5] The malware has been modified and is now difficult to detect. “…Detekt fails to detect an infection resulting from the sample sent on December 19, 2014, as these strings are not present. The nonpresence of the strings is indicative of an update to the software from Hacking Team in response to Detekt. According to leaked Hacking Team RCS documentation, installation of RCS updates requires a user license file from the company. Moreover, Hacking Team states that without its continued support to a client, its product “soon becomes useless.”- citizens lab

6] Although the Hacking team failed the malware is at cross-goals of the US government and clearly illegal in the USA – yet the Hacking Team has not been punished. The human rights policies are FUBAR'd.

7] The Citizens lab is concerned that after repeated attacks on Journalists in the USA’s jurisdiction no formal charges have been brought against the Hacking Team – creating a tangled human rights policy.

My question is who do supporters of these Journalists go to for help in this injustice?

[Please excuse of the grammar and other errors]

WorldWithoutOrderMarch 18, 2015 12:30 AM

I am quite surprise there were no attempts to haul Hacking Team and related "surveillance" or a.k.a Military-Industrial-Intelligence Complex contractors in front of the ICJ for prosecution and sentencing which probably because the big players are protecting them from international prosecution.

It would be interesting if China, Russia and other countries(Non-NATO) were to prosecute these bunch of people and see how the US/UK/5Eyes/NATO Warhawks were to react.

Ole JuulMarch 18, 2015 2:50 AM

Every time I read about these things all I see is "Windows". Why? Actually sometimes they don't even mention it and just assume that one would be running that particular operating system.

You know what? I'm going to say it out loud. This whole malware thing is almost always the victim's own fault. Unless they're an IT expert, anybody who cares one iota about their security (and a lot of other things) would not be running Microsoft Windows in this day and age. It takes two to tango.

No, I don't run a Mac, though that might be a good solution - I don't know. I run other operating systems and they work just fine. I suggest that anybody who wants to mitigate the possibility of getting an infection should chose one of the many excellent operating systems that have been around long enough to be mature. There is nothing wrong with MS-Windows other than the lack of security in the hands of amateurs like me, but there is no sane reason why so called responsible adults should ALL be running Windows. Yet it seems like that is the case. For those with little IT knowledge, and perhaps time, they could at least install one of the many excellent Linux distros which all work beautifully right out of the box and require no special knowledge to install. Of course that would not be a complete fix, but it would be a very different world if malware writers didn't just have to code for a system where world plus dog can run software simply by uploading an executable.

albertMarch 18, 2015 11:44 AM

@vas pup
Thanks for the link. The three articles cited at the bottom of the page are interesting as well. Here's another from
@Ole Juul
It's true that leaving Windowstm is a positive step. Most folks I know (myself included) 'grew up' with Windowstm. Most office/work environments use it. (Do you shudder when you see Windowstm on your banks computer screens?) I recommend folks use a small, simple machine, like a netbook, for banking and online ordering only, nothing else. It should boot Linux from a USB stick (like the LPS system from the USAF). Do a fresh boot before each operation. Please use a hardwired connection with isolated wireless on your router. Don't do banking on a cell phone or pad via wireless. That's a border crossing from silly to insane. Old, but capable netbooks can be found (I was gifted one). You can even have Orifice access in Linux, but it's not necessary for banking. It's a little more trouble, but the learning curve is trivial. If you wait 'til you're hacked, you'll curse the sacrifice you made for convenience.
That's my ₯0.02

olgranpawMarch 19, 2015 11:38 AM

Back in my college days, I dated a really foxy sociology professor who had done her doctoral thesis on the inhabitants of a certain tiny Alabama town. The residents, to all appearances, were perfectly normal American citizens. They voted, they went to church, they assiduously obeyed the local laws and ordinances and all the commandments and rules set forth in the Bible. Their homes were well kept, well furnished and neat as a pin.

The only little... well, quirk they shared -- and had shared for generations -- was that there was no sheathing of any kind whatsoever on any of the *interior* walls of their houses. Those walls were all framed with studs, but had no covering of any kind. No drywall, no paneling, nothing.

On her first invited visit, my professor friend found the group sociology just a bit disconcerting. In the middle of a lovely afternoon tea with several neighbor ladies present, neither the hostess nor her guests seemed the least bit disturbed when old Uncle Lester and Aunt Selma went into the bedroom -- separated from the living room only by two-by-four studs, two feet apart -- and proceeded to (rather loudly and enthusiastically) make the proverbial beast with two backs.

The prof spent weeks with these people, and eventually learned that they literally couldn't see any of that stuff -- quote, 'cause them are walls, an' ain't nobody can see through walls!, unquote.

It was considered absolutely insane to even suggest that Uncle Lester might be over there on the throne, grunting one out -- because, as any right-thinking person knows, he's BEHIND THET WALL!

I like to tell this story whenever someone assures me that their Windows computer is secure.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.