There is a small army of security researchers dedicated to digging into the details and inner workings of APT campaigns and exposing them to the light. These campaigns often are the work of intelligence services--or contractors working directly for them--and when they’re exposed they often attract quite a lot of attention, and rightly so.

APT campaigns typically go after high-profile government, corporate, or industrial targets and they can have serious, long-term effects. APT groups have been able to infiltrate the global financial system, nuclear facilities, utility systems, and many other highly secured targets. These teams know what they’re doing and have extensive toolsets at their disposal, usually comprising malware, exploits, and other tools that are built to spec by dedicated in-house developers working with enormous budgets.

But there are other, more troubling, campaigns that are just as serious and target victims without the resources and technical skills to defend themselves against high-powered attack groups. These campaigns are run against human rights activists, political dissidents, journalists, and others who may be on the radar of a given government. These attacks don’t get the attention that the campaigns against public targets garner, but they’re fueled by a growing group of shadowy companies that sell powerful commercial intrusion systems. Some of these companies aren’t very picky about who is on their customer lists, and a new report from the researchers at Citizen Lab in Canada shows that some government-sponsored attack groups are continuing to target people outside of their borders with these tools.

In its report, Citizen Lab, part of the Munk School of Global Affairs at the University of Toronto, lays out the details of a wide-ranging campaign of attacks against targets around the world. Citizen Lab attributes the attacks to the Ethiopian government and says that the government is using software from an Israeli firm called Cyberbit to carry out these operations. Cyberbit sells a commercial intrusion and monitoring tool called PSS, mainly to law enforcement agencies and intelligence organizations. Citizen Lab’s researchers were able to identify a C&C server used in the attacks that had a public log file that showed operators inside Ethiopia and targets in countries around the world.

The attacks use well-known techniques that include highly targeted, specially crafted spear-phishing emails that have attachments rigged with the malware or a link that leads to a download of a file. That file may be disguised as a legitimate piece of software, such as an Adobe Flash update, to make it look benign. These are the same types of techniques often used by law enforcement or intelligence agencies in some countries when they target terror or criminal suspects. But these attacks are going after activists and dissidents living around the world.

“Our research, which documents new attacks against civil society by government actors based in and operating from Ethiopia, highlights the need for clear legal pathways for extraterritorially-targeted individuals to seek recourse. At this juncture, the Ethiopian government’s penchant for commercial spyware is notorious, as is its pattern of digital espionage against journalists, activists, and other entities—many of which are based overseas—that seek to promote government accountability and are therefore viewed as political threats. Yet the Ethiopian government and others like it have faced little pressure to cease this particular strain of digital targeting,” Miles Kenyon, one of the Citizen Lab researchers, wrote in a post on the report’s findings.

The Ethiopian government is by no means alone in running these types of operations. In previous reports, Citizen Lab has exposed similar attack campaigns by several oppressive regimes, along with the commercial infrastructure that supports those operations. This is a small but expanding shadow economy that enables the attacks against political targets.

“Commercial spyware companies have also incorporated in the design of their products certain techniques that involve spoofing legitimate companies—for example, by packaging their spyware alongside legitimate software such as Adobe Flash Player—in order to deceive a target, enhancing the likelihood of target infection and spyware persistence,” Kenyon said.

“The result is not only the infection of targeted individuals’ devices, but also the undermining of security of the wider digital ecosystem. Spyware companies have profited, while civil society and legitimate ICT businesses have borne the costs of foreseeable misuse of spyware products and services.”