Darknet Diaries - Ep 47: Project Raven
Episode Date: September 17, 2019
This is the story about an ex-NSA agent who went to work for a secret hacking group in the UAE.
Sponsors
This episode was sponsored by Thinkst Canary. Their canaries attract malicious actors in your network and then send you an alert if someone tries to access them. Great early warning system for knowing when someone is snooping around where they shouldn't be. Check them out at https://canary.tools.
Support for this episode comes from Blinkist. They offer thousands of condensed non-fiction books, so you can get through books in about 15 minutes. Check out Blinkist.com/DARKNET to start your 7-day free trial and get 25% off when you sign up.
Transcript
What? What's a mercenary? Let me look this up. Okay, there are two main definitions. One is a
soldier hired to do work for another army, and the second is a person who works purely because of
monetary gains. I'm going to guess that they don't have allegiance other than whoever is paying them.
They're hirelings. They get paid to do a job and to get it done, and they're not supposed to ask why.
Mercenaries are people, and people are complex.
They're filled with emotions, and they actually do have allegiance, even if they're paid to forget
about that. And if you pay a mercenary to do something that goes over their moral line they've
got internally, conflict happens, and everything falls apart.
These are true stories from the dark side of the internet.
I'm Jack Rhysider.
This is Darknet Diaries.
This episode is brought to you by Delete Me.
I know a bit too much about how scam callers work. They'll use anything they can find about you online to try to get at your money.
And our personal information is all over the place online.
Phone numbers, addresses, family members, where you work, what kind of car you drive.
It's endless.
And it's not a fair fight.
But I realize I don't need to be fighting this alone anymore.
Now I use the help of Delete.me.
Delete.me is a subscription service that finds and removes personal information from hundreds of data brokers' websites.
And continuously works to keep it off.
Data brokers hate them because Delete.me makes sure your personal profile
is no longer theirs to sell.
I tried it and they immediately got busy scouring the internet for my name
and gave me reports on what they found.
And then they got busy deleting things.
It was great to have someone on my team when it comes to my privacy.
Take control of your data and keep your private life private
by signing up for Delete Me.
Now at a special discount
for Darknet Diaries listeners.
Today, get 20% off your Delete Me plan
when you go to joindeleteme.com
slash darknetdiaries
and use promo code darknet at checkout.
The only way to get 20% off
is to go to joindeleteme.com
slash darknetdiaries
and enter code darknet at checkout. That's joindeleteme.com slash darknetdiaries and enter code darknet at checkout.
Support for this show comes from Black Hills Information Security.
This is a company that does penetration testing,
incident response, and active monitoring to help keep businesses secure. I know a few people who work over there, and I can vouch they do very good
work. If you want to improve the security of your organization, give them a call. I'm sure they can
help. But the founder of the company, John Strand, is a teacher, and he's made it a mission to make
Black Hills Information Security world-class in security training. You can learn things like
penetration testing,
securing the cloud, breaching the cloud, digital forensics, and so much more. But get this,
the whole thing is pay what you can. Black Hills believes that great intro security classes do not
need to be expensive, and they are trying to break down barriers to get more people into the security
field. And if you decide to pay over $195, you get six months access to the MetaCTF
Cyber Range, which is great for practicing your skills and showing them off to potential employers.
Head on over to BlackHillsInfosec.com to learn more about what services they offer and find
links to their webcasts to get some world-class training. That's BlackHillsInfosec.com.
Let's get started.
You ready?
Yes, sir.
So let's start with your name or what do you want to be called on this show and what do you do?
Hi.
Yeah, my name is David and I am a type of offensive intelligence analyst. I track foreign intelligence hacking in the United States. That's what I do now.
Oh my gosh, I have like 20 questions already just from saying that. Did you say offensive intelligence analyst?
That's correct.
I've never heard of that. What does that mean?
So if a foreign intelligence organization would gain access to any type of U.S.-based critical infrastructure, that would be something that I would help investigate.
This is going to be a great episode. It's very exciting to me because David is going to tell us a story that, well, was a secret up until this year, and still remains somewhat shrouded.
So, let's get into it.
Let's start when he was a teenager.
In high school, David really wasn't into computers at all.
Well, I was a long-distance runner.
I was involved in all different types of extracurricular things,
you know, student government and stuff like that.
After high school, he went to college and got his degree.
It was actually in religion and philosophy.
Interesting. Take note here.
Imagine all the morals and ethics one has to consider while majoring in religion and philosophy.
My goals at that point were to pursue a career sort of alongside
some of my, you know, basically other peers
that I might be able to make a difference to.
So I did, I did look into, you know, hey, how would I, could I potentially join as a chaplain?
But, you know, talking to other people in that same world, they said, well, I've never even met
my chaplain or I've never had a real conversation with them or I don't know who they are. And I
realized if I really wanted to make any type of difference in people's lives, it wasn't going to be as a chaplain.
So after getting his degree, David decides to join the military.
Off to the Navy, he goes.
He does his initial boot camp, graduates from that fairly easily, and is a full-fledged Navy sailor.
But David was hungry for more.
My initial school was in BUD/S. So I joined to sort of become,
you know, go through that Navy SEAL track and kind of see how that went.
Whoa. BUD/S is Basic Underwater Demolition/SEAL training. It's what you need to go through
to become a Navy SEAL. This is the most rigorous, demanding and crazy training there is in the Navy.
This is what they call Hell Week, and it's much longer than a week.
Those who make it through this become practically drown-proof.
They become frogmen.
And most of all, they become weapons experts.
When I talked to a Navy SEAL and his mindset was,
the last time I was deployed, I got every type of kill other than a knife kill.
And he was, like, bragging about that.
He just really wanted to get a knife kill.
And that was like, okay, you know what?
I don't want that to be me.
Like, I'm not saying that like every Navy SEAL is like that,
but the potential, if somebody can become like that,
then there's a potential that I can become like that.
And so that was something that I wanted to avoid.
That's an important job.
And I have a lot of respect for Navy SEALs.
But I just sort of had this fear that,
you know, I really don't want that to become me.
That's some intense training
and you definitely need to do some soul searching while there.
You question yourself on whether you want this bad enough
or if you're fit enough to do it.
You have to put mind over matter
and push yourself beyond limits you think you can't ever get over.
And if you're going to push yourself beyond your own limits, you better really want what you're working for.
And David wasn't sure if being a Navy SEAL was for him.
He knew that Navy SEALs weren't just a bunch of killers, but he started to question if he really wanted it bad enough.
So he rang the bell and quit BUD/S and looked for something else to do in the Navy. Still, he wasn't interested in computers, like, at all.
The only thing he knew how to do was check Facebook and emails at that point. He's fit,
buff even, and understands religion and philosophy. He looked at his options and for some reason,
computers and cyber warfare caught his attention. So he decided to sign up for that in the Navy.
Immediately, he needed training, though.
Well, I mean, the training is pretty basic. I mean, essentially, I mean,
actually, when I say basic, I don't mean basic. I mean, you know, it's the same type of training
you would get everywhere else from a cybersecurity perspective, but the pace is significantly faster. So instead of going through a 12-week course
to learn how to code,
you do all of that in one week.
I mean, you literally learn all of it in a single week.
And now you start to learn everything
from assembly language all the way up to coding languages
and then how that's interacting
with different types of assembly languages
and how coding, you know, you understand the process,
how it all sort of works.
And so you go all the way up to that spot
and you get back to the application layer
and then you move back down to sort of the exploitation layer.
And, you know, the exploitation layer in that environment
is not taught, you know, buffer overflows and exploitation analysis
is not taught until you get into more OJT or following courses for different shops.
This amazes me. I mean, the Navy teaches people how to hack. I sort of know they do that,
but it's just, it kind of boggles my mind every time I hear it.
So he got training and then started doing security analyst work for the Navy.
Yeah, it might have been maybe three or four months before I realized, I mean, in that time period when I was learning how to be a certain type of cybersecurity analyst or an exploitation analyst,
or I were in training, you know, how to be a general IT person, I sort of enjoyed it, and I realized that I had,
you know, I'm not, I'm in no way an expert at, um, at, you know, exploit development, but, um, but I
understand the concepts and I don't give up, so it allows for me to sort of push through. And from
that time period, being at the shop, what I did next basically was, you know, purchased a Mac Pro server, for instance, installed ESXi on that, and started building stacks and learning, you know, hey, I'm learning this at work.
You know, I'm not going to take the exact thing that I'm doing, you know, the exact concept because we're not really supposed to do that.
But I can, you know, similar layout, similar designs, and let me just replicate this at home
so I can continue to learn how to do it. So it might be, let's, you know, let's learn how to
pivot through a machine or let's learn how to exploit Active Directory trust relationships, so on and so
forth. And being able to build those up and stuff like that allow, it just sort of grew my fascination with it.
This is an important quality about David. He didn't just show up and do his work and go home.
Instead, he built a lab and practiced on his off hours and got better and better.
Anyone who really wants to excel in this kind of stuff has to have the mindset of always trying to learn and not just doing the minimum. And with the Navy teaching him formally and his home lab,
he became pretty good at hacking.
In fact, his specialty was not just getting in,
but then pivoting around, moving laterally,
and finding what else is in that network.
After about four months of doing that, he moved over to the NSA.
Because David was an exploit analyst in the Navy,
the NSA came and said, hey, why don't you come work for us?
And recruited him over.
So he started working for the NSA as an analyst there.
And he worked at the NSA for a while.
I'd say August of 2011 to August of 2014, so about three years.
Then around that time, a new opportunity showed up.
You know, at that point, I had gotten married. Probably
while I was up there, it would have been maybe two years, almost two years I've been married.
It's time for me to get out of the service. And I had gotten an offer to stay there on campus,
which is at the NSA. Then a different organization or actually an individual recruiter reached out
to me and said, hey, hey, hey.
There was this recruiter from a company called CyberPoint.
This is a company that's contracted to do various types of hacking.
Basically, if he were to work for this company, he would become a hacker for hire.
The U.S. government actually grants certain companies extra permissions to conduct stuff like this.
The details of this are foggy, but this company that was trying to recruit David was vetted by the U.S. government to do this.
David listened to the recruiter tell him what the job entails.
That I would be doing a lot of, you know, different types of offensive work, offensive, you know, maybe security, maybe offensive intelligence.
And that would be sort of some of our goal, you know, whether or not.
And give me an example of what some of the offensive work is that you expected to do.
I mean, just from previous conversations, I've understood, well, you might be doing
some tracking of terrorist organization to sort of help out and alleviate some of the workload
in the United States. And, you know, we're helping them out over there to sort of protect
their country as well. And so our main understanding was we're going over there to help
them protect their country. This sounded good to David, to help protect the country, to help battle
terrorists and to reduce some of the workload for the U.S. forces. All right. The company was called
CyberPoint and it's based in Baltimore in the U.S. And it's typical that not all the details are
given about your duties until after you sign an NDA, a non-disclosure agreement. But there was one more detail in this contract. If he was to accept it,
he would have to move to Abu Dhabi in the United Arab Emirates for two years, which was the duration
of this contract. Not really ever traveled, not really gone anywhere. I mean, I had before, but
you know, being married, my wife had not. And so we, you know, made a decision together.
They decided to take the job in Abu Dhabi.
Off they go.
They packed up everything they needed, said bye to the family and moved to the UAE, which is right in the Middle East.
And the name of the hacking unit Dave was assigned to was called Project Raven.
For the first 30 days to 60 days,
you're actually living in a hotel.
I mean, it was just, I mean,
there are so many red flags when you first get over there,
you should know to yourself, I shouldn't be doing this.
What were some of them?
Well, the fact that you have two different folders
that explain different types of information, that should be one of them.
Like this is what we've told you you're going to be doing and this is what you're actually going to be doing.
When a new person would show up at Project Raven, they would get two back-to-back meetings.
First was the purple meeting.
In this purple meeting, you're given a folder with information, and it says you're here strictly to carry out defensive measures within the
cybersecurity discipline, such as deploying firewalls, intrusion detection systems, and other
defensive measures. But as soon as that purple meeting was over, new employees were told that's
just a front. It's a cover story that you can tell your family or anyone who pushes you to ask what
you're doing. Then immediately you're given
the black meeting with a new folder. In this black meeting, you're told a very different story.
Here you're told you're going to be helping NISA conduct offensive cyber operations. This meeting
further explained that NISA was the secret part of the UAE government, which is similar to the NSA, and that you're going to be helping them conduct electronic exploitation and collect information from specific targets.
Yeah, for you and me, seeing these two back-to-back meetings like this would be a red flag, for sure.
But for someone who's used to a lot of secrets coming out of the military and the NSA,
this is actually a sort of common thing to experience. Covers and fronts for what your
actual official duties are. Yeah, that happens. So it wasn't an immediate flag for David.
So the location we worked out of was actually a villa, a converted villa. So we could, you know,
our spouses were not really even supposed
to know where the villa was at, even though it's ridiculous because some people dropped
their spouses off.
Oh, so let's talk about this villa he worked out of. I saw a floor plan to
this. Let me describe it. It was a big mansion and it was just converted into like an office
space that these contractors could work out of. I think that was there to sort of blend in and
hide out. I mean, a mansion is typically private and secluded and quiet. It's a great place to set
up a spy agency. And this villa is where Project Raven was to take place. The villa was two stories,
and it consisted of a server room, a management office, a conference room, an operations center,
a data processing room, a couple of kitchens, and some security guards hanging out.
Dozens of people either worked there or had business there and would come and go.
I'm guessing around 30 people worked in this villa. And the operation would go down like this.
First, an order. A mission was relayed to the management office, and managers would then work with those in the targeting room to properly identify the targets. Then the team who worked in
the infrastructure room would get busy. They would use fake identities and Bitcoin to anonymously
rent server space around the world. And this is a precaution that in case the target figures out
they're being spied on and they try to track it down, it doesn't come all the way back to this
villa. There's this anonymous, untrackable gap. Then the targeting team would get to work.
Scouring the target's social media
and trying to learn as much as they can about the target
to strategize on a way to get into the victim's computers and phones.
And once they knew a method of attacking,
the target team would figure out what attacks to use
or create an exploit from scratch.
The target team was very good.
They knew that the more you know about the target,
the easier it will be to create exploits for them.
The operations team would then step in.
They'd be given all the tools to do the job and all the information on the target.
Then they exploited the target's computer or cell phone to get data off of it
and learn about that person or get the information that they're after.
They vacuumed up photos, emails, call records, conversations, texts, locations, anything of value.
And it was all done very secretly and covertly, so the target wouldn't even know they're being spied
on. Then this information was given to management, who then relayed it to whoever hired them.
Pretty good little operation they had going on there. At this point, you might be wondering,
who's hiring this group and conducting
the spying and hacking? It was the UAE government who was hiring them to conduct these hacks.
And it sounds like the UAE government was in the process of getting their own internal hacking
group stood up, but they needed to hire this group of mostly Americans, many of whom were
ex-NSA agents or ex-military intelligence trained. This way, the UAE government can see how they
operate and sort of learn from them and build their own hacking team. Now, at this point,
whenever I first started, everything was sort of on the level, kind of what we were doing,
what we were operating on, what our targets were. We all sort of agreed and we understood this is
what we're going to be working on.
And the targets that David was given to extract data from seemed okay. He was given the same sort of mission each
time.
Was just on what could be perceived as terrorist activity and we were protecting the
local infrastructure. Makes sense, right? Anyone can get behind this. Let's use hacking to get
into terrorist cells and anyone planning to attack the UAE infrastructure and stop any terrorist attacks before they happen.
And that's what happened.
David and the team at Project Raven were learning what terrorists were planning
and giving this information to the UAE government to stop them.
Now, I should add an important note here.
All of this hacking was done by citizens of the UAE, which are called Emiratis.
I'm going to use that term a lot, so make sure
you understand it. An Emirati is simply a citizen of the United Arab Emirates. Since the UAE was
trying to train up their own team to do this, it made sense to teach them how. So David never really
had hands on keyboard to conduct any of this. Instead, he was right next to an Emirati doing it,
telling him exactly what keys to press and what exploits to use and giving
advice on how to move around the network. And most Emiratis speak English, so the language barrier
wasn't a problem. This sounds okay too, but it also might be a red flag. See, things get murky
regarding how legal Project Raven was. It's clearly illegal to share classified information with other
people, so David couldn't tell these Emiratis any secret information that he was privy to at the NSA.
But in this case, David was sharing cyber-spying techniques with the Emiratis.
Provided it's not proprietary NSA-style tactics and exploits,
there isn't any hard law prohibiting him from teaching others how to hack,
such as how to set up a phishing email and use Metasploit to gain access to the victim's machine.
I mean, anyone can learn this just on YouTube.
So that part, okay, that's legal.
But then we start trying to figure out
whether an Emirati hacking into a terrorist phone
who's also in the UAE is legal or not.
In the U.S., it probably isn't legal,
unless you're given express written consent
from the U.S. State Department.
But what about over there?
Now keep in mind, this company did have all the approvals they needed
from the UAE government and the U.S. State Department to do this.
So yeah, it might be a little easier to get approvals for things
if Emiratis hack other Emiratis,
but if an American were to do it, I don't know, would it be different?
It's complicated, and it makes my head spin.
But you see how murky this gets, right? But whatever, it's not something I'm going to be
able to solve here. At this point, the UAE government was pleased with the work that
Project Raven was doing.
So the first four to six months, that's what we were doing. Anytime we had
an alert or a red flag of a probable or anticipated event, we would sort of start the process of doing research to see if we
can identify whether or not it was a valid threat.
Now, it's also important to say that all of this
data exfiltration David was doing on the targets was only that, data exfiltration. He was never on
a mission to drain a terrorist bank account or disable a car remotely or do any disrupting,
degrading, or destroying things that other
hackers might do. This was just collecting communications. This went on for a while,
but then at some point, the requests from the UAE government started to get a little weird.
You know, the unfortunate thing is things didn't get weird for quite some time because the requests look very similar to what we are currently working on.
Hey, this looks like that some of their funding might have come from over here.
Can you guys, you know, what would be necessary for you guys to prove that a country, for instance, is funding terrorist activity?
And then our response would be, gain access to the
country and gain access to this particular shop or this person and then read this stuff, um, from
the perspective of we're still sanctioned to perform these activities under the State Department.
Um, and you know, and, and again, this might have been just me being naive about the entire
situation. You know, chances are other people in the shop knew the answers to the questions of, this is not sanctioned.
But me being so new to sort of this entire community and this whole world, I'm like, OK, well, this is approved.
This is sort of one of those they wouldn't be asking unless it was an approved request.
Keep in mind, the government branch of the UAE
communicating with Project Raven is called NISA,
and this is UAE's version of NSA.
So NISA told them to gain access
to that foreign government's country's network
to see if they're funding terrorists.
So David's team got busy scanning the IP space
of that target country's government network.
And you'll never believe what they found.
Stay with us.
This episode is sponsored by Shopify.
The new year is a great time to ask yourself, what if?
When I was thinking, what if I start a podcast?
My focus was on finding a catchy name, some cool stories, and working out the best way to record. But oh, so much more goes into making a podcast than that. If you're thinking,
what if I start my own business? Don't be scared off, because with Shopify, you can make it a
reality. Shopify makes it simple to create your brand, open for business, and get your first sale.
Get your store online easily with thousands of customizable drag and drop templates,
and Shopify helps you manage your growing business.
Shipping, taxes, and payments are all visible from one dashboard, allowing you to focus on the important stuff.
So what happens if you don't act now and someone beats you to the idea?
The best time to start your new business is now with Shopify.
Your first sale is closer than you think.
Established in 2025.
That has a nice ring to it, doesn't it? Sign up for your $1 per month trial period at Shopify.com slash Darknet.
After the team at Project Raven scanned the .gov URLs for the target country,
they found a VPN portal, a place you can log into,
and from there you can get access to the internal systems in that network.
And guess what? That VPN was using default credentials.
It's not very hard to find default credentials. A Google search. So, and I would say
that 95% of, you know, initial accesses are gained based off of some type of easily guessable or default
credentials. I mean, look at the, you know, IoT world right now. That's exactly what's happening.
Take note, listeners. Change your default passwords and don't use any of the top 100 most common passwords like qwerty or 12345. Make it hard for people like this to break into
your stuff. Double check your routers, firewalls, computers, phones, emails, VPN servers, and make
sure none of them are using easy to guess passwords.
So when you, when, when somebody at your shop gets into this thing, now this is where you shine, right?
Being able to move laterally in a network, pivot around, find the goods.
Is that right?
Um, it's sort of one of the things that I was trained in and, you know, and, and again,
I'm really good at ideas, like, hey, let's do this.
And then it's like a bunch of research if nobody's done that before.
The idea they had here was let's start reading emails within this .gov organization.
And so they found the organization was being managed by an MSP.
An MSP is a managed service provider.
Basically, this .gov organization didn't have the expertise or headcount
to handle all the routers, firewalls, servers, phones, or whatever. And so they contracted all
this out to someone else to take care of it. And that's what an MSP does. It manages, patches,
oversees, and troubleshoots the network devices. I think in this case, they did a bad job at
managing the network since they left default passwords on the VPN, but who am I to judge? David's team found a device on the network managed by this MSP. It was a server
running an app called ManageEngine, which is basically a tool to help you monitor your network
better. The default credentials on this platform, again, default creds, are administrator,
administrator. You log in, and there's a known vulnerability for this where you actually have to,
you're creating a ticket, but in that process of creating a ticket, you can upload a document.
In that process of uploading a document, since you're an administrator, you go back to the
administrator console where it tells you where do you want the documents to go that you upload,
and then you can change that to a new location. Say, for instance, if you know it has a /var/www/html space, and you know, hey, I can actually just drop these right in there,
you know the subfolder creation naming convention for each ticket number, then you go and create a
ticket, you put an ASPX web shell on there, you can upload it as part of that ticket, and now you browse to your ASPX web shell, and you have either a web shell or, if your ASPX is a reverse, let's just say
Meterpreter session, now you have access to that server.
Realizing that they had credentials stored in the machine, that we just used their encryption
process to, just took that down, reversed their encryption process.
Again, somebody else significantly smarter than me did this.
Reversed this encryption process to actually decrypt the passwords for administrators for
peered networks in this platform.
Okay, so now they have a whole bunch of usernames and passwords of people who log into this ManageEngine server. And from here, they figured out that some of the users also worked for this MSP. And they also found a tunnel back to the MSP. So now they decide to try to get into that MSP's network.
You have two different ways. If you have a credential, you just use your, your again, living off the land,
your NetBIOS,
your SMB,
passing the hash or even the plain text password,
log in remotely until you get where you want to go to the domain controller,
dump all the credentials and then install persistence throughout the
environment.
Whoa.
Oh man.
Like this is,
do you realize what's happening here?
David's team has access into the managed service provider, this MSP.
This is a company that has a map to all the critical infrastructure for this .gov organization.
And it also has all the passwords and IP addresses and access to all these systems.
But not only that, this MSP had many more clients, like other .gov networks in this
target country. Do you see now? David's team just got tons and tons of access into that target
government's network by gaining access to this single MSP. I mean, where do you even begin
looking for emails or communications saying that they're paying the terrorists.
The UAE government asked Project Raven for an update.
Did you find anything yet?
The team responded by saying, We gained access to the Ministry of Foreign Affairs,
you know, their Royal Family Airline,
some of their military infrastructure.
This was very interesting to the UAE government.
They then asked the team to track the Royal Family Airlines of this target nation.
Yeah, where they're flying at least.
And then we started getting requests for daily pulls.
We want this particular flight tracker on a daily basis.
Again, that was sort of another red flag of like, why is this important?
Like, if you guys are just looking for proof that they're funding the Muslim Brotherhood,
why do you guys need this information?
And so, more internal conversations that, we didn't do, actually, we're becoming the intelligence shop, intelligence-gathering shop, for essentially the local country's intelligence agency.
So we're no longer really focused on getting this particular type of information.
And that's when questions started to come up.
Why are we doing this?
What is the point of this? And in reality, from a political perspective, I can see that there's a lot of
points. They want to know who else this country's talking to, if they're lying behind their back,
or so on and so forth. But I mean, those are just speculation. I would assume that they're
doing this, but I don't really have any idea.
Let's put our ethics cap on here.
If you were hired to work in another country as a cyber mercenary, if you will,
and you come for the money and to help the government fight terrorism, but now you're just helping the UAE collect intelligence off a foreign government's royal family,
do you question it, or do you do it diligently with no questions asked?
This scratched something in the back of David's head. Something wasn't exactly right with this.
But he kept on doing his work anyway.
He went back into that foreign government network and started looking around for anything about
terrorist funding. And sometimes when David was in that network, he would see someone else was also in there at the same time, another hacker.
Maybe another government agency has hacked into the same system that he was sitting on.
And seeing something like this always makes you slow down and take a breath.
We're not going to like going in and help clean up an entire environment because
we're in there. So, but you can see that there's stuff there.
You kind of can do some research, in fact, figure out what it is.
But lots of times in those environments,
you either don't use those particular machines that might have other
infrastructure on there,
or you just do your best to sort of blend in.
And also, if you have proprietary tools, you don't use those tools on that piece of infrastructure.
This makes sense, right?
Exploits are weapons.
And if you load up your best weapon so that you can hop into another computer,
anyone else who's on that system can also see your exploit or weapon and grab it for themselves.
So it's best to use off-the-shelf stuff because you really have no idea who else is hacking their way around this network too.
The UAE called up Project Raven and gave them a new request.
Hey, is there any indication that bribing happened
for a particular sport? We want to know if a sport happened, like if it was bribing because
we both bid on this to take place in our country and then they won it. And we think that we probably
bid higher and we had a much better chance, but they won. And then we realized that the requests were all political. I mean, there's no,
there's no real request about funding the Muslim Brotherhood.
I mean, it was just sort of the shady request designed to push us forward to gain access to this.
Hmm. Again, this was odd for David, because he came here to do something else.
He quit the NSA and moved with his wife all the way across the world to here, the UAE, to battle terrorists.
Now he's learning that's not what this role is actually for.
It's kind of changed.
And this is kind of hard to handle.
I mean, if he knew this was what the job was from the beginning,
he might not have moved all the way over here to do it.
I think this is when David starts to really question his work here.
There were other teams in the villa, like I was saying earlier.
David was there to extract information from the target.
But his team would give that information to another team for analysis, which is just in another room in this villa. One of the people in that analysis team was named Lori Stroud. Lori would take the information collected and try to make sense
of what it was and then give it to management and then the UAE officials. Before coming to Project
Raven, Lori was a technology consultant for a company called Booz Allen Hamilton. And after that, she went on to work for the NSA.
But now she's here in this villa with David.
Lori, too, was getting suspicious of the motives that the UAE was giving her.
We start getting requests for targeting of, let's just be honest, journalists and human rights activists.
And again, they started to sort of raise some pretty significant flags.
There were journalists and activists that were being critical of the UAE government and their leaders.
Basically, the UAE saw these people as threats to the nation and wanted this team to get anything they could off them.
What stories were they working on? Where were they rallying? Where were they located? What were
their phone calls about? Now back in the U.S. where David and Lori are from, this is wrong.
The First Amendment of the Constitution protects against this. In short, it says Congress shall
make no law prohibiting the freedom of press or the right of people to peaceably assemble. So this was not okay for them to morally or ethically do.
As David said, this was starting to go too far.
This was becoming a bigger red flag now.
No, there's no potential threat.
The only potential threat is going to be political.
It just sort of turned into something that we didn't really quite,
none of us really agreed with. None of us thought it was the right direction for us to be going.
And we started to raise questions. We started to say, hey, I don't think this is the right way.
The UAE was requesting more and more from Project Raven, which clearly looked like it was for political reasons and not for threats against the nation. At one point, they asked the team at Project Raven if they would
consider targeting U.S. computers. Like if a known terrorist was using a computer in the U.S.,
then they wanted the data off that computer. But David is from the NSA and military, and he
remembers clearly reading through FISA, the Foreign Intelligence Service Act, and in section OVSC 1203, it clearly says if you find yourself targeting a U.S. person, you should de-target them at an emergency priority.
This was clearly going over the line for David, so he advised management to push back on this objective.
We told them that, you know, we're encouraging you not to do this. Yep. With that,
a lot of conversations went back and forth between this company that David and Lori worked for and
the UAE government. At one point during her analysis, Lori found that data was collected
on U.S. citizens, and she decided this was wrong. She said, quote, I don't think Americans should
be doing this to other Americans. I'm a spy. I get that.
And I'm an intelligence officer, but I'm not a bad one. End quote. Lori was not happy with this
and started to raise even more questions. By now, over at the villa where Project Raven was,
the seams were starting to show. Employees were asking questions and they were feeling hesitant
about the work they were doing. Probably at this point around October, November, there's sort of a lot of red flags going up
for people.
And then my wife and I, we left for Christmas break to go back to the States around Christmas
time.
And I think it was December 17th or 16th or 17th
when I got an email saying from our U.S. contracting agency
that they're essentially giving everyone a reprieve on their contract
and if you want to go back to the United States,
they'll pack you up and ship you home at no cost.
And we decided to do that.
And a lot of people, I mean, there's also a lot of people who decided to stay.
But a lot of the people that I operated with on a daily basis decided, I'm not staying here.
And so we took off.
After David left, Project Raven continued.
They carried out new operations and tasks that were given to them. And I'm going to switch gears here for a
minute and bring on someone new to talk about what happens next at Project Raven.
My name is Rory Donaghy and in 2012, I set up a human rights group that was effectively just a
WordPress website and a blog where I set out press releases from. It was called the Emirates
Center for Human Rights. And I wrote about human rights abuses in the United Arab Emirates
because I felt that they weren't getting enough coverage.
And I had built up some good contacts that helped me with information that happened there.
Rory was living in London in the UK, and he started this little WordPress blog
simply to call attention to some of the bad things that the UAE government was doing.
But this blog started to pick up, and it was getting noticed by some bigger journalists.
I was getting good coverage and getting access to big platforms.
So I was being interviewed semi-regularly by the BBC across its English and, crucially, its Arabic platforms.
And also, you know, the work was being covered a little bit more in places like the Financial Times and the Guardian.
So places where there was discussion about Dubai, other than in a positive tourist and business sense,
all of a sudden there were these stories about torture and how they were treating people in prison and political activists and shutting down a free speech.
So it was changing, I think, slightly the international image of the UAE at
the time. Here's a clip from Rory on the BBC. I'm joined by Rory Donaghy, who's campaign manager
for the Emirates Centre for Human Rights, based here in the UK. Why is this important?
This is important because they've been tortured and some have been held as enforced disappearances
over the last seven months. We've seen the European Parliament condemn the human rights abuses in the UAE over the past two weeks.
Well, let me quote to you what the Attorney General, Mr Kobayashi, has said.
He says that they were arrested for managing an organization with the aim of committing crimes against state security.
Well, there has been no evidence brought forward for that.
They haven't gone to court yet either.
They haven't gone to court. No. They haven't gone to court.
No charges have been brought against them.
The UAE government did not like Rory talking about them.
They told Project Raven to get in his computer and phone and spy on him.
One day at work in the Middle East, I got an email asking if I could take part in a human rights panel, and if I wanted
to take part in it, could I click on the following link and comment on a piece. And the link looked
like it would go to an Al Jazeera English website, but the email address was very odd.
It was random and the English was poor, misspelled. But nonetheless, I was foolish enough to click on the link.
And when I did, it didn't go anywhere, and so I thought it was very strange.
So I just forwarded it on to Citizen Lab and Bill Marzak there, who I knew through work.
And he got to work on it because even at that point when I sent the email to him,
I couldn't have thought that I was being
surveilled. I just thought it was a bit strange. So I really had no idea what was going on.
So Rory gave this email to Citizen Lab. They basically do research on espionage going around
against civil society. So if a journalist or an activist thinks they're being targeted by malware
or espionage from some government, they can go to Citizen Lab to get help. So Rory sent this
suspicious email to them to check into it.
After some time, Bill came back to me and told me that
I had been the target of this spyware.
Besides the URLs riddled with spyware,
there were a lot of people tweeting at Rory too.
Citizen Lab found 31 public tweets sent to Rory that were suspicious. These were all
tweets about human rights activities in the UAE with shortened URLs that contained spyware.
These tweets were publicly sent to Rory. But what was really interesting about these tweets is that
about six of the accounts that sent these tweets were actually UAE citizens, except they had been
arrested. And these tweets were sent after their arrest.
Oh yeah. So this is a common tactic in the UAE, which would be, once they had arrested a political
activist or dissident, they would then take control of their social media accounts and then
use them to try and sort of lure other people they would want to pull into their web of
surveillance, because obviously they couldn't arrest me because I was living in London.
So yeah, that's quite a common tactic.
It's a really frightening tactic.
A very freaky tactic, but an effective one,
because the team at Project Raven did completely infiltrate Rory's computer and phone.
Bill at Citizen Lab told Rory the bad news.
He said he believed that ultimately it was the UAE government
to spy on me and probably listen and read all my communications.
They weren't just surveilling me from what I understand.
It was also my parents, a younger brother who's got special needs,
who poses no threat to anyone, the school he went to, my partner.
So I did feel really violated.
I guess the thing that I would say most about it is that
when people ask about this story, is that it all happens silently.
So I was just carrying on with my life. When I think about the experience of it, there wasn't really an experience of it. It
all happened so silently. It's such an effective way of surveilling someone that you
have no idea about just how pervasive it is or what they have access to. And so it's not
really, it's not an experience as such. It's just something that
happens and then someone tells you about later. And it's quite hard to retroactively feel something
because it's already happened at that point. So it's just, it's a very bizarre experience.
I don't know, if I learned that a foreign government has infiltrated my computer and
was looking at my emails, private messages, texts, and knowing what stories I was working on, I'd be extremely freaked out.
So I think it's a little weird that Rory didn't panic more.
Actually, when you talk about my response to it being weird, I think it's because I felt safe in London. And if I'd lived in the UAE under the fear of this authoritarian government that's
capable of torture and imprisonment for a long period of time, I'd have felt very differently
about it. Hmm, that does make sense. If you compare torture and arrests versus being spied on,
I guess he got the lesser of two consequences for speaking up against the UAE on that one.
He was able to clean up his computer, wipe the spyware off, and was careful not to be infected again. But he looks back on this
experience, and it's still a bit shocking to him. Yeah, do you know, the fact that there was like a
whole team of people, and they must have spent quite a significant sum of money on this,
I find that frightening, because that's still going on now, but just to someone else, I imagine.
While Rory was writing about human rights in the UAE from London, there was another activist also writing about this same stuff, but he was an Emirati.
His name was Ahmed Mansour, and Rory talked with him a lot back then. Yeah, I mean, Ahmed was a close contact and I'd say, you know, a friend
throughout the time that I covered human rights abuses in the UAE, and Ahmed was the number one political
and human rights activist in the UAE.
Here's a clip from YouTube that's
Ahmed talking about human rights.
Hello, ladies and gentlemen.
My name is Ahmed Mansour from United Arab Emirates.
I will focus this presentation on the latest development
related to human rights situation in UAE.
The first point that I would like to talk about is the arbitrary detention.
Once again, this is another person that the UAE government was not happy about and assigned
Project Raven to spy on Ahmed as well.
And the same tactics were used, phishing emails from so-called activists, tweets from people
who were arrested.
And Project Raven also got into Ahmed's phone and computer and could see pretty much everything
he was doing.
But Ahmed had a much worse fate than Rory.
So Ahmed was arrested by the Emirati authorities
and accused of some crime that wouldn't exist in any democratic state.
I think it was communicating with foreign enemies or something along those lines.
He was actually charged with damaging the country's unity,
which kind of sounds like a made-up crime to me.
And sentenced to, I think, 10 years in prison.
And there's been credible reports of his torture
and kept in really terrible conditions in the UAE.
Jeez, can you imagine if you speak out against your government
and then the government hires a bunch of ex-NSA people to spy on you
and this leads them to find where you live
and what you're doing
which then gets you arrested
and then you get put in prison for 10 years
and placed into solitary confinement
with terrible living conditions
and let's not ignore that
all of Ahmed's family is also spied on
his wife's phone was also hacked by this group
and she now lives in fear
and social isolation as a result of all this. And the reason that this has happened to Ahmed
is because he has been the lone light in covering human rights abuses in his country for many years
and led to him winning prestigious human rights awards, including the Martin Ennals Award for
Human Rights Defender of the Year. And his growing stature as an international human rights defender
is really what I think led to his arrest,
because he was known as being,
he wasn't affiliated to any religious or political group
that could be used to undermine his credibility by the UAE.
So Ahmed stood alone as this really respected human rights activist.
And I can't stress enough how brave and courageous he was to do that work in a country where he knew
that if when he was going to get arrested, which was inevitable, that he would be tortured and
in such a terrible way. And prior to his arrest, Ahmed was being surveilled in the most pernicious and obtrusive way,
which, as I'm sure you know, led to Apple having to issue an update to their software
because of the way he was surveilled, which was through, you know, it was sent to his iPhone.
Oh, right, Apple and the iPhone. Let's talk about that.
Project Raven had access to this crazy
hacking tool called Karma. When I read about Karma, it kind of reads like how Hollywood
hacking is portrayed. It's crazy simple and it blows my mind. In 2016, the UAE purchased this
hacking tool Karma from some outside vendor. We don't know who made it or where it was purchased
from. The UAE told Project Raven,
look, we have this great new tool and you can target iPhones with it.
But this was its limitation too, just iPhones. And here's how it works.
If someone in Project Raven knew their target had an iPhone and wanted data off it, they might
decide to use Karma. And all you have to do is give Karma the phone number
or email address of your target. A text was then sent to that target's phone. And here's the
craziest part. The user doesn't even have to click on a link or do anything in order for this exploit
to work. The text just has to get to the phone. And once it got to the phone, the exploit could
then steal photos, emails, text messages, and location data,
all without user interaction. It really was an amazing tool for getting the data off these
targets. It was too easy even. We aren't sure exactly how, but it looks like it was exploiting
a flaw in Apple's iMessage. By sending this crafted text through iMessage, it enables the exploit.
In 2017, Apple pushed an update which made this tool much less effective.
There isn't a lot known about this tool,
but even just this gives us a sense of what its capabilities were
and what Project Raven had at its disposal.
David told me he never used Karma himself,
but I wonder if that just means he just
told other people to use it. The UAE government terminated the contract with Project Raven,
brought in a new contractor named Dark Matter. Dark Matter is a UAE company owned and operated
by UAE citizens. The people who were at Project Raven had the option, either join Dark Matter
or quit. And about a quarter of them quit, but the rest moved on to Dark Matter. Lori was one
of the ones that moved on to Dark Matter. You have to understand, Lori was working for government
contractors for a while, and the NSA. She's used to doing this kind of clandestine work. In fact,
she loves doing cyber espionage. It's what she's good at. And this was a good paying gig. So Lori
kept at it. And the UAE was now working with Dark Matter to carry out these objectives and offensive
intelligence operations. Lori continued to work for Dark Matter for a while. And at one point,
she got a list of targets. When she looked at the list,
she saw that some of them were Americans. And she looked up their occupation and saw these were American journalists. Oh, this made her sick to her stomach. She raised even more questions about
this and started to say this isn't right. So Dark Matter put her on leave. They escorted her out of the building and had her
passport revoked. That had to be extremely scary for her. To be in the UAE, upset with the UAE
government, and to have your passport taken? She felt like she was probably now a target and being
surveilled. She was stuck in this country with no way out. This had to be a very dark time
for her. After two months, she was allowed to go back to America. And upon arriving in the States,
at the airport, the FBI agents questioned her and asked, what U.S. citizens were you spying on?
But she refused to tell them anything. I think she thought she was under UAE
surveillance still at that point. And it was all probably just so stressful.
The FBI still, to this day, has an ongoing investigation about all this.
They want to know whether or not classified information was given to the Emiratis,
and if targeting U.S. citizens actually happened.
Because these are both clearly illegal, and the FBI wants to know if these laws were
broken. And still now, Dark Matter is operating and working with the UAE government and NISA.
And they're probably continuing to do all the espionage on behalf of the UAE government.
Now you might be wondering, how do I know all this? Well, David just told us, right?
But he only told us some of the story. Back in January of this
year, Lori came forward and told her whole story to Reuters. Journalists Christopher Bing and Joel
Schectman took her story and fact-checked it against a lot of people, including eight ex-Project
Raven employees. Chris and Joel did an amazing job reporting the story and published it earlier this
year. And of course, I fact-checked their story too. I made a lot of phone calls and wrote a lot of emails and had some very interesting conversations about this
whole story. I even called up an ex-NSA person that I know who has contacts in Dark Matter to
learn a little more. And yeah, Reuters did a great job on the story. And when the story came out,
it made really big news. But the only one who allowed her name to be in the story was Lori.
Now, for the first time, you heard a second person
come forward, David. He has never spoken publicly about this until now, which is pretty exciting to
hear someone else tell us this inside story. It's kind of a big deal. I asked Rory what he thought
of this story when he read it. I remember telling my partner about the story before it was going to come out. She obviously doesn't think I'm a liar, but I mean, she thought it sounded a bit crazy and that maybe I'd been duped into thinking that this had happened because of just how crazy it sounded. When the Reuters guys phoned me initially, I felt that even at that point, even with all my knowledge and
experience of the UAE and the Gulf, I still felt that this sounded like it had gone a bit far,
like, really, would they really have gone through this much effort to surveil me? So I was
still a bit surprised by it all. I was glad that it came out because I think that people should know the truth about a
country that invests huge sums of money to portray itself as a friendly, open, global country that is
tolerant and happy, but in reality is nothing more than a tin pot dictatorship with billions and
billions of dollars to keep hold of power and lock up anyone who challenges them. And that's a really
important thing to know when they're a close ally of not only my country and the UK, but also of
America and other European allies. Do you think you'll ever go to the UAE again? I wouldn't feel
comfortable going to the UAE, even if the president of the country gave me a personal assurance that nothing would happen to me
if I went there.
And again, it's not because I feel important or whatever,
it's just that I wouldn't trust authorities to not harm me
because they've so consistently done that to a whole range of people
from petty criminals who've been there on drugs charges or
written a bad check in bad faith to political activists. So I would never feel comfortable
going to the UAE. Project Raven was a hacking unit working for a company called CyberPoint,
which is based in Baltimore. The CEO of CyberPoint was questioned about all this and flat out said the mission of Project Raven was to help the Emiratis defend their network,
very similar to what that Purple meeting said they were doing. But perhaps the CEO didn't
actually know. Perhaps that unit was initially set up to do that, but somehow transformed to
become offensive all on its own, without proper oversight from CyberPoint.
And David even said, over time, the missions changed.
And so this was a secret operation in the UAE.
How much of a secret operation is really going to be reported back to Baltimore?
Dark Matter has publicly said that this entire story written up in Reuters is false,
made up, it's defamatory, and it's unsubstantial, and they deny
any wrongdoing. Oh, and check this out. You might have a Dark Matter root certificate in your
browser. In 2017, Dark Matter applied to be a sort of certificate authority. They wanted to issue SSL
certificates to websites so those websites are secure. And all major browsers granted Dark
Matter the ability to become a certificate authority with provisional status. Ah! So yes,
their root certificates were trusted in all our browsers. And after that happened, Dark Matter
approved 275 websites to be trusted. But this year that changed. When Reuters published that report,
Firefox and Google read it,
and they saw what Dark Matter was doing, and they decided to revoke that root certificate from being
trusted. So now certificates from them will show up as untrusted sources. I hope the other browsers
follow suit too. While I was putting this episode together, I went to Black Hat, the security
conference in Vegas. And there, Natalie Silvanovich gave a presentation on exploiting iMessage. Let me tell you about Natalie, because
in my book, she's amazing. Natalie works for Project Zero. Project Zero is amazing too. It's
a project that Google started. Basically, the Project Zero team at Google has the job of finding
vulnerabilities in software of any kind. It doesn't have to be just Google vulnerabilities.
It could be software with Microsoft or Apple or anything. Natalie works on this team and simply
obsesses over finding vulnerabilities in software. After hearing about Karma and what this Project
Raven was doing, she decided to take a deep dive and try to figure out how Karma could have worked.
Because it's really remarkable to just send a message to an iPhone
and to get back pictures, text, location, and more. So Natalie began trying to exploit iMessage
on the iPhone. And I won't go into how she found the bugs, but she found three vulnerabilities on
the iPhone. Now, when someone at Project Zero finds a vulnerability, they tell the vendor and
they give them 90 days to fix it. If it's not fixed in 90 days, they're going to publicly
disclose this vulnerability.
So software companies better move quick
once Project Zero tells them about the bugs.
Natalie told Apple about these three bugs,
I think back in May of this year.
Then she waited.
Apple acknowledged the bugs and patched their phones.
And once that happened,
Natalie published her report about the vulnerabilities found
and gave a presentation on it at Black Hat.
And what she found was really interesting. It's not the smoking gun, and there's no evidence that this
is what Karma was or used, but it might be. Basically, Natalie found that if you send a zip
file to an iPhone, the iPhone then tries to peek inside it to look at the object file within it
and then display on the iPhone what kind of files are in there.
And it does this automatically without the user even trying to open the file or click anything.
And here's the crazy part. When your iPhone gets this file and looks inside it, it looks at this
object file inside it, which can instruct your phone to go to a URL without the user clicking
anything. Now, this alone is useful information. Just by visiting a URL,
you get that phone's IP address and other metadata about the browser type. And this could give you a rough idea of where that person is. But on top of that, it's requesting a certain thing from that
URL. And if you send it back on malicious payload to execute, you could do extra stuff to the phone
that you shouldn't be able to do. This is a fascinating exploit,
but it doesn't quite capture all the text and pictures. But remember that Apple did a patch
to iMessage back in 2017, which Project Raven operatives said made Karma less effective.
So, hmm, hopefully now, now that Natalie has found three vulnerabilities in the iPhone,
hopefully this makes Karma completely useless.
But we don't know for sure.
Now, I wanted to give the last word to David because one of the main reasons why he wanted to come on and share this story is because he wants to give a warning to anyone accepting foreign contract work.
If a recruiter comes to you with a high paying job in another country, you might want to think twice about it.
I guess my encouragement from that perspective is if you are transitioning out of a space like, you know, from a technical or offensive space, and you sort of hear of jobs, hey, let me go ahead and take this job over there and do this because it's going to be this low-level networking position, just kind of understand and know that what you're signing up for may not
be actually what you're doing. What you're going to go, what you're being promised or what the
job description is, if you're going overseas, is more than likely not what you're going to do.
Creating a safety net for yourself is really the right way forward. So say, for instance, if you're married
and you're going to go take a foreign job and you don't actually know what you're going to be doing,
then go without your spouse for the first couple of weeks. Kind of see, let me go over there and
fill it out. That way, if you do have to leave and you have to leave in a hurry, you're not buying
two plane tickets out of a country, you're only buying one. Or if you're deciding this is sort of not the
right space for you, then you can leave significantly faster. If you are going over a
certain spot and you have experience doing things and people contact you and reach out to you
that you don't know, you never heard of before from, you know, even especially if it's a foreign contracting vehicle,
if it's not an American contracting company, that should, of course, be a significant red flag.
If you're being recruited for dark matter and you have any type of cyber or offensive space or offensive background in the cybersecurity world,
chances are you're not going to be doing what you think you're doing. A big thank you to David for being brave enough to come forward with this story. Amazing, amazing.
Thanks so much to Rory Donaghy for sharing his story. Also thanks to Christopher Bing and Joel
Schectman from Reuters. Their article is titled Inside the UAE's Secret Hacking Team of American Mercenaries.
And that article is amazing and you should all check it out. It's got the floor plan of the
villa and it goes into so much more detail. And of course, thank you to Lori Stroud. None of
this would even be known if it wasn't for your bravery bringing all this to light.
For show notes and links, check out darknetdiaries.com. And while you're there,
you might as well check out the shop where you can buy stickers and shirts.
And trust me, it'll make your friends jealous if you have one of these,
and you'll also look really good in one of the shirts from there.
This show was created by me, the Pulit Packard, Jack Recider.
Editing help this episode was by the Dot Matrix, Damien,
and the theme music is by the helmet wearer, Breakmaster Cylinder.
And even though my name is probably put on a list somewhere within Dark Matter, whenever I say it, this is Darknet Diaries. Thank you.