On January 30, Reuters released two investigative reports on hacking activities of the United Arab Emirates’ National Electronic Security Authority (NESA) targeting political leaders and activists, suspected terrorists, and the governments of Qatar, Turkey, and Iran. The report is the latest evidence of an ongoing cyberwar by the UAE and its ally Saudi Arabia against Qatar, and the UAE has been enlisting US and Israeli experts to help.
Reuters’ sources also said that the project targeted American citizens for surveillance.
Citing documents reviewed by Reuters and eight individuals who claimed to have worked as US contractors supporting the operation (referred to as Project Raven), the report claims that Baltimore-based CyberPoint and the UAE-based firm DarkMatter—ostensibly hired to help NESA build a threat monitoring and defensive capability similar to the National Security Agency/Central Security Service National Threat Operations Center (NTOC)—also had a secret task of providing NESA with an offensive cyber capability. Some of the US citizens employed by CyberPoint and later by DarkMatter were former NSA analysts who worked at NTOC or, in some cases, NSA’s Tailored Access Operations unit.
If US contractors targeted American citizens for a foreign government by using electronic surveillance, that would be in violation of US law—and potentially fatal for companies such as CyberPoint, which has done work for the US government at the Patent and Trademark Office, DARPA, and other agencies. Ars attempted to reach CyberPoint executives for comment, but we received no response before publication. However, Ars was able to reach Daniel Wolfford, a former NSA analyst, former director of threat intelligence at DarkMatter, and now co-founder of a Dubai-based cybersecurity and cryptocurrency firm called Advanced Analysis. Wolfford strongly denied the accusation.
“We did not hack Americans,” he told Ars. “Our mission was simple: advise and assist UAE to create a national cyber security program similar to NTOC.” The work done creating a “target list,” Wolfford said, was part of a training operation “to teach the Emiratis about lawful targeting and collection.” He added, “We tried to show them who is and isn’t a threat to their national security.”
Reuters’ sources—including Lori Stroud, the only source who went on the record with Reuters—were CyberPoint contractors who left after DarkMatter took over the project, when UAE officials became uncomfortable with having a US-based firm involved in sensitive security operations in 2015. Stroud was a Booz Allen contractor at NSA’s NTOC, and she was partially responsible for hiring Edward Snowden.
The Reuters report is not the only evidence of attempts by the UAE government to conduct offensive cyber campaigns against Qatar and other governments—those campaigns included a May 2017 attack on the Qatar News Agency’s website to publish faked statements by the Emir of Qatar praising the government of Iran, which triggered the still-ongoing diplomatic standoff between Qatar and other Gulf nations. Saudi Arabia also appears to have been involved in the hacking operation, which occurred just after a visit to Riyadh by President Trump. Trump had tweeted his support for actions against Qatar by Saudi Arabia, the UAE, Bahrain, and Egypt despite the US’s alliance with Qatar and the presence of a major US military facility there.
According to Al Jazeera, the international news service funded by the Qatari government, the attack against QNA’s website was coordinated from within a Saudi ministry building in Riyadh. A story citing US intelligence sources implicated the UAE in the attack. A shell company in Azerbaijan with a UAE registry approached three Turkish companies to conduct a vulnerability scan of QNA’s servers. Once the data was turned over by the penetration testers, the company evaporated. Five people in Turkey were arrested and cooperated with Turkish and Qatari authorities.
Mobile hacking for hire
The UAE bought mobile device spyware from the NSO Group, an Israeli company, as far back as 2013. The country targeted members of the Qatari royal family, Qatari journalists, and domestic targets including Emirati human rights activists, according to reports. A staff member of Amnesty International working in Saudi Arabia was also targeted, as were members of the Saudi royal family, based on leaked documents and emails cited in a lawsuit against NSO. The exploit offered by NSO used a malicious text message to gain access to devices.
Saudi prince Mutaib bin Abdullah—who was arrested in November of 2017 along with 10 other Saudi princes in an “anti-corruption” campaign by Saudi crown prince Mohammad bin Salman—was specifically targeted.
The leaked documents also show that an Abu Dhabi-based company called Al Thuraya acquired a tool called VOLE (Voice Over Location Enabler) from CT Circles Technology Ltd with the intention of providing it to UAE’s NESA. VOLE was advertised as enabling the interception of calls made and received with targeted devices while they were internationally roaming. It also targeted location data for the device and other metadata. DarkMatter also signed a non-disclosure agreement with CT Circles, based on the document cache. CT Circles is based in Cyprus, but the organization has connections to Israel.
Emails in the cache show Eric Banoun, an Israeli and a senior executive at Circles, received a request from Ahmad Ali al-Habsi, an official of the UAE’s Supreme Council for National Security. Banoun and Circles were to intercept calls for four numbers in August of 2014. Two of the numbers belonged to bin Abdullah. Another belonged to Saad-eddine Rafic Al-Hariri, the former prime minister of Lebanon, and the final number belonged to the Emir of Qatar. Based on the emails, the Circles system used SS7 routing commands to perform call interception—meaning that it exploited the international call routing system itself. While the phones targeted could be located, they could not be intercepted, because they were not internationally roaming, according to email exchanges.
According to Reuters, in 2016 NESA obtained an exploit tool called “Karma” for remote attacks on iPhones. The tool used a “no-click” exploit to gain access to iOS devices, allowing the harvesting of data from the phone. This attack appears to be similar to an exploit offered by the Munich-based hacking tool company FinFisher to a nation-state mobile surveillance operation documented in a presentation by researchers from Lookout at the Shmoocon security conference in Washington, DC last month.
Stroud told Reuters that the introduction of Karma “was like, ‘We have this great new exploit that we just bought… Get us a huge list of targets that have iPhones now.’ It was like Christmas.” The exploit became less effective after an iOS update in 2017.