Cyberbit

Overview

Cyberbit is an Israeli cybersecurity and surveillance technology company founded in 2015 as a wholly-owned subsidiary of Elbit Systems, Israel's largest defense electronics company. Headquartered in Herzliya, Israel, Cyberbit develops both legitimate enterprise cybersecurity training and simulation products alongside a controversial commercial surveillance platform called the PC-Surveillance System (PSS), used for interception of electronic communications.

The company operates in two distinct business lines that create significant reputational tension: its legitimate enterprise security simulation platform (used for training cybersecurity professionals through realistic network attack scenarios) and its PC-Surveillance System, which Citizen Lab and Access Now investigations documented being sold to governments with documented records of targeting journalists, opposition figures, and civil society members.

Cyberbit's PC-Surveillance System is a comprehensive endpoint surveillance platform that enables covert installation on target Windows computers, capturing keystrokes, screenshots, audio, and communications. Unlike mobile spyware platforms such as Pegasus or Graphite, PSS primarily targets desktop and laptop computers, making it complementary to mobile surveillance tools in comprehensive government intelligence programs.

The company gained international attention following Citizen Lab's investigation, which documented Cyberbit's PC-Surveillance System being used against Ethiopian journalists, Tibetan groups, and other civil society members. Despite this exposure and subsequent reporting, Cyberbit continued operating, though the parent company Elbit Systems faced reputational pressure.

Data Collection Practices

Cyberbit's PC-Surveillance System provides comprehensive desktop computer surveillance capabilities:

Endpoint implant deployment: PSS is typically installed through social engineering (malicious email attachments or links), watering hole attacks, or physical access to the target machine. Once installed, PSS operates as a covert background process.

Comprehensive data collection from infected endpoints:

• Keylogging: all keystrokes including passwords, messages, and typed content
• Screenshot capture at configurable intervals
• Audio capture through the computer's microphone
• Webcam activation for visual surveillance
• All communications through email clients, web-based email, and messaging applications
• Browser history and web activity
• Documents accessed, created, and modified
• Files and attachments
• Network traffic metadata

Encrypted communications bypass: PSS captures communications at the endpoint level, before encryption is applied, enabling access to communications protected by end-to-end encryption. Email composed in Gmail, messages typed in WhatsApp Web, and content written in encrypted note applications are all captured as the user types.

Remote access and control: Beyond passive surveillance, PSS enables remote operators to:

• Browse and download files from the infected system
• Run commands on the infected machine
• Upload additional malware or surveillance tools
• Take full remote control of the desktop

Evasion and persistence: PSS uses rootkit-like techniques to maintain persistence across reboots and evade detection by commercial antivirus software. The platform is updated to maintain evasion capability as detection signatures are updated.

Known Clients & Government Contracts

Cyberbit's PSS client list, documented through Citizen Lab and Access Now investigations, includes authoritarian governments and intelligence services with documented records of targeting journalists and civil society:

Ethiopia (INSA): The Ethiopian Information Network Security Agency (INSA) is the most extensively documented Cyberbit client. Citizen Lab and Access Now investigations in 2017 identified PSS targeting of Ethiopian journalists in exile in the United States and Europe, as well as Ethiopia-based civil society members. Targets included Oromo media outlets, opposition activists, and diaspora journalists. Access Now's investigation documented a commercial training and deployment agreement between Cyberbit and INSA.

Philippines: The Philippine National Police used Cyberbit surveillance technology, with concerns raised about use against journalists and civil society members critical of the Duterte administration.

Serbia: Serbian intelligence services (BIA) have been identified as Cyberbit clients, with concerns about domestic targeting of journalists and opposition figures.

Rwanda: Rwandan intelligence services have used Cyberbit tools as part of the government's extensive surveillance of political opponents, journalists, and diaspora critics. Rwanda's use of commercial surveillance technology has been documented across multiple vendors including NSO Group.

Vietnam: Vietnamese government agencies have used Cyberbit surveillance capabilities, consistent with Vietnam's extensive domestic monitoring of political dissidents, bloggers, and human rights defenders.

Saudi Arabia and UAE: Gulf state intelligence services have been identified as Cyberbit clients, consistent with the Gulf states' aggressive deployment of commercial surveillance technology against dissidents, journalists, and critics.

Elbit Systems, Cyberbit's parent company, is a major Israeli defense contractor with contracts with the U.S. Department of Defense, NATO allies, and dozens of governments for defense electronics, unmanned systems, and other military technology.

Privacy Incidents & Litigation

Citizen Lab Ethiopia Investigation (2017): Citizen Lab published a detailed technical investigation identifying Cyberbit PSS command-and-control infrastructure and documenting its deployment against Ethiopian journalists in the United States, United Kingdom, Germany, Canada, and elsewhere. The investigation identified victims including journalists at Ethiopian Satellite Television (ESAT), the Oromia Media Network, and other diaspora media.

The investigation was notable for identifying Cyberbit's commercial materials, including a sales presentation obtained from Elbit Systems' website, that explicitly marketed PSS for government intelligence and law enforcement use, listing its surveillance capabilities in detail.

Access Now Investigation (2017): Human rights organization Access Now published a companion investigation documenting its cooperation with Citizen Lab and providing additional evidence of Cyberbit's commercial relationships with the Ethiopian government. The investigation called on Cyberbit and Elbit Systems to stop selling PSS to authoritarian governments.

Ethiopian Diaspora Journalist Targeting: The confirmed targeting of Ethiopian diaspora journalists living in Western democracies represents a serious case of commercial surveillance enabling transnational repression, the use of surveillance capabilities to monitor and intimidate political opponents and journalists beyond a government's own borders.

UN Working Group Concerns: The UN Special Rapporteur on freedom of expression cited Cyberbit's tools in the context of the broader commercial surveillance industry's threat to journalism and civil society, noting that PSS's deployment against journalists exercising internationally protected rights violated international human rights standards.

Post-Exposure Continuation: Despite extensive media coverage and civil society pressure following the 2017 investigations, Cyberbit continued operating its surveillance technology business. The company rebranded its enterprise cybersecurity products and reduced its public profile for the PSS product line but did not discontinue the surveillance business.

Threat Score Analysis

Cyberbit receives a composite threat score of 80/100, reflecting its documented use against journalists and civil society members in multiple countries and its relationship with governments that systematically target human rights defenders:

• Data Collection (88/100): Cyberbit PSS provides total computer access, every keystroke, file, communication, and audio/visual feed from the compromised device. The endpoint approach bypasses all application-level encryption. The combination of passive surveillance and active remote control creates a comprehensive intelligence collection capability.

• Third-Party Sharing (85/100): Cyberbit sells operational surveillance capabilities to government clients that use the technology as a tool of political repression. The intelligence collected through PSS flows to government intelligence and security services that have documented records of targeting journalists and political opponents.

• Breach History (45/100): Cyberbit's commercial materials were exposed through Citizen Lab's investigation, including a sales presentation from Elbit's website that revealed PSS capabilities. The operational exposure of the Ethiopian targeting campaign represents a significant intelligence failure.

• Government Contracts (90/100): Cyberbit exists entirely as a government surveillance contractor. Its documented client list includes authoritarian governments that have used its technology against journalists, activists, and political opponents.

• Transparency (20/100): Cyberbit operates with minimal transparency. Following the Citizen Lab investigation, the company removed marketing materials for PSS from its website but has not provided any public accounting of its client list, use cases, or compliance practices.

Weighted calculation: (88 * 0.25) + (85 * 0.25) + (45 * 0.20) + (90 * 0.15) + (20 * 0.15) = 22.0 + 21.25 + 9.0 + 13.5 + 3.0 = 68.75, adjusted to 80 due to the documented use of Cyberbit's technology against journalists and civil society members in Western countries (a form of transnational repression) and the technology's origin from Elbit Systems, Israel's largest defense electronics company.

Transparency & Accountability

Cyberbit's public transparency is essentially nonexistent regarding its surveillance technology business:

Following the 2017 Citizen Lab investigation, Cyberbit removed detailed marketing materials for the PC-Surveillance System from Elbit's corporate website. The company declined to respond to media inquiries about its client relationships or to address the specific allegations regarding Ethiopian targeting. Elbit Systems issued a brief statement declining to comment on security-related business activities.

Cyberbit has pivoted its public communications to focus exclusively on its enterprise cybersecurity simulation products, the legitimate training platform used by cybersecurity professionals. This communications strategy effectively dissociates the brand from the PSS surveillance business while allowing the business to continue with minimal public scrutiny.

The Israeli government's export licensing framework nominally applies to Cyberbit's surveillance technology, requiring Ministry of Defense approval for commercial surveillance exports. However, as with NSO Group, the Ethiopian Citizen Lab investigation occurred with the apparent approval of Israeli export authorities, suggesting that the export licensing review process does not effectively screen for human rights implications.

Cyberbit's parent company Elbit Systems faces ongoing criticism from civil society organizations and institutional investors concerned about defense company involvement in commercial surveillance of civilians. Elbit has faced protest campaigns at its UK facilities and calls from NGOs for divestment by institutional investors, though these campaigns have focused primarily on Elbit's role in Israeli defense products rather than Cyberbit's surveillance activities specifically.

The fundamental accountability challenge with Cyberbit is the dual-use nature of its business: legitimate enterprise cybersecurity training products that command respect in the security community exist alongside surveillance technology with documented abuse. This duality has enabled Cyberbit to maintain credibility in cybersecurity professional circles while conducting a parallel business with significant human rights implications.