FinSpy Allegation Smells Fishy

Last week, media outlets, citing a briefing published by CitizenLab, an interdisciplinary laboratory based at the University of Toronto, Canada, widely reported an allegation that the Ethiopian government is using FinSpy malware.

FinSpy is a lawful interception malware developed and marketed by a British company, Gamma International, with the ability to “capture information from an infected computer, such as passwords and Skype calls, and send the information to a FinSpy command & control (C2) server.”

According to CitizenLab's research briefing, FinSpy command and control servers have been detected, at one time or another, in 25 countries, including Australia, Bahrain, Canada, Germany, India, Japan, the Netherlands, Qatar, the United Arab Emirates, the United Kingdom and the United States.

CitizenLab claimed that its research "strongly suggests" that Ethiopia is using FinSpy to intercept "political activists" by embedding it in images of officials from Ginbot-7, an organisation designated as terrorist under Ethiopian law. Although CitizenLab did not say how the FinSpy-embedded images were distributed, media reports indicate that they were delivered by email.

This is certainly an alarming allegation for many users, except perhaps Ginbot-7 officials.

In an interview with sympathetic media, VOA Amharic, Ginbot-7 officials seized the opportunity to announce that their regime-change struggle includes "cyber war", and revealed that they have long been engaged in such battles with Addis Abeba, both on the offensive and the defensive. This would be a plausible claim, if it were not for the fact that Ginbot-7 has a track record of making exaggerated statements.

The Ethiopian government's response to the FinSpy allegation was vague. An official from the Ministry of Communications & Information Technology (MoCIT) categorically denied the purchase and use of technologies primarily developed for interception. He did not, however, deny that the capability to intercept telecom messages exists, but claimed that such interception could be conducted by telecom operators by retracing logs, subject to court approval.

It is difficult to tell which version is closer to the truth. Upon a closer look, the report by CitizenLab is also inconclusive.

The malware was first detected in Ethiopia by Claudio Guarnieri, one of the co-authors of the recent report. He listed the Internet Protocol (IP) address of the Ethiopian server, along with the other servers that were acting as FinSpy command and control, in an article published last August, cautioning:

“We are not able to determine whether they’re actually being used by any government agency, if they are operated by local people, or if they are completely unrelated at all: they are simply the results of an active fingerprinting of a unique behaviour, associated with what is believed to be the FinFisher infrastructure. Our guess is that parts of the identified [Command & Control servers] are acting as proxies.”

So, what changed?

Since Gamma International would not disclose the names of its clients, this month's allegation against the Ethiopian government rests on the type of image found in the sample that talks to the detected server.

The latest report stated that “the existence of a FinSpy sample that contains Ginbot-7 members’ images, and that communicates with a still-active command & control server in Ethiopia, strongly suggests that the Ethiopian Government is using FinSpy.”

However, it is counter-intuitive that the Ethiopian FinSpy server "has been detected in every round of scanning [since last August], and remains operational at the time of this writing", as the report indicates.

Other listed IP addresses were shut down or relocated immediately after CitizenLab published them. Evidently, both Gamma International and Ethiopia would have strong reasons to disguise their use of the malware if they controlled that server.

Unfortunately, CitizenLab would not respond to an email asking in what context the images were used, including any accompanying text. For other countries, the primary data was disclosed.

In short, it does not seem that CitizenLab found a smoking gun. In fact, one is bound to be skeptical of the report, as it is too ideological for security research, with conclusions premised on the perceptions that Ginbot-7 is a legitimate dissident group, that images of its leaders are ideal bait, and that Addis Abeba needs to resort to such means.

Whatever the quality of the report is, however, it reminds us of the absence of sufficient safeguards for Ethiopian telecom users.

The official from MoCIT, in the interview mentioned above, reassuringly cited the recent telecom fraud offences proclamation, which makes unlawful interception of telecom services a crime punishable with up to 15 years' imprisonment. Yet the proclamation is not fully in force, as it needs to be seconded by a regulation to be issued by the Council of Ministers.

Moreover, the mandate to oversee such misconduct apparently lies with the same body that is supposed to monitor telecommunication services for national security. This is a worrying overlap of duties that should be rectified in the forthcoming regulation, whose drafting should be accompanied by a public hearing, unlike the proclamation's, which was not.
