Ethiopia Allegedly Spied on Security Researcher With Israel-Made Spyware

The digital rights watchdog Citizen Lab has exposed a new spyware company that sells surveillance technology to governments.
December 6, 2017, 5:00am
Image: John Wollwerth/Shutterstock

On March 30 of this year, Bill Marczak woke up and checked his email. His eyes immediately spotted something suspicious in his inbox: a message about Ethiopia containing only a one line link written in comic sans font.

The phishing email that the hackers sent to Bill Marczak. Image: Bill Marczak

Marczak is a researcher at Citizen Lab, a group that studies how governments around the world use new technologies such as spyware against dissidents and activists. For years, Marczak and his colleagues have exposed several hacking attacks against people all over the world. This time, however, Marczak himself became the target.

“It was pretty shocking,” Marczak told me in a phone call.


Marczak received the email while he and his colleagues were investigating a series of phishing emails sent to Ethiopian journalists and activists with a history of criticizing the current government. Those emails, including the one sent to Marczak, were designed to infect targets with spyware made by the Israeli company Cyberbit, a subsidiary of the defense contractor Elbit Systems, according to a new report published on Wednesday by Citizen Lab.

In the last few years, governments all over the world have purchased spyware designed to monitor targets’ computer and cellphone communications, siphoning off emails, text messages, chats, calls, and more from the victims’ devices. There is now a flourishing, albeit lightly regulated, market for these kind of products. Countries like Ethiopia and Mexico have already been caught using several different spyware products made by surveillance tech vendors such as FinFisher, Hacking Team, or NSO Group.

Citizen Lab already showed that Ethiopia bought spyware from FinFisher and Hacking Team, showing that despite some companies getting exposed for helping governments spy on their citizens, the spyware market is now crowded enough that customers can just switch to a different provider. This new research also shows that despite Citizen Lab’s previous investigations showing abuse of these technologies, Ethiopia keeps using them to target dissidents.

Got a tip? You can contact this reporter securely on Signal at +1 917 257 1382, OTR chat at, or email

This latest investigation began when Jawar Mohammed, the executive director of Oromia Media Network, received a suspicious email in October of 2016 and forwarded it to Citizen Lab, which is part of the University of Toronto's Munk School of Global Affairs. Oromia Media Network broadcasts from the United States, and covers news from the Ethiopian state of Oromia. Mohammed and his colleagues have often come in the crosshairs of the Ethiopian government. Earlier this year, Ethiopia charged Mohammed with terrorism and treason for the alleged role of his company in fueling protests.

“The government doesn’t like what I do. The fact that I do a lot of reporting and expose their corruption and killings,” Mohammed told Motherboard in a phone call. “Both the charges and hacking are to meant to take me out of the market, disable me and prevent me from reporting.”


Mohammed said he wasn’t surprised to be targeted with spyware, as he and his colleagues are aware of being a “top target for government because of our reporting.”

The Ethiopian embassy in Washington DC did not respond to a request for comment.

Read More: The Tragedy of Ethiopia’s Internet

Once Mohammed sent Marczak the phishing emails, the researcher started to analyze them and found that the malicious links pointed to websites designed to look like real news and media sites such as The sites showed targets a pop up prompting them to download a malicious new version of Adobe Flash player, which contained the malware.

Code referencing something called PC Surveillance System PSS was “all over the spyware code,” Marczak said. PSS is a spyware product for Windows sold by Cyberbit, according to Citizen Lab.

The malware connected to a command and control server, and when Citizen Lab scanned the internet for similar servers it found several others. Shockingly, the servers displayed a public directory of files, and among them were logs listing all the hacking victims with their IP addresses and geolocation, which helped Citizen Lab to identify and warn logical targets with the help of Ethiopian activists.

“That was the really surprising thing,” Marczak told me. “The extent to which this stuff was easily discoverable.”

Thanks to these files, Citizen Lab was able to find several other victims and alert them. All of them received phishing emails resembling the ones Mohammed and Marczak received, according to Citizen Lab.


A spokesperson for Cyberbit replied to an email containing a series of specific questions with a statement. The spokesperson said that each Cyberbit sale is regulated and approved by the Israeli Ministry of Defense, and the company "does not operate the products" and "is not exposed to the manner in which its products are operated by intelligence and defense agencies, which operate covertly by nature."

"Cyberbit Solutions is fully committed to confidentiality towards its customers and is not permitted to relate to any specific transaction or specific customer." the statement continued. "The company’s products contribute greatly to national security in the countries where they are sold and the law enforcement and defense authorities in these countries are committed to operating them in accordance with the law."

This likely won’t be the last time a government gets caught using spyware against dissidents, but this might be one of the sloppiest attempts we've seen yet.

This story has been updated to include Cyberbit's statement.

Get six of our favorite Motherboard stories every day by signing up for our newsletter.