Transcription performed by Leah Hervoly www.leahtranscribes.com
JACK: What’s a mercenary? Let me look this up; okay, there are two main definitions. One is a soldier hired to do work for another army and the second is a person who works purely because of monetary gains. I’m gonna guess that they don’t have allegiance other than whoever is paying them. They’re hirelings; they get paid to do a job and to get it done and they’re not supposed to ask why. But mercenaries are people and people are complex. They’re filled with emotions and they actually do have allegiance even if they’re paid to forget about that. If you pay a mercenary to do something that goes over their moral line they’ve got internally, conflict happens and everything falls apart.
JACK (INTRO): [INTRO MUSIC] These are true stories from the dark side of the internet. I’m Jack Rhysider. This is Darknet Diaries. [INTRO MUSIC ENDS]
JACK: Let’s get started. Ready?
DAVID: Yes, sir.
JACK: Let’s start with your name, or what do you want to be called on this show, and what do you do?
DAVID: Yeah, my name’s David and I am a type of offensive intelligence analyst. I track foreign intelligence hacking in the United States. That’s what I do now.
JACK: Oh my gosh, I have like, twenty questions already just from saying that. Did you say ‘offensive intelligence analyst?’
DAVID: That’s correct.
JACK: I’ve never heard of that. What does that mean?
DAVID: If a foreign intelligence organization would gain access to any type of US-based critical infrastructure, that would be something that I would help investigate.
JACK: This is gonna be a great episode. It’s very exciting to me because David is going to tell us a story that was a secret up until this year and still remains somewhat shrouded. So, let’s get into it. [MUSIC] Let’s start when he was a teenager. In high school, David really wasn’t into computers at all.
DAVID: Well, I was a long-distance runner. I was involved in all different types of extra-curricular things; student government and stuff like that.
JACK: After high school he went to college and got his degree.
DAVID: It was actually in religion and philosophy.
JACK: Interesting. Take note here; imagine all the morals and ethics one has to consider while majoring in religion and philosophy.
DAVID: My goals at that point were to pursue a career alongside some of my other peers that I might be able to make a difference to. I did look into hey, how could I potentially join as a chaplain? Talking to other people in that same world, they’d say well, I’ve never even met my chaplain, or I’ve never had a real conversation with him, or I don’t know who they are. I realized if I really wanted to make any type of difference in people’s lives, it wasn’t gonna be as a chaplain.
JACK: After getting his degree, David decides to join the military. Off to the Navy he goes. [MUSIC] He does his initial bootcamp, graduates from that; fairly easy and is a full-fledged Navy sailor. But David was hungry for more.
DAVID: My initial school was in BUDS so I joined to sort of become – go through that Navy SEAL track and see how that went.
JACK: Whoa, BUDS is Basic Underwater Demolition Training. It’s what you need to go through to become a Navy SEAL. This is the most rigorous, demanding, and crazy training there is in the Navy. This is what they call Hell Week and it’s much longer than a week. Those who make it through this become practically drown-proof. They become frog-men and most of all, they become weapons experts.
DAVID: [MUSIC] When I talked to a Navy SEAL and his mindset was, the last time I was deployed, I got every type of kill other than a knife kill. He was bragging about that. He just really wanted to get a knife kill. That was like okay, [00:05:00] you know what, I don’t want that to be me. I’m not saying that every Navy SEAL is like that but the potential if somebody can become like that, then there’s the potential that I could become like that. That was something that I wanted to avoid. That’s an important job and I have a lot of respect for Navy SEALs but I just had this fear that I really don’t want that to become me.
JACK: That’s some intense training and you definitely need to do some soul-searching while there. You question yourself on whether you want this bad enough or if you’re fit enough to do it. You have to put mind over matter and push yourself beyond limits you think you can’t ever get over. If you’re gonna push yourself beyond your own limits, you better really want what you’re working for. David wasn’t sure if being a Navy SEAL was for him. He knew that Navy SEALs just weren’t a bunch of killers, but he started to question if he really wanted it bad enough. He rang the bell and quit BUDS, and looked for something else to do in the Navy. Still, he wasn’t interested in computers like, at all. The only thing he knew how to do was check Facebook and e-mails at that point. He’s fit, buff even, and understands religion and philosophy. He looked at his options and for some reason, computers and cyber-warfare caught his attention. He decided to sign up for that in the Navy. Immediately, he needed training, though.
DAVID: Well, the training is pretty basic. Actually, when I say basic, I don’t mean basic. It’s the same type of training you would get everywhere else from a cyber-security perspective, but the pace is significantly faster. Instead of going through a twelve-week course to learn how to code, you do all of that in one week. You literally learn all of it in a single week. You’re set to learn everything from assembly language all the way up to coding languages and then how that’s interacting with different type of assembly languages and how coding – you understand the process, how it all sort of builds. You go all the way up to that spot and then you get back to the application layer, and then you move back down to the exploitation layer. The exploitation layer in that environment is not taught – buffer overflows and exploitation analysis is not taught until you get into more OJT or following courses for different shops.
JACK: This amazes me. The Navy teaches people how to hack. I sort of know they do that, but it kind of boggles my mind every time I hear it. He got training and then started doing security analyst work for the Navy.
DAVID: Yeah, I applied maybe three or four months before I realized – in that time period when I was learning how to be a certain type of cyber-security analyst or an exploitation analyst or in training, how to be a general IT person. I sort of enjoyed it and I realized that I’m in no ways an expert at exploit development, but I didn’t understand the concepts and I don’t give up; it allows me to push through. [MUSIC] From that time period being at the shop, what I did next basically was purchased a Mac Pro server, for instance, installed ESXi on that, and started building stacks and learning hey, I’m learning this at work. I’m not gonna take the exact thing that I’m doing, the exact concept ‘cause we’re not really supposed to do that, but I can – similar layout, similar designs, and let me just replicate this at home so I can continue to learn how to do it. It might be let’s learn how to pivot through a machine or let’s learn how to exploit Active Directory trust relationships, so on and so forth. Being able to build those up and stuff like that allowed – it sort of grew my fascination with it.
JACK: [MUSIC] This is an important quality about David. He didn’t just show up and do his work and go home; instead, he built a lab and practiced on his off-hours and got better and better. Anyone who really wants to excel in this kind of stuff has to have the mindset of always trying to learn and not just doing the minimum. With the Navy teaching him formally in his home lab, he became pretty good at hacking. In fact, his specialty was not just getting in but then pivoting around, moving laterally, and finding what else is in that network. After about four months of doing that, he moved over to the NSA. [MUSIC] Because David was an exploit analyst in the Navy, the NSA came and said hey, why don’t you come work for us, and recruited him over. He started working for the NSA as an analyst there. He worked at the NSA for a while.
DAVID: I’d say August of 2011 to August of 2014, so about three years.
JACK: Then around that time, a new opportunity showed up.
DAVID: At that point I had gotten married. Probably, while I was up there, it would have been maybe almost two years I’ve been married. [00:10:00] It’s time for me to get out of the service. I had gotten an offer to stay there on campus which is at the NSA. Then a different organization, or actually, an individual recruiter reached out to me and said hey…
JACK: There was this recruiter from a company called CyberPoint. This is a company that’s contracted to do various types of hacking. Basically, if he were to work for this company, he would become a hacker for hire. The US government actually grants certain companies extra permissions to conduct stuff like this. The details of this are foggy but this company that was trying to recruit David was vetted by the US government to do this. David listened to the recruiter tell him what the job entails.
DAVID: That I would be doing a lot of different types of offensive work, offensive maybe security, maybe offensive intelligence. That would be some of our goals. Whether or not…
JACK: Give me an example of what some of the offensive work is that you expected to do.
DAVID: Just from previous conversations, I’d understood well, you might be doing some tracking of terrorist organizations to help out and alleviate some of the workload in the United States. [MUSIC] We’re helping them out over there; protect their country as well. Our main understanding was we’re going over there to help them protect their country.
JACK: This sounded good to David; to help protect the country, to help battle terrorists and to reduce some of the workload for the US forces? Alright! The company was called CyberPoint and it’s based in Baltimore, in the US. It’s typical that not all the details are given about your duties until after you sign an NDA, a Non-Disclosure Agreement. But there was one more detail in this contract. If he was to accept it, he would have to move to Abu Dhabi in the United Arab Emirates for two years which was the duration of this contract.
DAVID: Not really ever traveled, not really ever gone anywhere. I had before, but being married, my wife had not. We made a decision together.
JACK: They decided to take the job in Abu Dhabi. [MUSIC] Off they go. They packed up everything they needed, said bye to the family, and moved to the UAE which is right in the Middle East. The name of the hacking unit Dave was assigned to was called Project Raven.
DAVID: For the first thirty days to sixty days, you’re actually living in a hotel. There are so many red flags when you first get over there, you should know to yourself; I shouldn’t be doing this.
JACK: What were some of them?
DAVID: Well, the fact that you have two different folders that explain different confidential information. That should be one of them. Like, this is what we told you you’re gonna be doing and this is what you’re actually gonna be doing.
JACK: When a new person would show up at Project Raven, they would get two back-to-back meetings. First was the Purple Meeting. [MUSIC] In this Purple Meeting, you’re given a folder with information. It says you’re here strictly to carry out defensive measures within the cyber-security discipline such as deploying firewalls, intrusion detection systems, and other defensive measures. But as soon as that Purple Meeting was over, new employees were told that’s just a front; it’s a cover story that you can tell your family or anyone who pushes you to ask what you’re doing. Then immediately, you’re given the Black Meeting with a new folder.
In this Black Meeting, you’re told a very different story. Here, you’re told you’re gonna be helping NISSA conduct offensive cyber operations. This meeting further explained that NISSA was the secret part of the UAE government which is similar to the NSA and that you’re gonna be helping them conduct electronic exploitation and collect information from specific targets. Yeah, for you and me, seeing these two back-to-back meetings like this would be a red flag for sure, but for someone who’s used to a lot of secrets coming out of the military and the NSA, this is actually a sort of common thing to experience. Covers and fronts for what your actual official duties are, yeah, that happens. It wasn’t an immediate flag for David.
DAVID: The location we worked out of was actually a villa, a converted villa. Our spouses were not even really supposed to know where the villa was at even though that’s ridiculous ‘cause some people dropped their spouses off.
JACK: Let’s talk about this villa he worked out of. I saw a floor plan to this. Let me describe it. [MUSIC] It was a big mansion and it was just converted into an office space that these contractors could work out of. I think that was there to blend in and hide out. A mansion is typically private and secluded and quiet. It’s a great place to set up a spy agency. This villa is where Project Raven was to take place. The villa was two stories and it consisted of a server room, a management office, a conference room, an operations center, a data-processing room, a couple of kitchens, and some security guards hanging out. Dozens of people either worked there or had business there and would come and go. I’m guessing [00:15:00] around thirty people worked in this villa. The operation would go down like this; first, an order. A mission was relayed to the management office and managers would then work with those in the targeting room to properly identify the targets.
Then, the team who worked in the infrastructure room would get busy. They would use fake identities and Bitcoin to anonymously rent server space around the world. This is a precaution that in case the target figures out they’re being spied on and they try to track it down, it doesn’t come all the way back to this villa; there’s this anonymous, untrackable gap. Then, the targeting team would get to work scouring the target’s social media and trying to learn as much as they can about the target to strategize on a way to get into the victim’s computers and phones. Once they knew a method of attacking, the target team would figure out what attacks to use or create an exploit from scratch. The target team was very good. They knew that the more you knew about the target, the easier it will be to create exploits for them. The operations team would then step in.
They’d be given all the tools to do the job and all the information on the target. Then, they exploited the target’s computer or cell phone to get data off of it and learn about that person or get the information that they’re after. They vacuumed up photos, e-mails, call records, conversations, texts, locations; anything of value. It was all done very secretly and covertly so the target wouldn’t even know they’re being spied on. Then, this information was given to management who then relayed it to whoever hired them. Pretty good little operation they had going on there. At this point, you might be wondering who’s hiring this group and conducting this spying and hacking? It was the UAE government who was hiring them to conduct these hacks. It sounds like the UAE government was in the process of getting their own internal hacking group stood up but they needed to hire this group of mostly Americans, many of whom were ex-NSA agents or ex-military intelligence-trained. This way, the UAE government can see how they operate and learn from them and build their own hacking team.
DAVID: At this point, whenever I first started, everything was on the level; what we were doing, what we were operating on, what our targets were. We all agreed and we understood this is what we’re gonna be working on.
JACK: The targets that David was given to extract data from seemed okay. He was given the same sort of mission each time.
DAVID: Was just on what could be perceived as terrorist activity and we were protecting the local infrastructure.
JACK: Makes sense, right? Anyone can get behind this. Let’s use hacking to get into terrorist cells and anyone planning to attack the UAE infrastructure, and stop any terrorist attacks before they happen. That’s what happened; David and the team at Project Raven were learning what terrorists were planning and giving this information to the UAE government to stop them. Now, I should add an important note here; all of this hacking was done by citizens of the UAE which are called Emiratis. I’m gonna use that term a lot so make sure you understand it. An Emirati is simply a citizen of the United Arab Emirates. Since the UAE was trying to train up their own team to do this, it made sense to teach them how. David never really had hands-on-keyboard to conduct any of this. Instead, he was right next to an Emirati doing it, telling him exactly what keys to press and what exploits to use, and giving advice on how to move around the network. Most Emiratis speak English so the language barrier wasn’t a problem.
This sounds okay too, but it also might be a red flag. Things get murky regarding how legal Project Raven was. It’s clearly illegal to share classified information with other people so David couldn’t tell these Emiratis any secret information that he was privy to at the NSA but in this case, David was sharing cyber-spying techniques with the Emiratis. Provided it’s not proprietary NSA style tactics and exploits, there isn’t any hard law prohibiting him from teaching others how to hack, such as how to set up a phishing e-mail and use Metasploit to gain access to the victim’s machine. Anyone can learn this just on YouTube. That part, okay, that’s legal. But then we start trying to figure out whether an Emirati hacking into a terrorist phone who’s also in the UAE is legal or not.
In the US, it probably isn’t legal unless you’re given express written consent from the US State Department. But what about over there? Keep in mind, this company did have all the approvals they needed from the UAE government and the US State Department to do this. Yeah, it might be a little easier to get approvals for things if Emiratis hack other Emiratis, but if an American were to do it, I don’t know, would it be different? It’s complicated and it makes my head spin but you see how murky this gets, right? But whatever, it’s not something I’m gonna be able to solve here. At this point, the UAE government was pleased with the work that Project Raven was doing.
DAVID: The first four to six months, that’s what we were doing. Anytime we had an alert or a red flag of a probable or anticipated event, we would start the process of doing research to see if we can identify whether or not [00:20:00] it was a valid threat.
JACK: Now, it’s also important to say that all of this data exfiltration David was doing on the targets was only that; data exfiltration. He was never on a mission to drain a terrorist’s bank account or disable a car remotely, or do any disrupting, degrading, or destroying things that other hackers might do. This was just collecting communications. This went on for a while but then at some point, the requests from the UAE government started to get a little weird.
DAVID: [MUSIC] You know, the unfortunate thing is, things didn’t get weird for quite some time because the requests looked very similar to what we were currently working on. Hey, this looks like that some of their funding might have come from over here. What would be necessary for you guys to prove that a country, for instance, is funding terrorist activity? Our response would be gain access to the country and gain access to this particular shopper, this person, and then read this stuff from the perspective of we’re still sanctioned to perform these activities under the State Department. Again, this might have been just me being naïve about the entire situation. Chances are, other people on the shop knew the answers to the questions of this is not sanctioned. But me being so new to this entire community and this whole world, I’m like okay, well, this is approved. They wouldn’t be asking unless it was an approved request.
JACK: Keep in mind, the government branch of the UAE communicating with Project Raven is called NISSA and this is UAE’s version of NSA. NISSA told them to gain access to that foreign government country’s network to see if they’re funding terrorists. David’s team got busy scanning the IP space of that target country’s government network. You’ll never believe what they found. Stay with us. After the team at Project Raven scanned the .gov URLs for the target country, they found a VPN portal, a place you can log into and from there, you can get access to the internal systems in that network. Guess what? That VPN was using default credentials.
DAVID: It’s not very hard to find default credentials; a Google search. I would say that 95% of initial accesses are gained based off of some type of easily guessable or default credentials. Look at the IoT world right now. That’s exactly what’s happening.
JACK: [MUSIC] Take note, listeners; change your default passwords and don’t use any of the top 100 most common passwords like qwerty or 12345. Make it hard for people like this to break into your stuff. Double-check your routers, firewalls, computers, phones, e-mails, VPN servers, and make sure none of them are using easy-to-guess passwords. When somebody at your shop gets into this thing, now this is where you shine, right, being able to move laterally in a network, pivot around, find the goods. Is that right?
DAVID: It’s sort of one of the things that I was trained in. Again, I’m really good at ideas; hey, let’s do this, and then it’s a bunch of research if no one has done that before.
JACK: The idea they had here was let’s start reading e-mails within this .gov organization. They found the organization was being managed by an MSP. An MSP is a managed service provider. Basically this .gov organization didn’t have the expertise or head count to handle all the routers, firewalls, servers, phones, whatever. They contracted all this out to someone else to take care of it. That’s what an MSP does. It manages, patches, oversees, and troubleshoots the network devices. I think in this case they did a bad job at managing the network since they left default passwords on the VPN [00:25:00] but who am I to judge? David’s team found a device on the network managed by this MSP. It was a server running an app called ManageEngine which is basically a tool to help you monitor your network better.
DAVID: The default credentials on this platform, again default creds, are administrator/administrator. You log in and there’s a known vulnerability for this where you actually have to – you’re creating a ticket but in that process of creating a ticket, you can upload a document. That process of uploading a document, since you’re administrator, you go back to the administrator console where it tells you where do you want the documents to go that you upload? Then you can change that to a new location.
For instance, if you know it has a /var/www/html space and you know hey, I can actually just drop these right in there, you know the sub folder creation naming convention for each ticket number, then you go and create a ticket, you put an ASPX web shell on there, upload it as part of that ticket, and now you browse your ASPX web shell and you have either a web shell or if your ASPX is a reverse – let’s just say Meterpreter session, now you have access to that server. Realizing that they had credentials stored in the machine that we just used their encryption process to – just took that down, reversed their encryption process – again, somebody else significantly smarter than me did this, reversed this encryption process to actually decrypt the passwords for administrators for peered networks in this platform.
JACK: Okay, so now they have a whole bunch of usernames and passwords of people who log into this ManageEngine server. From here they figured out that some of the users also worked for this MSP. They also found a tunnel back to the MSP. Now they decide to try to get into that MSP’s network.
DAVID: [MUSIC] You have two different ways; if you have a credential, you just use your – again, living off the land, your NetBIOS, your SMB, passing the hash or even the plain text password, log in remotely until you get where you want to go to the domain controller, dump all the credentials, and then install persistence throughout the environment.
JACK: Whoa. Oh man, like, this is – do you realize what’s happening here? David’s team has access into the managed service provider, this MSP. This is a company that has a map to all the critical infrastructure for this .gov organization. It also has all the passwords and IP addresses and access to all these systems. But not only that; this MSP had many more clients, like other .gov networks in this target country. Do you see now? David’s team just got tons and tons of access into that target government’s network by gaining access to this single MSP. I mean, where do you even begin looking for e-mails or communications saying that they’re paying the terrorists? The UAE government asked Project Raven for an update. Did you find anything yet? The team responded by saying…
DAVID: We gained access to Ministry of Foreign Affairs, their royal family heir line, some of their military infrastructure.
JACK: This was very interesting to the UAE government. They then even asked the team to track the royal family heir lines of this target nation.
DAVID: [MUSIC] Yeah, when they’re flying, at least. Then we started getting requests for daily polls; we want this particular flight tracker on a daily basis. Again, that was another red flag of why is this important? You guys are just looking for proof that they’re funding Muslim Brotherhood. Why do you guys need this information? More internal conversation that we were actually becoming the intelligence-gathering shop for essentially the local country’s intelligence agency. We’re no longer really focused on getting this particular type of information. That’s when questions started to come up. Why are we doing this? What is the point of this? In reality, from a political perspective, I could see that there was a lot of point; they want to know who else this country’s talking to, they’re lying behind their back, and so on and so forth. Those are just speculations. I would assume that they’re doing this but I don’t really have any idea.
JACK: Let’s put our ethics cap on, here. If you were hired to work in another country as a cyber-mercenary, if you will, and you come for the money and to help the government fight terrorism, but now you’re just helping the UAE collect intelligence off a foreign government’s royal family? Do you question it or do you do it diligently [00:30:00] with no questions asked? This scratched something in the back of David’s head; something wasn’t exactly right with this but he kept on doing his work anyway. [MUSIC] He went back into that foreign government network and started looking around for anything about terrorist funding. Sometimes when David was in that network, he would see someone else was also in there at the same time, another hacker. Maybe another government agency has hacked into the same system that he was sitting on. Seeing something like this always makes you slow down and take a breath.
DAVID: We’re not gonna go in and help clean up an entire environment because we’re in there. But you can see that there’s stuff there and you can do some research and figure out what it is. But lots of times in those environments, you either don’t use those particular machines that might have other infrastructure on there or you just do your best to blend in. Also, if you have proprietary tools, you don’t use those tools on that piece of infrastructure.
JACK: This makes sense, right? Exploits are weapons and if you load up your best weapon so that you can hop into another computer, anyone else who’s on that system can also see your exploit or weapon and grab it for themselves. It’s best to use off-the-shelf stuff because you really have no idea who else is hacking their way around this network, too. The UAE called up Project Raven and gave them a new request.
DAVID: Hey, is there any indication that bribing happened for a particular sport? They want to know if a sport – if there was bribing is because we both bid on this to take place in our country and then they won it. We think that we probably bid higher and we had a much better chance but they won. Then we realized that the requests were all political. [MUSIC] There was no real request about funding the Muslim Brotherhood. There was just the shady request designed to push us forward to gain access to this.
JACK: Again, this was odd for David because he came here to do something else. He quit the NSA and moved with his wife all the way across the world to here, the UAE, to battle terrorists. Now he’s learning that’s not what this role is actually for; it’s kind of changed. This is hard to handle. If he knew this is what the job was from the beginning, he might not have moved all the way over here to do it. I think this is when David starts to really question his work here. There were other teams in the villa like I was saying earlier.
David was there to extract information from the target but his team would give that information to another team for analysis which is just in another room in this villa. One of the people in that analysis team was named Lori Stroud. Lori would take the information collected and try to make sense of what it was, and then give it to management and then the UAE officials. Before coming to Project Raven, Lori was a technology consultant for a company called Booz Allen Hamilton. After that, she went on to work for the NSA. But now she’s here in this villa with David. Lori, too, was getting suspicious of the motives that the UAE was giving her.
DAVID: We start getting requests for targeting of, let’s just be honest, journalists and human rights activists. [MUSIC] Again, they started to raise some pretty significant flags.
JACK: There were journalists and activists that were being critical of the UAE government and their leaders. Basically, the UAE saw these people as threats to the nation and wanted this team to get anything they could off them. What stories were they working on? Where were they rallying? Where were they located? What were their phone calls about? Back in the US where David and Lori are from, this is wrong. The First Amendment of the Constitution protects against this. In short, it says Congress shall make no law prohibiting the freedom of press or the right of people to peaceably assemble. This was not okay for them to morally or ethically do. As David said, this was starting to go too far. This was becoming a bigger red flag now.
DAVID: There’s no potential threat. The only potential threat is gonna be political. It turned into something that we didn’t really quite – none of us really agreed with. None of us thought it was the right direction for us to be going. We started to raise questions. We started to say hey, I don’t think this is the right way.
JACK: The UAE was requesting more and more from Project Raven which clearly looked like it was for political reasons [00:35:00] and not for threats against the nation. At one point they asked the team at Project Raven if they would consider targeting US computers. If a known terrorist was using a computer in the US, then they wanted the data off that computer. But David is from the NSA, the military. He remembers clearly reading through FISA, the Foreign Intelligence Service Act, and in Section OVSC-1203 it clearly says if you find yourself targeting a US person, you should de-target them at an emergency priority. This was clearly going over the line for David so he advised management to push back on this objective.
DAVID: We told them that we’re encouraging you not to do this, yeah.
JACK: With that, a lot of conversations went back and forth between this company that David and Lori worked for and the UAE government. At one point during her analysis, Lori found that data was collected on US citizens. She decided this was wrong and she said, quote, “I don’t think Americans should be doing this to other Americans. I’m a spy; I get that, and I’m an intelligence officer but I’m not a bad one.” End quote. Lori was not happy with this and started to raise even more questions. By now, over at the villa where Project Raven was, the seams were starting to show. Employees were asking questions. They were feeling hesitant about the work they were doing.
DAVID: Probably at this point, around October/November, there’s a lot of red flags going up for people. Then my wife and I, we left for Christmas break to go back to the states around Christmastime. I think it was December 17th or 16th or 17th when I got an e-mail saying – from our US contracting agency that they’re essentially giving everyone a reprieve on their contract. If you want to go back to the United States, they’ll pack you up and ship you home at no cost. We decided to do that. A lot of people did. There’s also a lot of people who decided to stay but a lot of the people that I operated with on a daily basis decided I’m not staying here, and so they took off.
JACK: After David left, Project Raven continued. They carried out new operations and tasks that were given to them. I’m gonna switch gears here for a minute and bring on someone new to talk about what happens next at Project Raven.
RORI: My name is Rori Donaghy and in 2012, I set up a human rights group that was effectively just a WordPress website and the blog where I set out press releases from. It was called the Emirate Center of Human Rights. I wrote about human rights abuses in the United Arab Emirates because I felt they weren’t getting enough coverage and I had built up some good contacts that helped me with information that happened there.
JACK: Rori was living in London in the UK and he started this little WordPress blog simply to call attention to some of the bad things that the UAE government was doing. But this blog started to pick up and it was getting noticed by some bigger journalists.
RORI: I was getting good coverage and getting access to big platforms. I was being interviewed semi-regularly by the BBC across the English and crucially, its Arabic platforms. Also, the work was being covered a little bit more in places like the Financial Times and The Guardian, places where it was never in discussion about Dubai other than in a positive tourist and business sense. All of a sudden there were these stories about torture and how they were treating people in prison, and political activists, and shutting down of free speech. It was changing, I think slightly, the international image of the UAE at the time.
JACK: Here’s a clip from Rori on the BBC.
HOST: I’m joined by Rori Donaghy who is campaign manager for the Emirates Center for Human Rights based here in the UK. Why is this important?
RORI: This is important because they’ve been tortured and some have been held as – enforced disappearances over the last seven months. We’ve seen the European parliament condemn the human rights abuses in the UAE over the past two weeks.
HOST: Let me quote to you what the attorney general has said. He says that they were arrested for managing an organization with the aim of committing crimes against state security.
RORI: Well, there has been no evidence brought forward for that.
HOST: Neither have they gone to court yet, either.
RORI: They haven’t got to court. No charge has been brought…
JACK: The UAE government did not like Rori talking about them. They told Project Raven to get in his computer and phone and spy on him.
RORI: [MUSIC] One day at work in the Middle East, I got an e-mail asking if I could take part in a human rights panel and if I wanted to take part in it, could I click on the following link and comment on a piece? The link looked like it would go to an Al Jazeera English’s website. But the e-mail address was very odd; it was random and the English was poor, misspelled. [00:40:00] But nonetheless, I was foolish enough to click on the link. When I did, it didn’t go anywhere. I thought it was very strange so I just forwarded it onto Citizen Lab and Bill Marczak there, who I knew through work. He got to work on it because even at that point, when I sent the e-mail to him, I couldn’t have thought that I was being surveilled. I just thought it was a bit strange. I really had no idea what was going on.
JACK: Rori gave this e-mail to Citizen Lab. They basically do research on espionage going around against civil society. If a journalist or an activist thinks they’re being targeted by malware or espionage from some government, they can go to Citizen Lab to get help. Rori sent this suspicious e-mail to them to check into it.
RORI: After some time, Bill came back to me and told me that I had been the target of this spyware.
JACK: Besides the URLs riddled with spyware, there were a lot of people tweeting at Rori, too. Citizen Lab found thirty-one public tweets sent to Rori that were suspicious. These were all tweets about human rights activities in the UAE with shortened URLs that contained spyware. These tweets were publicly sent to Rori but what was really interesting about these tweets is that about six of the accounts that sent these tweets were actually UAE citizens, except they had been arrested. These tweets were sent after their arrest.
RORI: Yeah, this is a common tactic in the UAE which would be to – once they had arrested a political activist or dissident, that they would then take control of their social media accounts and then use them to try and lure other people they would want to pull into their web of surveillance because obviously they couldn’t arrest me because I was living in London. That’s quite a common tactic. It’s a really frightening tactic.
JACK: A very freaky tactic but an effective one because the team at Project Raven did completely infiltrate Rori’s computer and phone. [MUSIC] Bill at Citizen Lab told Rori the bad news.
RORI: He said he believed ultimately was the UAE government to spy on me and probably listen and read all my communications. They weren’t just surveilling me from what I understand; it was also my parents, my other younger brother who’s got special needs who poses no threat to anyone, the school we went to, my partner. I did feel really violated. I guess the thing that I would say most about it is that when people ask about this story, is that it all happens silently. I was just carrying on with my life. When I think about the experience of it, there wasn’t really any experience of it. This all happened so silently. It’s such an effective way of surveilling someone that you have no idea about just how pervasive it is or what they have access to. It’s not an experience as such. It’s just something that happens and then someone tells you about later. It’s quite hard to retroactively feel something because it’s already happened at that point. It’s a very bizarre experience.
JACK: I don’t know, if I learned that a foreign government has infiltrated my computer and was looking at my e-mails, private messages, texts, and knowing what stories I was working on, I’d be extremely freaked out. I think it’s a little weird that Rori didn’t panic more.
RORI: Actually, when you talk about my response to it being weird, I think it’s because I felt safe in London. If I’d lived in the UAE under the fear of this authoritarian government that’s capable of torture and imprisonment for a long period of time, I’d have felt very differently about it.
JACK: That does make sense. If you compare torture and arrests versus being spied on, I guess he got the lesser of two consequences for speaking up against the UAE on that one. He was able to clean up his computer and wipe the spyware off, and was careful not to be infected again. But he looks back on this experience and it’s still a bit shocking to him.
RORI: Do you know, the fact that there was a whole team of people and they must have spent quite a significant sum of money on this. I do find that frightening because that’s still going on now but just to someone else, I imagine.
JACK: While Rori was writing about human rights in the UAE from London, there was another activist also writing about the same stuff, but he was an Emirati. His name was Ahmed Mansoor and Rori talked with him a lot back then.
RORI: Yeah, Ahmed was a close contact and I’d say a friend throughout the time that I covered human rights abuses in the UAE. Ahmed was the number one political and human rights activist in the UAE.
JACK: Here’s a clip from YouTube that’s Ahmed talking about human rights.
AHMED: Hello, ladies and gentlemen. [00:45:00] My name is Ahmed Mansoor from United Arab Emirates. I will focus in this presentation on the latest development related to human rights situation in UAE. The first point that I would like to talk about is the arbitrary detention.
JACK: Once again, this is another person that the UAE government was not happy about and assigned Project Raven to spy on Ahmed as well. The same tactics were used; phishing e-mails from so-called activists, tweets from people who were arrested, and Project Raven also got into Ahmed’s phone and computer and could see pretty much everything he was doing. But Ahmed had a much worse fate than Rori.
RORI: Ahmed was arrested by the Emirati Authorities and accused of some crime that wouldn’t exist in any democratic state. I think it was communicating with a foreign enemy, something along those lines.
JACK: He was actually charged with damaging the country’s unity which kind of sounds like a made-up crime to me.
RORI: …and sentenced to ten years in prison. There’s been credible reports of his torture and kept in really terrible conditions in the UAE.
JACK: Jeez, can you imagine? If you speak out against your government and then the government hires a bunch of ex-NSA people to spy on you, and this leads them to find where you live and what you’re doing which then gets you arrested. Then you get put in prison for ten years and placed into solitary confinement with terrible living conditions. Let’s not ignore that all of Ahmed’s family is also spied on. His wife’s phone was also hacked by this group, and she now lives in fear and social isolation as a result of all this.
RORI: The reason that this has happened to Ahmed is because he has been the lone light in covering human rights abuses in his country for many years and led to him winning prestigious human rights awards including the Martin Ennals Award for Human Rights Defender of the Year. His growing stature as an international human rights defender is really, what I think, led to his arrest because he was known as being – he wasn’t affiliated to any religious or political group that could be used to undermine his credibility by the UAE. Ahmed stood alone as this really respected human rights activist.
I can’t stress enough how brave and courageous he was to do that work in a country where he knew that when he was going to get arrested, which is inevitable, that he would be tortured and treated in such a terrible way. Prior to his arrest, Ahmed was being surveilled in the most pernicious and obtrusive way which, as I’m sure you know, led to Apple having to issue an update to their software because of the way he was surveilled which was through – it was sent to his iPhone.
JACK: Oh right, Apple and the iPhone. Let’s talk about that. Project Raven had access to this crazy hacking tool called Karma. When I read about Karma, it kind of reads like how Hollywood hacking is portrayed. It’s crazy simple and it blows my mind. In 2016, the UAE purchased this hacking tool Karma from some outside vendor. We don’t know who made it or where it was purchased from. The UAE told Project Raven look, we have this great new tool and you can target iPhones with it. But this was its limitation, too; just iPhones. Here’s how it works. [MUSIC] If someone in Project Raven knew their target had an iPhone and wanted data off it, they might decide to use Karma. All you have to do is give Karma the phone number or e-mail address of your target. A text was then sent to that target’s phone. Here’s the craziest part; the user doesn’t even have to click on a link or do anything in order for this exploit to work.
The text just has to get to the phone. Once it got to the phone, the exploit could then steal photos, e-mails, text messages, and location data all without user interaction. It really was an amazing tool for getting the data off these targets. It was too easy, even. We aren’t sure exactly how, but it looks like it was exploiting a flaw in Apple’s iMessage. By sending this crafted text through iMessage, it enables the exploit. In 2017, Apple pushed an update which made this tool much less effective. There isn’t a lot known about this tool, but even just this gives us a sense of what its capabilities were and what Project Raven had at its disposal. David told me he never used Karma himself. I wonder if that just means he told other people to use it.
The UAE government terminated the contract with Project Raven and brought in a new contractor named DarkMatter. DarkMatter is a UAE company owned and operated by UAE citizens. The people who were at Project [00:50:00] Raven had the option; either join DarkMatter or quit. About a quarter of them quit but the rest moved on to DarkMatter. Lori was one of the ones that moved onto DarkMatter. You have to understand Lori was working for government contractors for a while and the NSA. She’s used to doing this kind of clandestine work. In fact, she loves doing cyber-espionage. It’s what she’s good at and this was a good-paying gig so Lori kept at it. UAE was now working with DarkMatter to carry out these objectives and offensive intelligence operations. Lori continued to work for DarkMatter for a while and at one point she got a list of targets. When she looked at the list, she saw that some of them were Americans.
[MUSIC] She looked up their occupation and saw these were American journalists. Oh, this made her sick to her stomach. She raised even more questions about this and started to say this isn’t right. DarkMatter put her on leave. They escorted her out of the building and had her passport revoked. That had to be extremely scary for her; to be in the UAE, upset with the UAE government, and to have your passport taken. She felt like she was probably now a target and being surveilled. She was stuck in this country with no way out. This had to be a very dark time for her. After two months, she was allowed to go back to America. Upon arriving in the states at the airport, the FBI agents questioned her and asked what US citizens were you spying on? But she refused to tell them anything. I think she thought she was under UAE surveillance still at that point, and it was all probably just so stressful.
The FBI still, to this day, has an ongoing investigation about all this. They want to know whether or not classified information was given to the Emiratis, and if targeting US citizens actually happened because these are both clearly illegal and the FBI wants to know if these laws were broken. Still now, DarkMatter is operating and working with the UAE government and NISSA. They’re probably continuing to do all the espionage on behalf of the UAE government. You might be wondering how do I know all this? Well, David just told us, right? But he only told us some of the story. Back in January of this year, Lori came forward and told her whole story to Reuters. Journalists Christopher Bing and Joel Schectman took her story and fact-checked it against a lot of people including eight ex-Project Raven employees.
Chris and Joel did an amazing job reporting this story and published it earlier this year. Of course, I fact-checked their story too. I made a lot of phone calls and wrote a lot of e-mails, and had some very interesting conversations about this whole story. I even called up an ex-NSA person that I know who has contacts in DarkMatter to learn a little more. Yeah, Reuters did a great job on this story and when the story came out, it made really big news. But the only one who allowed her name to be in the story was Lori. Now, for the first time, you heard a second person come forward; David. He has never spoken publicly about this until now which is pretty exciting to hear someone else tell us this inside story. It’s kind of a big deal. [MUSIC] I asked Rori what he thought of this story when he read it.
RORI: I remember telling my partner about this story before it was going to come out. She obviously doesn’t think I’m a liar, but she thought it sounded a bit crazy and that maybe I had been duped into thinking that this had happened because of just how crazy it sounded. I had that response myself a little bit when the Reuters guys phoned me initially. I felt that even that at that point, even with all my knowledge and experience of the UAE and the Gulf, I still felt that this side of it had gone a bit far. Like, really? Would they really have gone through this much effort to surveil me? I was still a bit surprised by it all.
I was glad that it came out because I think that people should know the truth about a country that invests huge sums of money to portray itself as a friendly, open, global country that is tolerant and happy but in reality is nothing more than a tin-pot dictatorship with billions and billions of dollars to keep hold of power and lock up anyone who challenges them. That’s a really important thing to know when they’re a close ally of not only my country, the UK, but also America and other European allies.
JACK: Do you think you’ll ever go to the UAE again?
RORI: I wouldn’t feel comfortable going to the UAE even if the president of the country gave me a personal assurance that nothing would happen to me if I went there. Again, it’s not because I feel important or whatever; it’s just that I wouldn’t trust authorities to not harm me because they’ve so consistently done that to a whole range of people from petty [00:55:00] criminals who’ve been there on drugs charges or written a cheque in bad faith, to political activists. I would never feel comfortable going to the UAE.
JACK: Project Raven was a hacking unit working for a company called Cyber Point which is based in Baltimore. The CEO of Cyber Point was questioned about all this and flat-out said the mission of Project Raven was to help the Emiratis defend their network, very similar to what that Purple Meeting said they were doing. But perhaps the CEO didn’t actually know. Perhaps that unit was initially set up to do that but somehow transformed to become offensive all on its own without proper oversight from Cyber Point. David even said over time, the missions changed. This was a secret operation in the UAE; how much of a secret operation is really going to be reported back to Baltimore? DarkMatter has publicly said that this entire story written up in Reuters is false, made up. It’s defamatory and it’s unsubstantial and they deny any wrongdoing.
Oh, and check this out; you might have a DarkMatter root certificate in your browser. In 2017, DarkMatter applied to be a sort of certificate authority. They wanted to issue SSL certificates to websites so those websites are secure. All major browsers granted DarkMatter the ability to become a certificate authority with provisional status. Ah! Yes, their root certificates were trusted in all our browsers. After that happened, DarkMatter approved 275 websites to be trusted but this year, that changed. When Reuters published that report, Firefox and Google read it and they saw what DarkMatter was doing. They decided to revoke that root certificate from being trusted. Now certificates from them will show up as untrusted sources.
I helped the other browsers follow suit, too. While I was putting this episode together, I went to Black Hat, the security conference in Vegas. There, Natalie Silvanovich gave a presentation on exploiting iMessage. Let me tell you about Natalie because in my book, she’s amazing. Natalie works for Project Zero and Project Zero is amazing, too. It’s a project that Google started. Basically, the Project Zero team at Google has the job of finding vulnerabilities in software of any kind. It doesn’t have to be just Google vulnerabilities. It could be software with Microsoft or Apple or anything. Natalie works on this team and simply obsesses over finding vulnerabilities in software. After hearing about Karma and what this Project Raven was doing, she decided to take a deep dive and try to figure out how Karma could have worked because it’s really remarkable to just send a message to an iPhone and to get back pictures, texts, location, and more.
Natalie began trying to exploit iMessage on the iPhone. I won’t go into how she found the bugs, but she found three vulnerabilities on the iPhone. Now, when someone at Project Zero finds a vulnerability, they tell the vendor and they give them ninety days to fix it. If it’s not fixed in ninety days, they’re gonna publicly disclose this vulnerability. Software companies better move quick once Project Zero tells them about the bugs. Natalie told Apple about these three bugs I think back in May of this year, then she waited. Apple acknowledged the bugs and patched their phones. Once that happened, Natalie published her report about the vulnerabilities found and gave a presentation on it at Black Hat. What she found was really interesting. It’s not the smoking gun and there’s no evidence that this is what Karma was or used, but it might be.
Basically, Natalie found that if you send a zip file to an iPhone, the iPhone then tries to peek inside it to look at the object file within it and then display on the iPhone what kind of files are in there. It does this automatically without the user even trying to open the file or click anything. Here’s the crazy part; when your iPhone gets this file and looks inside it, it looks at this object file inside it which can instruct your phone to go to a URL without the user clicking anything. This alone is useful information; just by visiting a URL you get that phone’s IP address and other metadata about the browser type. This could give you a rough idea of where that person is. But on top of that, it’s requesting a certain thing from that URL and if you send it back a malicious payload to execute, you could do extra stuff to the phone that you shouldn’t be able to do.
This is a fascinating exploit but it doesn’t quite capture all the texts and pictures. But remember that Apple did a patch to iMessage back in 2017 which Project Raven operatives said made Karma less effective. Hm, hopefully now that Natalie has found three vulnerabilities in the iPhone, hopefully this makes Karma completely useless. We don’t know for sure. Now, I wanted to give the last word to David because one of the main reasons why he wanted to come on and share this story is because he wants to give a warning to anyone accepting foreign contract work; if a recruiter comes to you with a high-paying job in another country, [01:00:00] you might want to think twice about it.
DAVID: I guess my encouragement from that perspective is if you are transitioning out of a space like, you know, from a technical or offensive space and you hear of a job tailing, go ahead and take this job over there and do this ‘cause it’s gonna mean it’s a low-level networking position. Just understand and know that what you’re signing up for may not be actually what you’re doing. Where you’re gonna go, what you’re being promised, or what the job description is – is more if you’re going overseas, it’s more than likely not what you’re gonna do. Creating a safety net for yourself is really the right way forward. Say for instance, if you’re married and you’re gonna go take a foreign job and you don’t actually know what you’re gonna be doing, then go without your spouse for the first couple weeks. Kind of see, go over there and fill it out.
That way if you do have to leave and you have to leave in a hurry, you’re not buying two plane tickets out of a country; you’re only buying one. Or if you’re deciding this is not the right space for you, then you can leave significantly faster. If you are going over a certain spot and you have experience doing things and people contact you and reach out to you that you don’t know, you’ve never heard of before, especially if it’s a foreign contracting vehicle, if it’s not an American contracting company, that should of course be a significant red flag. If you’re being recruited for DarkMatter and you have any type of cyber or offensive background in the cyber-security world, chances are you’re not going to be doing what you think you’re doing.
JACK (OUTRO): [OUTRO MUSIC] A big thank you to David for being brave enough to come forward with this story. Amazing, amazing. Thanks so much to Rori Donaghy for sharing his story. Also, thanks to Christopher Bing and Joel Schectman from Reuters. Their article is titled Inside the UAE’s Secret Hacking Team of American Mercenaries. That article is amazing and you should all check it out. It’s got the floorplan of the villa and it goes into so much more detail. Of course, thank you to Lori Stroud. None of this would even be known if it wasn’t for your bravery bringing all this to the light.
For show notes and links, check out darknetdiaries.com and while you’re there, you might as well check out the shop where you can buy stickers and shirts and trust me, it’ll make your friends jealous if you have one of these and you’ll also look really good in one of the shirts from there. This show is created by me, the Pewlett Hackard, Jack Rhysider. Editing help this episode was by the .matrix Damienne and the theme music is by the helmet-wearer, Breakmaster Cylinder. Even though my name is probably put on a list somewhere within DarkMatter, whenever I say it, this is Darknet Diaries.
[OUTRO MUSIC ENDS] [END OF RECORDING]