Team of American Hackers and Emirati Spies Discussed Attacking The Intercept

Operatives at a controversial cybersecurity firm working for the United Arab Emirates government discussed targeting The Intercept and breaching the computers of its employees, according to two sources, including a member of the hacking team who said they were present for a meeting to plan for such an attack.

The cybersecurity firm, DarkMatter, brought ex-National Security Agency hackers and other U.S. intelligence and military veterans together with Emirati intelligence analysts to compromise the computers of political dissidents at home and abroad, including American citizens, Reuters revealed in January. The news agency also reported that the FBI is investigating DarkMatter’s use of American hacking expertise and the possibility that it was wielded against Americans.

The campaign against dissidents and critics of the Emirati government, code-named Project Raven, in fact began in Baltimore. A 2016 article by former Intercept reporter Jenna McLaughlin revealed how the Maryland-based computer security firm CyberPoint had assembled a team of experienced Americans for a contract to train the UAE’s budding offensive hacking and surveillance capabilities, leaving some recruits unsettled. Much of the CyberPoint team was later poached by DarkMatter, a local firm with close ties to the Emirati government headquartered just two floors from the Emirati equivalent of the NSA, the National Electronic Security Authority. (The NESA later became the Signals Intelligence Agency.) One of McLaughlin’s sources described the episode as “more of a ‘hostile takeover’ directed by the United Arab Emirates government — ending CyberPoint’s original UAE contract and offering positions within the country instead, to get engineers under its own roof.” A subsequent story by the same reporter for Foreign Policy detailed how American spies at DarkMatter had been crucial in building the UAE’s intelligence apparatus. The NESA would go on to become Project Raven’s primary “client,” responsible for handing down groups and organizations to be targeted and compromised.

“When the article hit, it mentioned DarkMatter, so we had to tiger team a response.”

According to the hacking team source, who discussed the episode on the condition of anonymity because they were not permitted to speak to the press, this reporting vein that revealed the connection between DarkMatter and the Emirati government made The Intercept a target. “When [McLaughlin’s first] article hit, it mentioned DarkMatter, so we had to tiger team a response to that,” said the source, using jargon for a specialized response group. “Any time NESA or DarkMatter had any media, we would get pulled in to develop target lists.”

Project Raven monitored the internet for mentions of DarkMatter, said Jonathan Cole, an ex-Raven employee who worked in targeting, to make sure that the public-facing cybersecurity company’s name wasn’t attached to the work being done by its hackers on behalf of the NESA. “When an article like this would come out, [the client] would be very upset,” the source added, referring to the NESA.

The Emirati consulate did not return a request for comment about NESA’s relationship with DarkMatter or allegations of targeting American citizens.

A second person familiar with the matter confirmed discussions about targeting The Intercept, saying the talks included Marc Baier, a top American DarkMatter executive formerly with the NSA. This person did not say if the discussions led to a decision.

Following several news reports tying DarkMatter to Emirati government surveillance, DarkMatter chief financial officer Samer Khalife moved some Americans from DarkMatter to a new company, Connection Systems, according to the second source, who requested anonymity because they were not authorized to speak to the media. The purpose of the new company was to create the appearance that DarkMatter no longer conducted surveillance and cyberoperations on behalf of the Emirati government — but Khalife installed his brother as the company’s nominal boss, this person said. Connection Systems today employs multiple former DarkMatter staffers, according to LinkedIn.

Neither Khalife nor Baier responded to a request for comment.

It is not clear if an attack against The Intercept was ever carried out. The Intercept was unable to find evidence of an attack by DarkMatter on its computers. But the targeting would have happened in 2016, so it’s possible that malicious messages were rejected by a spam filter or discarded in the intervening years.

A third source familiar with Project Raven, who spoke on the condition of anonymity because they were not permitted to discuss their work, said they were not aware of any attempt to target The Intercept or its employees, and that it was unlikely a coordinated attack of that sort could have been attempted by DarkMatter’s resident NESA hackers without attracting the attention of their American counterparts. Still, this source noted that the covert targeting of an American publication by Emirati nationals was technically possible.

Other ex-Project Raven members contacted by The Intercept declined to comment, some citing the FBI investigation. The FBI declined to comment.

In an email to The Intercept, DarkMatter’s marketing chief Priscilla Dunn said the company “rejects” the claim that it targeted The Intercept in retaliation for prior coverage. Dunn declined to specifically deny that this discussion took place and refused to comment on the existence of Project Raven or the company’s collaboration with the NESA, providing instead the following statement:

Our work in cyber security is single-mindedly focused on defensive capabilities. Our values and principles call for us to have the highest impact on the societies and economies we serve.

We develop our own intellectual property and partner with vetted global-technology companies and the government to develop cybersecurity products, solutions and services that are all in public view on our website.

Cyber security is still a relatively young field and the discussion around it is increasingly polarized. DarkMatter wants to be part of this discussion and has been a leading voice in the media and in forums on how to build cyber resilient societies, economies and institutions.

Aldar HQ office building where DarkMatter has their headquarters.

Photo illustration: Soohee Cho/The Intercept, Google Map

Planning and Execution

The hacking team source said that they did not participate in any attempt to hack The Intercept, but were present in a conference room inside Project Raven’s Abu Dhabi headquarters when the attack was discussed. According to the source, others in the room included Al Anood Al Kaabi and Fatema Mohammed Al Shehhi, two NESA analysts; and Ryan Adams, the team’s American operations director, a U.S. Air Force veteran. None responded to requests for comment.

“Literally, the guidance to us as the target developers was, ‘Here’s the article, find the people responsible, find the people pushing it around, that’s your target list — go,’” the source said.

“The guidance was, ‘Here’s the article, find the people responsible — go.’”

According to the hacking team source and Cole, target lists drawn up by individual Project Raven analysts in response to a news article typically included not only the article’s author, but also potentially others connected to that person, including anyone who might have contributed to, edited, or even shared the article. Counterattacks against negative mentions of the Emirati government — and the NESA in particular — cast a “pretty wide net,” said the hacking team source, sometimes sweeping up not only an article’s author, but also the “author’s boyfriend, girlfriend, or brother … two or three hops out” from the original target. The idea was to hack anyone who might be communicating with the target, Cole said, and to “go get anyone you can to get a foothold in this organization” in order to spy on their sources, as the source put it. Compiling an actual target list would be up to individual Project Raven analysts.

After the target list was set, the next step would have involved the execution of a text, social media, and email spearphishing campaign by NESA analysts “trying to quiet the issue or redirect attention” away from the negative article.

Phishing messages are designed to trick the recipient into taking some action, and in national security cases at DarkMatter typically involved trying to get them to open malicious documents in common formats like PDF, RTF, and Microsoft Word, which would be sent by email, according to Cole.

Such attacks were conducted after scouting for an individual’s digital weaknesses, according to the hacking team source and Cole. “When you did your target research, [that included] the basics about a person, their technical footprint, any social media accounts, any selectors, mobile, email, social handles, things like that,” said the hacking team source. Once a target’s online life was mapped, “you could pair those with [computer] exploits” from DarkMatter’s “in-house exploit inventory.” If the client “really wanted them bad,” Project Raven would purchase exploits from a third party, including so-called zero day software vulnerabilities, or those that have yet to be identified by the software’s maker. Such attacks are particularly dangerous and difficult to guard against. If opened, such exploits could have granted persistent access to the target’s computer.

According to Cole, trying to breach a journalist was typically a means to an end rather than an attempt to damage the journalist themselves. “If someone from The Intercept was talking to a [national security] target,” Cole explained, “you could go after an Intercept account” in order to get to that national security objective. Project Raven hackers would often work to build a rapport with a target by posing as a potential source or supporter through initial messages, only later springing the trap. “Once you elicit trust, you can inject a [malicious] document into the chain,” said Cole. “It’s more probable someone will open an exploit if you’ve established communications in safe manner.”

If targets traveled to the UAE, Project Raven would take advantage of their proximity, at times going so far as to break into a target’s room, explained the hacking team source: “If they’re in country we just go to the service provider and say, ‘Hey, we need … access,’ [or] poison their wireless access at a hotel.” This source said that Project Raven tasked members of the Emirati State Security Department to “dress up as cable guys, do fake repairs, be in a hotel where you needed to be, swap out your laptop charger for one that looks similar” in order to compromise a target’s devices.

Project Raven’s practice of targeting journalists, American or otherwise, was disclosed in the Reuters report, which mentioned the presence of “three … American names on the hidden targeting queue” at DarkMatter in Abu Dhabi. These names have yet to be identified. According to the report, “One of [DarkMatter’s] key targets in 2012 was Rori Donaghy … a British journalist and activist who authored articles critical of the country’s human rights record.”

UAE-villa-screenshot-nogrid-1560283454

NESA analysts and DarkMatter personnel discussed targeting The Intercept at a property in this neighborhood of Abu Dhabi’s Khalifa City, a private residential suburb whose rental villas are popular among business executives and expats.

Photo illustration: Soohee Cho/The Intercept, Google Map

The Americans

The hacking team source said that although they personally refused to help target U.S. individuals and organizations, that work ended up being done one way or another. “Unfortunately when you generate a target list and you’re working with a small tiger team, I can say all day long that I’m not working that person that’s on the list, but then it’s just given to the next person on the team,” the source said. The prevailing feeling, they added, would be “the client fucking wants this now, we need to do it. The client doesn’t care what the citizenship is.”

“The client fucking wants this now, we need to do it. The client doesn’t care what the citizenship is.”

Cole, who worked on similar operations against non-U.S. targets, said he had no involvement in or firsthand knowledge of efforts to hack Americans or American computer systems, but recalled being warned about these efforts by a concerned American co-worker at the time. Cole also said he worried Americans were being targeted by the American-aided hackers, despite assurances from above that any information on U.S. citizens vacuumed into the group’s central repository of hacked data was accidental. Cole says he now believes such collection was deliberate, and that Project Raven’s leadership falsely claimed that the U.S. government was informed of any incidental surveillance of Americans and that such data was routinely purged from DarkMatter computers. “I suspected that for a while,” he told The Intercept. “I was raising the flag in monitoring for that specific thing. The understanding was [collected American data] was being communicated back to the U.S. intelligence agencies. That’s what we were led to believe, but we found out later that was a fallacy.” Files from American sources that Cole’s managers promised him they would delete wound up sticking around. “There was always different rationales and excuses,” Cole said, when a promised purge of American data failed to materialize. “I was told one thing and observed another.”

Be the first to comment

Leave a Reply

Your email address will not be published.


*