Thursday, March 14, 2013

Ethiopia uses Ginbot 7 pictures to plant spyware in computers

Authors: Morgan Marquis-Boire, Bill Marczak, Claudio Guarnieri, and John Scott-Railton 
This post describes the results of a comprehensive global Internet scan for the command and control servers of FinFisher’s surveillance software. It also details the discovery of a campaign in Ethiopia that used FinFisher to target individuals linked to an opposition group. Additionally, it provides an examination of a FinSpy Mobile sample found in the wild, which appears to have been used in Vietnam.
Summary of Key Findings
  • We have found command and control servers for FinSpy backdoors, part of Gamma International’s FinFisher “remote monitoring solution,” in a total of 25 countries: Australia, Bahrain, Bangladesh, Brunei, Canada, Czech Republic, Estonia, Ethiopia, Germany, India, Indonesia, Japan, Latvia, Malaysia, Mexico, Mongolia, Netherlands, Qatar, Serbia, Singapore, Turkmenistan, United Arab Emirates, United Kingdom, United States, Vietnam.
  • A FinSpy campaign in Ethiopia uses pictures of Ginbot 7, an Ethiopian opposition group, as bait to infect users. This continues the theme of FinSpy deployments with strong indications of politically-motivated targeting.
  • There is strong evidence of a Vietnamese FinSpy Mobile Campaign. We found an Android FinSpy Mobile sample in the wild with a command & control server in Vietnam that also exfiltrates text messages to a local phone number.
  • These findings call into question claims by Gamma International that previously reported servers were not part of their product line, and that previously discovered copies of their software were either stolen or demo copies.

1. Background and Introduction

FinFisher is a line of remote intrusion and surveillance software developed by Munich-based Gamma International GmbH. FinFisher products are marketed and sold exclusively to law enforcement and intelligence agencies by the UK-based Gamma Group.[1] Although touted as a “lawful interception” suite for monitoring criminals, FinFisher has gained notoriety because it has been used in targeted attacks against human rights campaigners and opposition activists in countries with questionable human rights records.[2]
In late July 2012, we published the results of an investigation into a suspicious e-mail campaign targeting Bahraini activists.[3] We analyzed the attachments and discovered that they contained the FinSpy spyware, FinFisher’s remote monitoring product. FinSpy captures information from an infected computer, such as passwords and Skype calls, and sends the information to a FinSpy command & control (C2) server. The attachments we analyzed sent data to a command & control server inside Bahrain.
This discovery motivated researchers to search for other command & control servers to understand how widely FinFisher might be used. Claudio Guarnieri at Rapid7 (one of the authors of this report) was the first to search for these servers. He fingerprinted the Bahrain server and looked at historical Internet scanning data to identify other servers around the world that responded to the same fingerprint. Rapid7 published this list of servers and described their fingerprinting technique. Other groups, including CrowdStrike and SpiderLabs, also analyzed and published reports on FinSpy.
Immediately after publication, the servers were apparently updated to evade detection by the Rapid7 fingerprint. We devised a different fingerprinting technique and scanned portions of the internet. We confirmed Rapid7’s results, and also found several new servers, including one inside Turkmenistan’s Ministry of Communications. We published our list of servers in late August 2012, in addition to an analysis of mobile phone versions of FinSpy. FinSpy servers were apparently updated again in October 2012 to disable this newer fingerprinting technique, although it was never publicly described.
Nevertheless, via analysis of existing samples and observation of command & control servers, we managed to enumerate yet more fingerprinting methods and continue our survey of the internet for this surveillance software. We describe the results in this post.

Monday, March 11, 2013

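We and They – We Are People of Two Countries

By Sirgute Selassie, 10.03.2013
With a groan, as if in labor, I began it.
(Photo – taken from the Ethiopian Current Affairs Discussion Forum)
Who are we? We are those who burn with the Ethiopianness we were seasoned with. Her trouble is our trouble; her tears are our tears; her grief is our grief; her wretchedness is our wretchedness; we are her children, found in every part of the world, for whom her bowed head is our sorrow. We are flesh and blood of the people who suffer in the grip of the Woyane, from the northern tip to the southern tip, from the southern tip to the western tip, from the western tip to the eastern tip, the people who are our special emblem for their country.
And they? As the saying goes, “He who lives in comfort chews his porridge.” They are rocks, given not even a drop from the storehouse of Ethiopianness … they are appointed and rewarded on the back of tears …. They educate their children in luxury; when it pleases them, they send them abroad and, scooping up dollars, let them live it up.
As for our forlorn compatriots, their fate … in search of work, our compatriots perish in their thousands, scattered: from thirst, from lack of strength for the journey, from floods, from sexual assault, from the treachery of employers; and, without ever reaching where they intended, they become supper for the vultures. Those who are scalded by fire in exile, those who die crashing down from upper floors, those who go mad with anxiety and are left with their whereabouts unknown: no reckoning can capture their number. As for our compatriots living on the streets in countries such as Italy, their number is beyond counting.
The number of our sisters in prostitution, who march straight toward death with their eyes open, who face death saying “let us eat and then die”, is if anything greater than, and certainly no smaller than, the number of our other compatriots who are victims of this hardship. For the elderly who pass away behind closed doors with no one to care for them, to our curse, before we could give them their due, earth has become their supper and stone their pillow. The number of our own who are too ashamed to beg is countless. Our compatriots evicted from their land are lining up to sell their children so that they may survive a while longer …. for a bitter farewell;
(Photo – taken from the Ethiopian Current Affairs home page – from the translation of a statement issued by Survival International)
The age-old custom and culture handed down by our forefathers is gone; today we have reached a time when, even in the farmers' villages, coffee itself is drunk alone, each by himself, as in Europe. And the snack that goes with the coffee has vanished. So we stand on the side of those who are naked and bare, who lack even a daily morsel and a burial shroud, who have no shelter; for them the day itself is gnawed bare and stripped!
They, meanwhile, appoint three people to a single deputy prime minister's post, four in total with the prime minister himself … Yes! We are not partisans of the Woyane's suit-wearers. We are on the side of these people ….
They: they mock! ….
They run riot! ….
They frolic on the savings of the people's tears!
In the hollow chariot of arrogance they live it up!
They even mock God the Creator. Perched on a body that will decay, they revel. As the saying goes, “O ox! You saw the grass, but ….” This too shall pass. The only thing that does not pass is that which was never created. They are deceived by the course of nature … oblivious to their own decay, they dance. Weeds!
(Photo – taken from the Current home page, from Abe Tokichaw's article “The Laughingstock Parliament”)
… We and they do not meet; we can never even draw near to each other. …. In no era and at no time do we meet … we are people of two countries. Always, yes always, because we and they do not meet in this unbalanced nature, in this inner self whose balance is undetermined, we are people who will not meet until death, nor in history. Even if we die, our bones will never make peace with the bones of betrayal. - Haram!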

UDJP always salutes Ethiopia’s prisoners of consciousness

The Horn Times Newsletter 11 March 2013
by Getahune Bekele, South Africa

Despite the ongoing assault on political parties, religious institutions, journalists and perceived or real members of any opposition group by Ethiopia’s ruling minority junta security apparatus, one of the main opposition parties, UDJP, Unity for Democracy and Justices, is still commemorating prisoners of consciousness by organizing a splendid candle light gathering on the third day of every month in Ethiopia to show the incarcerated brave souls utmost consideration and courtesy.
Since its establishment on 20 June 2008, UDJP has produced great revolutionaries who are currently languishing in jail or banished into exile, people like the famous young patriot Andualem Arage, a man of great courage and noble spirit.
Speaking to the March issue of Finotenetsanet newspaper, the party’s chief public relations officer Ato Daniel Tefera (pictured) said the struggle to free Ethiopia from dictatorial rule by peaceful means is advancing well and his party expects a positive result.
“Arresting citizens for demanding religious freedom or other rights had been common in the past 50 years in this country. We are working to end this flagrant violation once and for all. We are steadfast in our demand for the immediate release of those jailed in relation with the freedom of worship. UDJP believes they are also prisoners of consciousness,” Daniel Tefera added.
Lamenting the extremely difficult working conditions due to tight control and heavy restrictions, the articulate Daniel Tefera said the party is using its headquarters in Addis Ababa as a community hall to interact with the population, encouraging them to conquer fear and stand firm on their various demands.
Asked by Finotenetsanet to comment on the current state of the nation the public relations chief of UDJP replied…
“It is very difficult to explain because citizens are labeled terrorists for demanding certain rights. For example, our Muslim brothers who were arrested and charged for simply demanding freedom of worship have been tried and convicted by the government media. Journalists are being charged with terrorism and sent to jail for writing issues close to the heart of the people. Some have already left the country…and they are still leaving…”

Sunday, March 10, 2013

The price of the so called war on terror on journalists in Ethiopia is high

The case of the US vs Bradley Manning

Why have the US media shied away from covering the source of the WikiLeaks material yet gorged on his information?

Our feature takes us to Ethiopia where the US ‘war on terror’ has provided cover for laws that are being used to silence dissident journalists. Reeyot Alemu is one of those journalists – she has been sentenced to five years in jail. Foreign reporters have also been charged under anti-terrorism laws for daring to communicate with opposition groups. The Listening Post’s Nic Muirhead takes a closer look.
US Private Bradley Manning is no longer the alleged source of all those documents to WikiLeaks. According to his own testimony, delivered before a military court on February 28, Manning was the source – nothing alleged about it.

In a pre-trial hearing for the first time, Manning admitted that he broke the law when he released around 700,000 government documents to WikiLeaks but these lesser charges did not satisfy the United States government.
Calling more than 100 witnesses – some anonymously and in closed hearings – prosecutors will argue that Manning’s leak put national security and lives at risk by ‘aiding the enemy’.
If convicted, Manning – the traitor, could face life without parole but what of Manning – the whistleblower?