Ethiopia | Allegation of FinSpy malware smells fishy

Last week, media outlets, citing a briefing published by CitizenLab – an interdisciplinary laboratory based at the University of Toronto, Canada – widely reported an allegation that the Ethiopian government is using FinSpy malware.

FinSpy is a lawful interception malware developed and marketed by a British company, Gamma International, and is said to have the ability to “capture information from an infected computer, such as passwords and Skype calls, and send the information to a FinSpy command & control (C2) server.”

The malware has been detected, at one time or another, on servers located in 25 countries – including Australia, Bahrain, Canada, Germany, India, Japan, the Netherlands, Qatar, the United Arab Emirates, the United Kingdom and the United States – according to CitizenLab’s research briefing.

CitizenLab claimed that its research “strongly suggests” that Ethiopia is using FinSpy to intercept “political activists” by embedding the malware in images of officials from Ginbot-7, an organisation designated as terrorist by Ethiopian law.

Although CitizenLab did not say how the FinSpy-embedded images were distributed, media reports claimed that emails were used as the conduit.

This is certainly an alarming allegation for many internet users, except perhaps Ginbot-7 officials.

In an interview with their friendly media outlet, VOA Amharic, Ginbot-7 officials seized the opportunity to announce that their regime-change struggle tactics include “cyber war” and that they have long been engaged in such battles with Addis Abeba, both on the offensive and the defensive. This would be a plausible claim, if only Ginbot-7 did not have a track record of making exaggerated statements.

The Ethiopian government’s response to the FinSpy allegation was vague.

An official from the Ministry of Communications & Information Technology (MoCIT) categorically denied the purchase and use of technologies that are primarily developed for interception. He did not, however, deny the capability to intercept telecom services, noting that it could be conducted by telecom operators by retracing logs, subject to court approval.

It is difficult to tell which of the diametrically opposed versions – from the Ginbot-7 and the MoCIT officials – is closer to the truth.

But the CitizenLab report is inconclusive on closer inspection.

The malware was first detected on an Ethiopian Internet Protocol (IP) address by Claudio Guarnieri, one of the co-authors of the CitizenLab report. Last August, he listed a number of IP addresses, including the Ethiopian one, that had been detected sending the malware, in an article where he cautions:

“We are not able to determine whether they’re actually being used by any government agency, if they are operated by local people, or if they are completely unrelated at all: they are simply the results of an active fingerprinting of a unique behaviour, associated with what is believed to be the FinFisher infrastructure. Our guess is that parts of the identified [Command & Control servers] are acting as proxies.”

So, what changed since August?

Since Gamma International would not disclose the names of its clients, CitizenLab’s allegation against the Ethiopian government rests on the type of image allegedly found embedded with the malware.

CitizenLab’s report claimed that:

“the existence of a FinSpy sample that contains Ginbot-7 members’ images, and that communicates with a still-active command & control server in Ethiopia, strongly suggests that the Ethiopian Government is using FinSpy.”

However, it is counter-intuitive that the FinSpy command & control server in Ethiopia has been “detected in every round of scanning [since last August], and remains operational at the time of this writing”, as the report indicates.

Other IP addresses – in similar cases in other countries – have been shut down or relocated immediately after they were publicly listed with similar allegations. Evidently, both Gamma International and Ethiopia would have strong reasons to do the same, to disguise the use of any malware, if they were in control of these servers.

Unfortunately, CitizenLab would not respond to my email inquiring about the context in which the images were used, including the adjoining texts. In the case of other countries, such primary data were disclosed.

In short, it does not seem that CitizenLab found a smoking gun.

In fact, one is bound to be skeptical of the report, as it is too ideological for security research, with conclusions premised on the perceptions that Ginbot-7 is a legitimate dissident group, that the images of its leaders are ideal bait, and that Addis Abeba needs to resort to such means.

Whatever the quality of the report may be, however, it reminds us of the absence of sufficient safeguards for Ethiopian telecom users.

The official from MoCIT, in the interview mentioned above, reassuringly cited the recent Telecom Fraud Offenses proclamation, which makes unlawful interception of telecom services a crime punishable with up to 15 years’ imprisonment.

However, the proclamation is not yet fully in force, as it needs to be seconded by a regulation to be issued by the Council of Ministers.

Moreover, the mandate to oversee such misconduct apparently lies with the same body that is supposed to monitor telecommunication services for national security.

This is a worrying overlap of duties that should be rectified in the forthcoming regulation, whose drafting should be accompanied by a public hearing, unlike the proclamation’s, which was not.

*********

* A version of this article was first published in my column in Addis Fortune, on March 24, 2013, titled “FinSpy allegation smells fishy”.

Daniel Berhane