By Christopher Bing & Joel Schectman
Ex-NSA operatives reveal how they helped spy on targets for the Arab monarchy — dissidents, rival leaders and journalists.
PART TWO
WHAT WASHINGTON KNEW
Former Raven operatives believed they were on the right side of the law because, they said, supervisors told them the mission was blessed by the U.S. government.
Although the NSA wasn’t involved in day-to-day operations, the agency approved of and was regularly briefed on Raven’s activities, they said Baier told them.
CyberPoint founder Gumtow said his company was not involved in hacking operations.
“We were not doing offensive operations. Period,” Gumtow said in a phone interview. “If someone was doing something rogue, then that’s painful for me to think they would do that under our banner.”
Instead, he said, the company trained Emiratis to defend themselves through a program with the country’s Ministry of Interior.
A review of internal Raven documents shows Gumtow’s description of the program as advising the Interior Ministry on cyber defense matches an “unclassified cover story” Raven operatives were instructed to give when asked about the project. Raven employees were told to say they worked for the Information Technology and Interoperability Office, the program document said.
Providing sensitive defense technologies or services to a foreign government generally requires special licenses from the U.S. State and Commerce Departments. Both agencies declined to comment on whether they issued such licenses to CyberPoint for its operations in the UAE. They added that human rights considerations figure into any such approvals.
But a 2014 State Department agreement with CyberPoint showed Washington understood the contractors were helping launch cyber surveillance operations for the UAE. The approval document explains CyberPoint’s contract is to work alongside NESA in the “protection of UAE sovereignty” through “collection of information from communications systems inside and outside the UAE” and “surveillance analysis.”
One section of the State Department approval states CyberPoint must receive specific approval from the NSA before giving any presentations pertaining to “computer network exploitation or attack.” Reuters identified dozens of such presentations Raven gave to NESA describing attacks against Donaghy, Mansoor and others. It’s unclear whether the NSA approved Raven’s operations against specific targets.
The agreement clearly forbade CyberPoint employees from targeting American citizens or companies. As part of the agreement, CyberPoint promised that its own staff and even Emirati personnel supporting the program “will not be used to Exploit U.S. Persons, (i.e. U.S. citizens, permanent resident aliens, or U.S. companies.)” Sharing classified U.S. information, controlled military technology, or the intelligence collection methods of U.S. agencies was also prohibited.
Gumtow declined to discuss the specifics of the agreement. “To the best of my ability and to the best of my knowledge, we did everything as requested when it came to U.S. rules and regulations,” he said. “And we provided a mechanism for people to come to me if they thought that something that was done was wrong.”
An NSA spokesman declined to comment on Project Raven.
A State Department spokesman declined to comment on the agreement but said such licenses do not authorize people to engage in human rights abuses.
By late 2015, some Raven operatives said their missions became more audacious.
For instance, instead of being asked to hack into individual users of an Islamist Internet forum, as before, the American contractors were called on to create computer viruses that would infect every person visiting a flagged site. Such wholesale collection efforts risked sweeping in the communications of American citizens, stepping over a line the operators knew well from their NSA days.
U.S. law generally forbids the NSA, CIA and other U.S. intelligence agencies from monitoring U.S. citizens.
Working together with managers, Stroud helped create a policy for what to do when Raven swept up personal data belonging to Americans. The former NSA employees were instructed to mark that material for deletion. Other Raven operatives would also be notified so the American victims could be removed from future collection.
As time went on, Stroud noticed American data flagged for removal show up again and again in Raven’s NESA-controlled data stores.
Still, she found the work exhilarating. “It was incredible because there weren’t these limitations like there was at the NSA. There wasn’t that bullshit red tape,” she said. “I feel like we did a lot of good work on counterterrorism.”
DARKMATTER AND DEPARTURES
When Raven was created in 2009, Abu Dhabi had little cyber expertise. The original idea was for Americans to develop and run the program for five to 10 years until Emirati intelligence officers were skilled enough to take over, documents show. By 2013, the American contingent at Raven numbered between a dozen and 20 members at any time, accounting for the majority of the staff.
In late 2015, the power dynamic at the Villa shifted as the UAE grew more uncomfortable with a core national security program being controlled by foreigners, former staff said. Emirati defense officials told Gumtow they wanted Project Raven to be run through a domestic company, named DarkMatter.
Raven’s American creators were given two options: Join DarkMatter or go home.
At least eight operatives left Raven during this transition period. Some said they left after feeling unsettled about the vague explanations Raven managers provided when pressed on potential surveillance against other Americans.
DarkMatter was founded in 2014 by Faisal Al Bannai, who also created Axiom, one of the largest sellers of mobile devices in the region. DarkMatter markets itself as an innovative developer of defensive cyber technology. A 2016 Intercept article reported the company assisted UAE’s security forces in surveillance efforts and was attempting to recruit foreign cyber experts.
The Emirati company of more than 650 employees publicly acknowledges its close business relationship to the UAE government, but denies involvement in state-backed hacking efforts. Project Raven’s true purpose was kept secret from most executives at DarkMatter, former operatives said.
DarkMatter did not respond to requests for comment. Al Bannai and the company’s current chief executive, Karim Sabbagh, did not respond to interview requests. A spokeswoman for the UAE Ministry of Foreign Affairs declined to comment.
Under DarkMatter, Project Raven continued to operate in Abu Dhabi from the Villa, but pressure escalated for the program to become more aggressive.
Before long, senior NESA officers were given more control over daily functions, former Raven operatives said, often leaving American managers out of the loop. By mid-2016, the Emirates had begun making an increasing number of sections of Raven hidden from the Americans still managing day-to-day operations. Soon, an “Emirate-eyes only” designation appeared for some hacking targets.
FBI QUESTIONS
By 2016, FBI agents began approaching DarkMatter employees reentering the United States to ask about Project Raven, three former operatives said.
The FBI wanted to know: Had they been asked to spy on Americans? Did classified information on U.S. intelligence collection techniques and technologies end up in the hands of the Emiratis?
Two agents approached Stroud in 2016 at Virginia’s Dulles airport as she was returning to the UAE after a trip home. Stroud, afraid she might be under surveillance by the UAE herself, said she brushed off the FBI investigators. “I’m not telling you guys jack,” she recounted.
Stroud had been promoted and given even more access to internal Raven databases the previous year. A lead analyst, her job was to probe the accounts of potential Raven targets and learn what vulnerabilities could be used to penetrate their email or messaging systems.
Targets were listed in various categories, by country. Yemeni targets were in the “brown category,” for example. Iran was gray.
One morning in spring 2017, after she finished her own list of targets, Stroud said she began working on a backlog of other assignments intended for a NESA officer. She noticed that a passport page of an American was in the system. When Stroud emailed supervisors to complain, she was told the data had been collected by mistake and would be deleted, according to an email reviewed by Reuters.
Concerned, Stroud began searching a targeting request list usually limited to Raven’s Emirati staff, which she was still able to access because of her role as lead analyst. She saw that security forces had sought surveillance against two other Americans.
When she questioned the apparent targeting of Americans, she received a rebuke from an Emirati colleague for accessing the targeting list, the emails show. The target requests she viewed were to be processed by “certain people. You are not one of them,” the Emirati officer wrote.
Days later, Stroud said she came upon three more American names on the hidden targeting queue.
Those names were in a category she hadn’t seen before: the “white category” — for Americans. This time, she said, the occupations were listed: journalist.
“I was sick to my stomach,” she said. “It kind of hit me at that macro level realizing there was a whole category for U.S. persons on this program.”
Once more, she said she turned to manager Baier. He attempted to downplay the concern and asked her to drop the issue, she said. But he also indicated that any targeting of Americans was supposed to be done by Raven’s Emirate staff, said Stroud and two other people familiar with the discussion.
Stroud’s account of the incidents was confirmed by four other former employees and emails reviewed by Reuters.
When Stroud kept raising questions, she said, she was put on leave by superiors, her phones and passport were taken, and she was escorted from the building. Stroud said it all happened so quickly she was unable to recall the names of the three U.S. journalists or other Americans she came across in the files. “I felt like one of those national security targets,” she said. “I’m stuck in the country, I’m being surveilled, I can’t leave.”
After two months, Stroud was allowed to return to America. Soon after, she fished out the business card of the FBI agents who had confronted her at the airport.
“I don’t think Americans should be doing this to other Americans,” she told Reuters. “I’m a spy, I get that. I’m an intelligence officer, but I’m not a bad one.”
***
Christopher Bing – Reuters investigative reporter
Joel Schectman – Reuters investigative reporter
________________________
