Hacked - The Black Folder
Episode Date: September 30, 2021. Jordan Bloemen & Scott Francis Winder discuss Project Raven, and the fuzzy line between a good spy and a bad one. If you like the show and want to make sure we can keep making it, please subscribe and, if you can, visit https://www.patreon.com/hackedpodcast and show us some love.
Transcript
It's your first day at a new job, and you walk into the room and on the table in front of you are two folders.
The first folder is purple, and the second folder is black.
Inside the first folder is a document that explains the job you're there to do, and the job is as follows.
You are a cybersecurity professional. It's your job to build firewalls, stop intruders, and plan and build defensive measures.
Which makes sense to you. That's the job you showed up to do.
But right there on the table is that other folder, the black folder.
And you pick it up and you open it.
And the black folder says,
you know the purple folder?
Like the one you just read?
It was a lie.
It's your cover.
It's what you're going to tell people,
but it's not what you're actually here to do.
You are not a defensive cybersecurity professional.
You are an offensive one.
You are a cyber spy tasked with hacking whoever we tell you to.
You are to use your considerable knowledge to hack people's emails, steal personal information,
monitor their conversations, and if possible, track their movements.
But you've got the purple folder.
You've got the cover.
No one has to know what you're actually here to do.
And it's all legal.
It's totally above board.
And you're going to be paid super well.
So you got those two folders, those two different stories.
And the question that we're going to talk about today,
the question kind of at the heart of this whole story,
is do you show up for work the next day?
So this year, years after that question, that exact question,
was posed to a handful of people who showed up for work in a villa in the desert,
This year, charges were laid.
And this month, a settlement was reached.
Regarding their participation in something called Project Raven,
our subject this episode.
This is the black folder here on Hacked.
Doon, do, do, do, do, do, do, do, do no, no.
Is that the theme song?
That's the new theme song, yeah.
I don't remember that part of the theme song.
I can remix that and put it at the end.
Well, good news.
It's in my audio file.
So like many other things that shouldn't end up in the podcast episodes that you feel
that need to include, I'm sure it will include.
It's open to the final edit.
Editorial discretion.
So, Scott, say you used to work for the NSA or,
like, CSIS here in Canada.
Yeah.
You were a cyber spy for like your government.
Yeah.
But then you quit being a cyber spy for your government and you move to another country,
a country that has their own cyber intelligence organization.
Here's a very big question.
Is it legal for you to go and work for them?
I have no idea.
I would assume.
I would assume that when you start working for the NSA, that there is some life-binding contracts
and agreements that are partaken in.
So I have no clue, but my best guess would be probably not.
I think the treason hammer is probably pretty close to you at that point.
Sure, sure.
It's kind of just hanging over your head the second you get off the airplane.
Yeah, you're like, hey, I'm here to work in your cybersecurity division with all
of the knowledge I have from their cybersecurity division.
I'm sure it's not a good look.
That would make a lot of sense, wouldn't it?
Would.
According to U.S. national security lawyers, it's shockingly legal.
Wow.
The laws are pretty muddy.
Yeah.
You can totally do it.
You can get on a plane and if you work for the NSA,
you can go work for someone else.
But there are, importantly, two things
that remain super, super illegal in that very, very specific situation.
It is, A, mega illegal to go work for a foreign government and share classified information
regarding hacking.
Of course.
Like, you can't share classified methods, classified tools.
And it is, B, illegal to go to another country and then spy on your own countrymen.
Sure, actual treason.
It's just treason at that point.
It doesn't matter if you used to spy on Americans legally.
because you were doing it for the NSA.
If you do it for someone else, it's still, it's treason.
Which sounds like a pretty, like, okay, I can follow those rules.
Don't share classified stuff and don't spy on their countrymen.
But no part of this story is nearly as clean cut as that because the cast of the story is spies.
And they are not a historically forthcoming bunch.
Totally.
And once you learn something, as has been historically proven time and time again
in intellectual property lawsuits, it's probably,
once you learn something, it's hard to not know it and have it not guide your decision making.
So violation of rule one is probably very common as well.
Yeah, it's pretty tough to be like year four at a job and to know how to do something and to not say something because the solution is classified.
Yeah, and be like, I don't know, guys.
What if we tried this?
Who knows?
Yeah, it's a real thinker and they're all looking at you.
Like, we know the NSA knows how to do that, my guy.
Like, can you please just tell us?
So only one person has made their name public and told their experience of working at Project Raven, our subject.
So we're going to tell her story.
And it is the story of a woman named Lori Stroud.
Lori Stroud worked for the NSA for over a decade, for the first six years as a military service member from 2003 to 2009,
before jumping over to being an external vendor from 2009 to 2014, where she worked at a consultancy called Booz Allen Hamilton.
It was Lori's job to go digging around for vulnerabilities in foreign government systems.
So she would try and get into some government computers in China or Russia, figure out and
identify who targets were that the rest of the team would then go after.
But in 2013, Stroud's shine at the NSA wears off.
She's been crushing it for a decade, but then she does something that she characterized
in an interview as, quote, ruining her brand. Can you recall anything that happened at the NSA in 2013,
Scott? I feel like there was a young programmer who released a pile of inside information
about surveillance and maybe he ran away to other countries landing in, I believe, Russia? Does that
sound familiar?
Yeah.
So our girl, Lori, while stationed in Hawaii,
Stroud recommended that this technician who is working in the building join her team.
I want this guy.
He's great.
He should join my team.
A guy by the name of Edward Snowden.
Man.
And it is a good name.
It's a great name.
It's a great name.
Very memorable.
It's historical even.
We don't need to explain what Edward Snowden did, right? You kind of already did. Yeah, it was here as part of her team. Yeah, I said
the word treason like 12 times. So I think people. Yeah, they get it. Uh, it was as part of her team,
based on her recommendation to join her team, that Edward Snowden gained access to the information
that he would go on to leak. Less than 60 days after joining Stroud's team, Snowden had vanished
with all of that data. And Stroud had kind of accidentally, inadvertently given him access to it.
So yeah, her brand at the NSA was not in good shape.
And in the aftermath of all that, Stroud gets this really interesting offer.
This old colleague, a guy named Marc Baier, that name is going to come up again,
offers her a job to work for a different government contractor at a different government.
A company called CyberPoint, who did work in the United Arab Emirates,
the setting of this whole story.
So, like, Stroud looks around at the big Edward Snowden-shaped smoldering pit that she's
standing in and she figures, yeah, I should probably go seek some new opportunities.
So she takes the offer.
She goes to work at CyberPoint.
CyberPoint is a small cybersecurity firm based out of Baltimore.
And they've done work for the U.S. Department of Defense and they do work in the UAE.
For context in 2014, today actually, the UAE and the U.S. are close allies born of shared
enemies, in this case, ISIS.
Neither of them likes ISIS.
both use their intelligence organizations and hacking specifically to go after ISIS and other terror groups in the region.
So the idea of an American consulting company working for the UAE and the American government is not crazy at all.
And CyberPoint for context has claimed that they have done nothing improper throughout this entire story,
which if you define improper as illegal, they might actually be in the clear, whether or not it was like cool stuff they did is a different story.
But we're going to get to that.
Right.
So, CyberPoint, generally above board company, pay their managers close to half a million bucks a year, offer Stroud this job, and she says, let's do this.
Scott, say you run a cybersecurity consultancy and you've got this very sensitive client.
When do you tell a new hire like Stroud, hey, this is what your job is actually going to entail?
When do you reveal that to them?
I feel like it's either day one or
the day after their legal probation's over.
It's one of those two.
Right.
Yeah, whatever it says in that very thick NDA, you make them sign?
Yeah, exactly.
Yeah.
So Stroud signs that very lengthy NDA, which comes up again.
She gets on a plane and she arrives in the UAE and she goes to their office,
which is this big, huge converted mansion known by the team as the villa.
And it's here that she's brought into a room with
two folders on a table. The purple folder and the black folder. The purple folder is her cover.
They are contractors in the UAE protecting the government from hackers and other threats.
And then there's the other one, the black briefing. It explains what Project Raven actually is.
To directly quote the black briefing that Stroud received, Raven was, quote,
the offensive operational division of NESA and will never be acknowledged to the general public.
NESA is the UAE's version of the NSA.
It's their cybersecurity agency.
So whenever you think NESA, think Emirates NSA.
Stroud was going to be part of Raven's analysis and target development shop.
She was tasked with helping the government profile their enemies online, hack them, and collect data.
And those targets were provided to CyberPoint by the client, NESA.
So she works for a company, and the company gets assignments from the UAE's NSA, essentially.
Sure.
All of this kind of like cloak and dagger, all the language of it,
Stroud said it made her feel right at home because it's exactly how the NSA worked.
Yeah.
The security infrastructure that they were feeding, like, that CyberPoint was feeding information into,
is the subject of a lot of international criticism.
People talk a lot about what the UAE does with hacking.
And in the words of critics of the UAE, they've been accused of suppressing free speech,
detaining dissidents, going after domestic targets, not because they're dangerous,
but because they're political.
politically challenging in some way.
Vocally opposed.
In their words, the UAE says, no, it works with Washington to fight extremism.
That's it.
Disregarding what is said about them and what they say about themselves, there's
who this whole thing revealed they're actually targeting in the sort of legal and
journalistic follow-up.
We have a very good sense of who this organization was looking at.
And some of them are the foreign adversaries that you would expect.
Iran, Qatar, Turkey.
These are governments going after other governments.
This is kind of what you expect.
But then there are the domestic actors.
People inside the UAE that the UAE government is targeting using this CyberPoint company.
A quote directly from Stroud.
Quote, some days it was hard to swallow.
Like when you target a 16-year-old kid on Twitter.
But it's an intelligence mission and you're an operative.
I never made it personal.
And this is where I guess a really interesting boundary between what the American contractors
for Project Raven would do, the people who worked for CyberPoint, and what the Emirati
operatives, who also worked for Project Raven but not as part of CyberPoint, would do, because there's
a difference.
There's a really hard line between what one would do and the other would because of those
American laws.
The Americans would identify the vulnerability of the target.
They might develop a tool or a hack to go after them, but it was typically a, you know,
an Emirati operative who would, like, press the button.
Because a law might kind of shake out later that, oh, actually going after them was illegal.
So it's just easier to create this really clean line in the sand that says, no, the person who was always doing it wasn't an American citizen.
Oh, interesting.
And I imagine that, yeah, and I'm curious.
Like, I feel like that kind of compartmentalization probably doesn't exist in most other cybersecurity operations, but it probably exists in every national cybersecurity operation.
I feel, oh, I don't know about every.
I think there's a lot of countries that don't really care.
They're more than willing to push the button themselves,
but I just find it fascinating because it, you know,
it ties back a lot to their, you know, post-9-11, you know,
treatment of prisoners, you know, the whole debacle around torture
and, like, you know, Guantanamo, and it's,
Guantanamo is in Cuba, it's not in the States,
so therefore it's not happening on American soil,
and, you know, all these weird legalese and legal loopholes.
And it's like, yeah, yeah, no, we're fine
to essentially write the script, the plan, the action, the everything.
Yeah.
You know, we just want to make sure that we've, you know, covered our own.
So we're just not going to put the go button.
But if you could just get somebody that you pay to push the go button
and then just give us the information we'd appreciate it.
Thanks.
It's like it's, we just got to hire a guy to press the go button.
It just, it just feels so brutally Patriot Act American.
And I'm probably going to catch flack on Twitter for saying that.
Well, I mean, without getting too much into it, it would kind of make sense that it would imitate the cybersecurity tactics of the people that they're paying to teach them how to do cybersecurity.
Yeah.
It's interesting.
Yeah.
So on the subject of these targets, the people on the receiving end of that go button push, we're going to talk about two.
And I want to start with a guy named Rori Donaghy.
So in 2012, Rori was a 25-year-old British journalist and activist who'd written a bunch of articles criticizing the country's human rights record.
In 2012, he wrote an opinion piece for the Guardian, looking at the UAE government's activist crackdown and warning that if it continued, quote, those in power face an uncertain future.
Based on that writing, Project Raven gets the assignment from on high to go after this guy.
And remember, they had been brought in to bring over all their spycraft from their time at the NSA to kind of mentor and to
teach these UAE operatives.
Prior to their arrival, prior to 2021, former operatives explained that the early intelligence
gathering operations largely relied on agents like physically breaking into homes while they
were like the subject was away and physically placing spyware on computers.
The Americans start to try and build Project Raven's thing that looks a lot more like what they
were doing over in the States.
And they're looking for wins that show that this style of, you know, we're not going to physically
break in.
We're going to find all these other ways to get stuff onto
the victims' devices and whatnot.
They wanted like a way to show that that worked really well.
And Donaghy was this big public target that offered these contractors at CyberPoint
a really visible win, kind of a proof of concept.
Social engineering is one of our oldest subjects on this show.
And they weren't really doing it.
They were just physically breaking it.
They weren't tricking people.
And so CyberPoint says this is what we're going to do.
We're going to show off how well this can work.
To quote members of the team from declassified reports, to get close to Donaghy,
the Raven team set out to, quote, ingratiate themselves to the target by espousing similar beliefs.
Okay.
predicting that Donaghy would be, quote, unable to resist an overture of this nature.
So they invent these characters.
Human rights activists like Donaghy, they start pretending to be them.
And they start emailing Donaghy asking for help to bring hope to those who are long suffering.
And they kind of cultivate this relationship, pretending to be whistleblowers that want to talk to him,
until they finally get Donaghy to download and install software
that they claimed would make it difficult to track messages,
sort of like a signal-style encrypted messaging app.
He does.
And you can guess where this is going.
The software he installed was actually malware
that allowed Project Raven to continuously monitor his email accounts,
internet browsing.
This project started a little bit before Stroud got there,
well into the reign of kind of the Americans being there,
and it continued well into Stroud's time there.
And it was like a really big priority for Project Raven.
Until one day, Donaghy eventually figures out, oh, my email's been hacked.
In 2015, he gets, like, a different dodgy email from a similar account, decides to get in touch with Citizen Lab, who we've interviewed on this show before.
And they figured out that he'd been a target for years.
He gets the stuff locked down.
Donaghy's okay.
He was spied on, his privacy was invaded, but he's, like, physically okay.
And a large part of that has to do with the fact that he's not from there.
He's British.
And importantly, not an American.
So not illegal for the ex-NSA members to hack in the way that it would be if he was from the States.
Sure.
And that brings us to the other victim, the other kind of victim.
The victim on the far side of that veil of deniability that this whole place operated on,
a guy named Ahmed Mansoor.
He's a prominent Emirati activist, and he was codenamed in their system Egret.
And he was the target of another kind of one of these campaigns.
For years, Mansoor had been a very public critic of the government, from their war in Yemen to the treatment of migrant workers.
And in September 2013, Raven operatives roll into the office of a bunch of senior NESA officials with this big folder of material they've been getting off his computer.
Big grins on their faces.
Look how good we did.
Inside the folder are photographs that Mansoor took of a dissident being held in prison.
And it turns out that taking those pictures of that prisoner is against prison policy, and therefore the law.
And then when Mansoor gets them on his computer, sees them, thinks, probably shouldn't have these, and deletes them, he's now tried to destroy the evidence.
It's not the crime. It's the cover up, right?
It's not the crime. It's the cover up.
All of this helped lead to Mansoor's conviction in a secret trial in 2017, when he was charged with damaging the country's unity and sentenced
to a decade in jail.
Yikes.
That's kind of a spread on the kinds of folks that Raven was targeting.
You've got British journalists who are critical of the government.
You've got domestic activists who are trying to, you know, highlight abuses in prison and
getting sent in jail for it.
Which brings us to their tactics, kind of how they did all this.
And a big question, if we go back to the legal tension in the middle of this story,
is where the line between spycraft and a classified
technique is.
And that's sort of what makes all of this legal or not.
General spycraft: cool. A specific tool: not okay.
And a big example of that in this story is this piece of technology called Karma.
Karma is a bit like the no-click iOS exploit that made the news, like, I think three or four
months ago.
And it had been turned into essentially a, I don't know if you could call it a commercial product,
but Karma, used most prominently in, like, 2016 and 2017, is a tool that could remotely give you pretty much full access to an iPhone just by uploading the phone number of the person who used that iPhone, or their email account, into this automated targeting system front end of Karma.
Sure.
Yeah.
And you can probably think of the part of Apple's, like, service ecosystem that relies on either your phone number or your
email. It's iMessage.
Yeah, it's a backdoor that causes something to auto-preview or load or run in the background
that drags the exploit onto your computer and runs it before you've even had the chance to
delete the message.
Three former operatives said that they understood Karma to work, at least based on this, yeah,
the zero-day exploit built into iMessage. The blue bubble has finally betrayed us.
And the way it worked was that you would punch in an email or a number, and Karma would
send this message that leveraged this exploit to install malware and take control of the device,
which is like a very, very powerful product when you start thinking of those terms, because you
can upload hundreds of phone numbers and hundreds of emails and just see what you get.
Just collect phones.
It's basically collect phone numbers of everyone that you want to hack and just hit enter.
And an interesting thing that occurred to me is that you would also have to keep that tool in a very,
very small number of hands,
less Apple find out about it and patch the vulnerability.
A tech tip about malware installed on your phone.
Apple has done such a good job
kind of creating a sandboxed OS
that writing to the permanent kind of OS image
is very, very hard.
So even if your phone does get exploited,
often, chances are, it won't actually write itself to the boot volume.
it'll kind of just live an active memory.
So one of the best things you can oddly do
to just like turn off malware on your phone
is just reboot it.
Really?
The classic IT thing
of just like, you know,
your phone could probably literally be
actively hacked running malware
and if you just reboot it,
it will flush the malware out of memory.
So it, you know, obviously
if there's a
zero-day exploit that no one knows about that they can use to keep getting access, that's a bigger deal.
But as it stands now, I think one of the best security tips for iPhone users is, you know,
when in doubt, just reboot it once a day.
Man, four years ago, with bangers like that, you probably could have made like 400K
working for Project Raven over there. They would have loved to know about that.
I'd be like, yeah, hey guys. Yeah, I'm here. There, I got this tidbit for you.
Just reboot your phone or a couple times a day.
Hot tip, have you tried unplugging it?
Yeah.
I can't remember, like, I maybe, like, I do my reboot my phone every day now.
Oh, really?
But most people never do it.
Like, I remember before I kind of had ever thought about it or had heard that, I think it, you know,
it was probably pretty frequent that I would go months and months without rebooting my phone.
Me as well.
So in 2016, when this comes out, Stroud says that, like, the whole team is
very, very excited.
Quote, it was like we have this great new exploit that we just bought.
Get us a huge list of targets that have iPhones right now.
It was like Christmas, which is cute and insidious at the same time.
According to experts, there's only about 10 countries in the world that really have the capacity to even develop a tool like Karma,
which means that the UAE government purchased Karma from a vendor outside of the country,
a kind of conclusion that was confirmed by the operatives who anonymously spoke with writers for the piece
a lot of this is based on.
Let's talk about what something like karma sells for.
Something that's based on a zero-day bug.
So essentially an unknown exploit that will probably be patched at some point in the future.
But it's super valuable right now.
Yep.
What is, like, do you know what they paid for it?
Do you have any idea what the licensing fee for something like Karma is?
For Karma?
No, I don't know what the licensing fee is.
And then you add in the extra layer of, and you can't sell it openly because then it stops working.
Totally.
They would fix it.
So it means that you have this immensely valuable thing that only an incredibly tiny number of buyers and sellers can participate in the market for.
Totally.
And you also don't want to tell them what it is because then the people who don't buy it will actively try and patch it.
So you're literally like throwing out an RFQ.
like, hey, we have the ability to hack anybody with, you know, some conditionals, but most
of those conditions are met by most people.
What would you pay for this question?
Please respond with dollar value.
I would love to sit on the like procurement committee for that one.
Yeah, it's especially interesting when you think of it as like this weird intelligence
economy of the country that developed it, ex-employees might work for the company that you hire
to teach your people how to do it.
Totally.
And they can't bring over confidential tools, but that government is trying to sell you
one of those confidential tools.
It's like to say the lines are blurry implies that there are lines.
It's such a crazy gray mess.
Well, you also would be, like, standing at the market, like the market for this tool.
And whoever you sell it to, you're now a national hero that will never be recognized.
But to every other person in the market that didn't buy it, you're now an enemy of the state.
100%.
Because I've just given this tool to your essentially opponents.
Like, what a weird economy that's got to be to hang out in.
Yeah, the idea of, this keeps coming up on this show,
but, like, the marketplaces that emerge around the cybercrime products and services is
fascinating to me. The last episode was about that, and we've done a few, and as it gets more
mature, they start looking much more like really traditional marketplaces, and there's just
all kinds of things you can infer from that. It's very interesting. I, like, I want to see
the 2020 version of Lord of War. Totally. But in
Instead of it being, like, selling guns and ammo, it being, like, this crazy intelligence community where you're, like, you know, you've got a bunch of, like, hackers that, like, come up with a zero-day exploit and they're like, okay, we think this one's got, you know, one point two billion, you know, kind of coverage of 1.2 billion people.
Therefore it should be worth, you know, at least 120 million or like whatever they value it at.
And then you get like a Nicholas Cage type that goes out and like tries to sell it to like weird esoteric government.
governments and they're like cyber crime divisions.
Like I'm,
I would watch that film or series,
which I would be happy to help write if anybody's listening.
Yeah,
if you want to develop that show,
we're right here.
We're just hanging out.
We're right here.
Call me.
I want to see that opening montage of the bullet getting manufactured
from like raw metal all the way through to final destination.
Except it's like a zero day exploit,
someone discovering all the way to the point where it's like a cyber product
being sold from one government to another.
I want to follow that process.
Yeah, the Lord of War intro is special.
It's so good.
That one shot, it's great.
Yeah, yeah.
So we've got this film.
Anyway.
Folks hacking.
And the legality of this entire option,
this whole operation,
really hinges on those two big questions.
Is it legal in the country where it's happening,
the UAE,
and is it legal in the country
where the contractor, CyberPoint, is based, the U.S.?
And regarding the latter, if you want to provide very sensitive defense technologies or services like CyberPoint was providing to a foreign government, you need to get a very special license from both the U.S. state and commerce departments, both of whom declined to comment on the fallout of this whole thing.
But a 2014 State Department agreement with CyberPoint did show that Washington understood that the contractors were helping launch a cyber surveillance operation in the UAE.
They understood the basics of what was going on here.
The approval document explains that CyberPoint's contract was to work alongside NESA in the, quote, protection of UAE's sovereignty by, you know, collecting information and all that stuff.
One thing that is very clear and is very, very forbidden.
Again, it's going to say it again, CyberPoint employees were not allowed to target American citizens or companies.
As part of those terms, as part of that agreement, CyberPoint promised that its own staff and even Emirati,
personnel supporting the program, the button pusher, quote, will not be used to exploit U.S.
persons.
And I'm going to keep saying that because it's a pretty big point of how this whole thing
falls apart.
Because by 2015, stuff starts to get dodgier.
And we're going to get to that right after this break.
Think about the last time you heard a breach story on this show.
It always starts the same way.
Someone somewhere saw something.
too late, an alert buried, a signal missed, a SOC that just couldn't keep up.
Arctic Wolf set out to solve that problem by rebuilding security operations from the ground
up for a world where attackers are already using AI. They created the Aurora superintelligence
platform, a fully agentic system powered by the swarm of experts. Instead of single-purpose bots
or lucky-guess LLMs, this swarm is full of deterministic agents that handle entire workflows.
Humans stay in the loop and on the loop to validate the critical decisions and keep everything
trustworthy, and all of this runs on their secure operations graph,
A constantly updating intelligence engine fueled by more than 9 trillion telemetry events every
week and over a decade of real-world incident response.
The system reasons on real signals and real context not synthetic training data.
And the result is the new Aurora agent SOC.
It's the first SOC that is agent led by design.
You get agents that coordinate, agents that investigate, agents that respond at machine speed,
and hundreds more that automate the repetitive work that normally
buries human analysts. Arctic Wolf didn't try and bolt AI onto an old model. They rebuilt the
model entirely. What makes it even more effective is how it works with Arctic Wolf's concierge experience.
The team brings customer-specific context directly into the platform so every AI-driven decision
reflects your environment instead of generic assumptions. The automation frees your concierge security
team to focus on higher value strategy and proactive risk reductions while the agents handle the grind.
If you want to see what trustworthy, production-ready AI in security operations actually looks like,
go to arcticwolf.com slash hacked.
Ever feel like cyber threats are evolving faster than anyone can keep up?
Last year, 2025 was nothing short of a record-breaking year for major breaches,
from sophisticated ransomware operators to AI-enabled attacks that turned defenses on their head.
Organizations around the world saw headlines they never expected
and cybersecurity teams were tested like never before.
But here's the thing.
These incidents aren't just news headlines.
They're learning opportunities.
And that's why Arctic Wolf is hosting a live webinar on February 5th,
diving into the most impactful breaches of 2025.
Their field CTO and security leaders are going to unpack not just what happened,
but why these attacks succeeded.
And most importantly, what businesses can do to fortify their defenses before it's too late.
You're going to walk away with real insights into how threat actors are evolving,
how defenders are responding,
and what strategies can help you stay ahead of the next big breach.
It's not fearmongering.
It's practical, actionable, intelligence from experts in the trenches.
Register now at arcticwolf.com slash hacked.
You get an assignment at work.
Hack into individual users of this ISIS internet forum.
That's the assignment.
So Project Raven's American contractors get called on to make a computer virus
that would infect every person who goes to said ISIS website.
Makes sense.
Except for, what's the one rule?
You can't hack Americans for a foreign government.
And even if they're Americans visiting an ISIS site, they're still Americans.
And this tactic kind of risks capturing them in this.
And that little tension is the start of this whole thing dissolving.
Because Stroud, she finds herself facing this question in 2015, and she cooks up a policy
for what they're going to do when Project Raven inevitably, accidentally hacks an American
using kind of a big-net approach like this.
And it's simple, they're just going to flag that shit for deletion.
Accidentally capture some American data, like the second you know it's American,
there's a thing that just deletes it.
But as time goes on, Stroud starts to notice that American data flagged for removal,
the same little bit of data, is showing up again somewhere else, in Raven's, importantly,
NISA-controlled data storage.
So you can write a rule to make sure you're not breaking the law at work,
but the people who that law doesn't apply to might not follow the rule.
And where exactly does that leave you?
Sure.
They're cleaning out the trash can and pouring it into their filing cabinet.
So by this point, it's like 2015 or so, Raven has been chugging along for like six years.
And when it started in 2009, Abu Dhabi had relatively little cyber expertise compared to some other countries.
And the original goal, Project Raven, was for Americans to come in and develop and run this program for like maybe five years, a decade, until those UAE intelligence officers knew enough to take over.
It was never meant to be permanent.
And by 2013, the opposite had kind of happened.
The Americans at Raven made up the majority of the team.
And so, it's right around here, when Stroud is starting to ask these questions, that the UAE starts to get kind of uncomfortable with that reality, that this increasingly sensitive
national security program is being run by foreigners. So they decide this is going to change.
This program, Raven, is going to be run through one domestic local company. No more external
contractors. It's all going to go through this company called Dark Matter. And the American
contractors were given a very simple choice. You can join Dark Matter or you can go home.
And at least eight operatives took the second choice. They left.
There's this guy in the UAE called Faisal Al Bannai.
He's an entrepreneur who created one of the big mobile device companies over there called Axiom.
That company does incredibly well.
He decides I'm going to make a cybersecurity company and he calls it Dark Matter.
Dark Matter pretty quickly gets the UAE's security forces as a client and they start recruiting.
They employ 650 people.
They acknowledge that they work with the government but they deny that they're hackers.
And this is an interesting aside, according to one of the operatives interviewed, that
might actually be true. The black-purple folder cover thing was so universally and, like,
rigidly maintained at Dark Matter that the actual purpose of Project Raven, even after
Dark Matter absorbed it, was kept secret from at least most of their, like, top-level executives,
according to this operative. But it's when Dark Matter took over that the assignments from
NISA, like from the UAE government, started to change and escalate. And more and more, like,
physical rooms of the villa where Stroud worked started to become what they called
"Emirati eyes only," like whole project teams that the foreign contractors were never supposed to see.
The beginning of this big shift, which, like, you know what they're doing in there, because
otherwise you would know what they were doing in there. Like, the second they start locking the door,
you can kind of intuit, well, they must be breaking one of the two rules I'm not allowed to break.
Sure.
Like, do you quit by now?
Yeah, yeah, okay, me too.
Do I quit by now?
Do I quit by now?
I quit six months ago.
Yeah, for sure.
Yeah.
I never got on the plane to go over there.
I don't know.
That's a, that's a, like, let's just hang there for a sec, because it's like, I feel like most people, and like I think our audience will probably confirm or deny this.
But I think that most people that are interested in cyber crime.
And maybe this is just me projecting, but it's like, it's the puzzle aspect of it, you know.
It's the gamesmanship of it.
Totally.
And it's like, I feel like if you're that kind of person, like I'm that kind of person.
Right.
It's like, if somebody was like, hey, do you want to solve logic problems all day for $500,000 a year?
I'd have a hard time not taking that.
100%.
And it's like, and it's like that's going to speak to a lot of people.
So it's like, you know, it's a personality type.
And it's a person, like, it speaks to, like, a core, you know, driver for, like, a lot of people that like games and, like, that kind of aspect of it.
And I don't know.
I don't know.
Like, it'd be tough.
It'd be tough.
Would you take it?
If you walked into the room and, and I'd put in those two folders in front of you, would you, would you?
Like, I think, I think me, I think I would have taken it, you know?
I think it's tough.
But there's a big part of me that would want to.
It's an interesting thing.
Like, there's lines in this and moments in this where it feels so patently unethical.
Totally.
And then there's other moments where it's so compelling and provocative.
And I'm just vacillating back and forth between those two states.
And then you add in like hundreds of thousands of dollars a year.
I don't know where I fall.
But like you also need to like think about it from the other side where it's like,
it seems so unethical now.
Because we're looking back through these like binary glasses of being like,
oh my God, you know, they were spying on people.
For sure.
And it's like, you know, it's super easy to see the ethical jump there.
But when you were a former NSA operative, which in a job, which all you did was spy on people,
and then you got hired to go work for another national security agency where all you do is spy on people.
Yeah.
It's like, you know, you're so watered down at that point that do you even really notice the difference?
For sure.
Like, it's like, there's still just people, and, like, I'm looking at, you know, so many people's
information already. Like, what is an extra person, and why is it now unethical? You know, I, like, I feel like
your morality at that point has been rewritten, and it's like it would not, it would not feel
unethical.
No, it's, it's kind of the, the whole thing we have with systemic problems in our society now,
where they become the norm.
And, you know, you have to kind of buck the norm to rewrite, you know, the system.
And it's like that's probably the same thing that happened to them, is, you know, it's become the norm to be unethical.
So, like, you probably don't even notice.
Totally.
And with how blurry the morality gets, it then raises this other interesting question of what finally functions as a tripwire?
Like what can cut through that?
That haze.
Exactly.
And that, it's been an interesting part of the story since the beginning,
considering her relationship to Edward Snowden.
And it becomes a very interesting part of the story again at the end.
So at this point, though, it's 2016.
Some of these American operatives are coming back to the States.
And they get off a plane in the U.S.
And a bunch of FBI agents come up and they have some questions for them,
which is weird.
Sure.
Because as far as they're concerned, NISA, who is giving them their
assignments, is supposed to be working with the NSA. So their assignments are supposed to be coming in,
like, kind of pre T's-crossed-and-I's-dotted. But the FBI rolling in with a bunch of questions
would suggest that that's not the case. And the FBI is asking these contractors, hey guys,
are you spying on Americans? Hey guys. Did classified U.S. collection techniques end up in the hands
of a foreign government because of you? Because those are all crimes. And those are pretty
stressful questions.
Two of those agents did approach Stroud in 2016 at Virginia's
Dulles Air.
Dulles? Dulles? I think it's Dulles.
In Virginia's big airport, cool.
They bump into her in Virginia.
She's on her way back to the UAE after a trip home.
And Stroud, which is just a fun little scene, she said she was afraid she might be under
surveillance, which is why she told them, I'm not telling you guys, Jack.
And then she got on the plane and she went back.
But she would.
She would go on to tell them, Jack.
Back at the villa.
Stroud had been starting to get even more access to internal Project Raven databases
after she got this big promotion the year before.
And by this point, it was her job as lead analyst to go looking for user accounts of potential
Raven targets and figure out what kind of vulnerabilities they could use to get a foothold
into the victim's, like, email or messaging app.
And the way that they kept track of all of these targets was by organizing; they had sort of like a big spreadsheet that
organized people based on different parameters, one of which was the country that they're from.
Iranian targets are coded gray and Yemeni targets are in the brown category.
One morning in spring 2017, after she'd gotten through all of her targets, Stroud said that she
began working through a backlog of other assignments intended for NISA officers, her bosses
essentially, that she had access to because of this promotion.
And she noticed that a passport page of an American was in the system.
So Stroud emails their supervisors to complain, and they tell her,
oh, no, that data was collected by mistake.
We're just going to delete it.
She kind of asked questions.
And with her new lead analyst position, she actually has the ability to go into some of these
lists and documents that she couldn't see before.
So she dives into essentially a targeting request list
that's typically only limited to Raven's Emirati staff.
And she finds that the security forces, NISA, had given two other homework assignments.
It asked for surveillance against two other people, two Americans, which is not the deal.
When she takes that up the line, instead of getting a, oh, no, that's a mistake, we'll remove it,
her bosses give her, like, a bunch of hell for accessing the list and tell her to just stop.
One Emirati officer wrote to her that the target requests that she
viewed were to be processed by, quote, certain people and you are not one of them. And over the days
that follow, she keeps going through and she keeps bumping into more Americans on this list
actively being targeted. In the short window that fall, she found another three. And in the notes,
along with the nationality, there are other things listed, including their occupations. And she
saw that they were targeted because they were journalists, which meant that just down the
hall from her here in the villa, that's who they were going after.
American journalists that were critical of the UAE government.
She said, quote, it kind of hit me that at a macro level, realizing there was a whole
category for U.S. persons in this program, I was sick to my stomach.
So again, she goes to her manager, Marc Baier, the guy who way back when brought her into
CyberPoint. He recommends, yeah, you should drop this.
She doesn't.
She asks again and again until finally they decide
to put her on leave. But getting put on leave from the intelligence agency of a country that
you're not from, but you are living in, where you were working as a spy, is not like getting
put on leave at most other jobs. Her phone is immediately taken. Her passport is taken and she's
rushed out of the building. And she described it kind of ironically as feeling like, quote,
one of those national security targets. I'm stuck in the country. I'm being surveilled. I can't
leave. Two months later, they finally let her go. And she gets on a plane and she flies home, and
on the way she digs out that business card that the FBI agent gave her back at the airport and she
makes a call saying, quote, I'm a spy. I get that. I'm an intelligence officer, but not a bad one.
Which apparently puts the line between a good spy and a bad spy somewhere between targeting a
British journalist but not an American one. So that brings us to 2021. And the only other
three names aside from Lori Stroud that we know in this entire drama.
And they are not the names of people who have come forward, but whose names we nonetheless know.
Because in September 2021, charges were laid against Marc Baier, the man who invited her,
a guy named Ryan Adams, no relation, and a guy named Daniel Gericke, who admitted, the three of them,
to violating U.S. hacking laws and laws against selling sensitive military technology to a foreign government,
all as part of a deal to avoid further prosecution.
The three men admitted to hacking into computer networks in the United States
and exporting sophisticated cyber intrusion tools without gaining required permission from the U.S. government.
As part of the deal, with federal authorities to avoid prosecution,
the three former intelligence officials agreed to pay a combined $1.69 million
and to never again seek a U.S. security clearance.
Lori, after fishing out that business card, reached out to the FBI to discuss what had happened.
she then reached out to journalists and participated in the kind of public exposé that formed the foundation for this episode.
She decided when she got back to the States that she was going to blow the whistle.
There were three charges laid and a relatively large fine levied.
And that's kind of where this story leaves you.
And on one hand, it's the story of, it's kind of a classic story of a whistleblower.
Like Stroud saw something wrong and she said something and stuff occurred.
I feel like this is one of those weird situations where it's like, we all know that nations kind of spy on each other.
For sure. For sure.
It's kind of just a thing that they do. And they've been doing it since way before it was cyber spying.
And it was like just real spying.
You know, there's a reason why we have, you know, ambassadors and, you know, intelligence people in other countries and other countries.
You know, there's a reason why these agencies exist.
And it's like, really, at the heart of this story, it's just the fact that it was
contracted Americans doing it for another nation.
For sure.
That then also happened to be gathering intelligence,
even though it wasn't like,
it would be naive to think,
I would think,
my personal opinion is that I think it would be naive to think
that because I'm not allowed to spy on Americans,
that other people aren't spying on Americans.
And it's like,
you know,
you're giving me a Lamborghini and I work in a, in a, like a mysterious villa.
Like, it sounds like too, it sounds like too much of like a, like a, like a bond movie.
100% already. And it's like, you, I don't know, like, to me it just seems like, yeah, of course people are spying on other people.
Like, this really, the ethical thing here is just the fact that it's like, you know, it just happened to be American contractors that were doing it instead of a nation's own people.
or subcontracting it to some big Israeli syndicate
or one of the Italian syndicates
or one of the Russian syndicates or one of the, you know,
it's like it's going to happen.
It just depends on who's doing it.
Yeah.
Like will the UAE ever hire ex-NSA staff
who might end up hacking Americans?
Probably not.
Why would they?
They learned everything they like got,
they wanted.
But that doesn't mean that other countries won't,
like almost certainly.
Maybe Americans, like an ex-NSA person, might think twice about doing it, which says nothing
about all of the other countries that are just as sophisticated who could then go work
for someone else after they're done working for CIS or whoever.
Like there's a market for people that know how to hack for governments.
Yeah.
And it's an international market made of spies.
And that's going to be really hard to regulate.
Well, totally.
It's like you train the, it's like when you think of, you know, they train military soldiers.
and lots of them go on to do security forces afterwards,
and those security forces get similar contracts
for other nation states or the same nation states
or major pipeline companies in foreign countries,
et cetera, et cetera, et cetera.
And it's like a government spent a bunch of money
turning these people into tools.
Other people are going to want to use those tools.
And those people are going to want to use themselves as tools
because it's what they do to earn a living
and support their families.
And it's like, I don't know,
It's just the world we live in at this point.
And it's like that's, that is why Stroud did it.
It was a job.
It was a career move.
Totally.
You go from a government salary to tax free in the UAE at half a million, you know, working
in a fancy villa, living in probably paid accommodations and housing.
Like, you know, sounds pretty sweet.
For sure.
If that's what you're into.
It's a pretty sick deal.
And it invites all these really fascinating questions.
about whistleblowing as a general concept.
Like whether Stroud saw something wrong or whether she saw something that was going to get her in trouble is a very interesting question.
And the probable answer is that it's a bit of both.
Like that maybe after being the person to let Snowden into the NSA, a guy who would go on to have a crisis of faith and do something drastic, like the optimistic version is like maybe she did find herself in a similar situation.
Maybe she saw that in herself.
and seeing that one person blow a whistle
making you want to do the same thing.
And maybe that's the whole point of it.
I don't know.
It's interesting.
So now that you know what's in that black folder,
you get pulled in that room,
do you show up for work the next day?
I don't know.
Tough, tough one.
Thanks for listening, everybody.
But a special thanks.
And I do mean this,
because if you made it,
If you made it this far and you're a new Patreon patron, it's a very special thanks.
To Alexander Gendro, Jacob Boy Hanson, Brian Martin, Laurent shootback, and Jay Freak.
You're all freaky in my books.
You're our new Patreon patrons, and your support means a lot.
That might be the most new patrons in one month ever.
I'm just saying, get on board.
It's movement.
Thank you so much.
It's the best way to support the show.
Patreon.com slash hacked podcast. Thank you so much for listening. If you're interested in this story,
the Reuters piece by Christopher Bing and Joel Schectman on which it is based is,
and I mean this, some of the coolest journalism I've read in a very long time. I highly recommend
it. Thank you again for listening. We'll catch you on the next one.
