ToTok, Part 3: Becoming a Spyware Superpower

The fact that ToTok came out of the United Arab Emirates is no surprise: in recent years, the UAE has deployed some of the most sophisticated mobile device exploits ever seen. But they got a lot of help from one country in particular... today’s episode is about the UAE. But it’s really about the Americans.

Hosted By

Ran Levi

Born in Israel in 1975, Ran studied Electrical Engineering at the Technion Institute of Technology, and worked as an electronics engineer and programmer for several High Tech companies in Israel.
In 2007, created the popular Israeli podcast, Making History, with over 14 million downloads as of Oct. 2019.
Author of 3 books (all in Hebrew): Perpetuum Mobile: About the history of Perpetual Motion Machines; The Little University of Science: A book about all of Science (well, the important bits, anyway) in bite-sized chunks; Battle of Minds: About the history of computer malware.

Special Guest

Christopher Bing

Cyber-security reporter with Reuters

Journalist with Reuters. I report on how cyber-security impacts national security, policy, business and foreign affairs.

ToTok, Part 3: Becoming a Spyware Superpower

Two episodes ago, Patrick Wardle of Jamf described ToTok–one of the most clever hacks ever designed. Last episode, Bill Marczak from Citizen Lab identified some of the powerful people behind that app.

The fact that ToTok came out of the United Arab Emirates is no surprise. In recent years, the UAE has deployed some of the most sophisticated mobile device exploits ever seen. They’ve emerged as one of the world’s leading superpowers in mobile hacking, and not by accident. They got a lot of help from one country in particular.

Today’s episode–the third and final iteration in this mini-series we’re doing–is about the UAE. But it’s really about the Americans.

LORI STROUD

“[Chrisr Bing] My name is Chris Bing. I’m a cybersecurity reporter with Reuters in Washington DC and I cover a nation state hacking.”

Last year Chris Bing, in collaboration with his investigative partner, Joel Schectman, published a story that rewrote the narrative on international government surveillance. Together, they interviewed more than a dozen former U.S. intelligence operatives who all shared one dirty secret. Only one of those former operatives agreed to be identified for the story. Her name is Lori Stroud, and she’s one of the more interesting characters you’ll ever find in cybersecurity. She’s middle-aged, with blonde hair and very dark brown eyes.

“[Chrisr Bing] Lori worked at the NSA. She originally joined the military out of college. And after a number of years at NSA Hawaii became a Booz Allen contractor.”

Booz Allen Hamilton is a consulting firm (whatever that means) whose business is nearly 100 percent comprised of government intelligence contracts. If you know about the military-industrial complex, you can think of Booz Allen as being part of a kind of military-intelligence complex. They are an extension of the CIA, NSA and so on.

Lori Stroud was one of their talented cyber experts, who just happened to make one very ill-informed decision. Through little fault of her own! Everything was fine, or so it seemed–she had a comfortable job based out of Hawaii, which isn’t such a bad place to have to live. But early in 2013, she made a hiring recommendation to her superiors. The candidate in question was a Dell technician, who’d already been working in the building for some time. He was a young guy, thin, pretty pale, glasses, very well-spoken and cool in demeanor. You might have heard of him, actually…

“[Chrisr Bing] she was part of the team at NSA Hawaii that employed Edward Snowden directly before the Snowden leaks and its known disclosures.”

Booz and the NSA approved Snowden to join Lori’s team. Two months later, he fled the country. Which left Lori in the awkward position of, you know, being vilified by her entire community.

“[Chrisr Bing] Snowden being part of her team and her being involved in his hiring at NSA Hawaii ultimately caused many of her colleagues to be fired or simply pushed out or reassigned from NSA Hawaii.”

So what do you do now, if you’re Lori Stroud? Down and out, because of a terrible decision nobody on Earth could have predicted. No longer welcome in the world you’ve dedicated your career to. You could, I don’t know, open a bakery or something.

But Lori wouldn’t have to learn how to make banana bread, in the end. Just as she hit rock bottom, opportunity struck.

MARC BAIER/RECRUITMENT

“[Chrisr Bing] She had spoken to a colleague of hers [. . .] and he described this kind of exciting new career path that she could take that had paid very well that will allow her to directly transfer her skills from the NSA.”

At a time when nobody else was interested, Marc Baier, a widely respected network operations expert, was reaching out to personally recruit her. Some of the job’s specifics were fuzzy, but he was charismatic, trusted, and sported an impressive resume. He’d formerly worked for the NSA’s elite Tailored Access Operations team, also known as Equation Group.

“[Chrisr Bing] It’s a certain level of comfort and trustworthiness that you get when you’re offered a job somewhere and you know someone that’s already working in that environment. It just gives you maybe that little extra that’s going to push you over the line and say yes, I will be taking this job although maybe I don’t have all the details for what it’s going to directly involve.”

In the high-stakes, secretive world of government cyber ops, it’s quite common to have sensitive information withheld until you’re actually hired. After all, governments can’t just give away what they’re doing to any candidate who walks in the door.

So Lori only had a general outline of what she was in for. But even that seemed almost too good to believe. The job involved counterterrorism–fighting ISIS, for example. Her role would be largely similar to what she had with Booz Allen. The pay would be tantalizing. Over 200,000 dollars a year in starting salary, plus housing and other stipends. Lastly, while not quite Hawaii, she’d be relocated to the equally exciting, equally sunny city of Abu Dhabi.

Lori wasn’t the only person of her kind to be approached by Marc Baier at that time. Baier officially represented CyberPoint, an intelligence contractor founded in Baltimore which did much of its business in the UAE specifically.

“[Chrisr Bing] And it was his relationships and his kind of charisma with former colleagues at the NSA that ultimately benefited the UAE and allowed so many former NSA employees to want to move over there and do that work.”

Marc Baier facilitated the transition of dozens of CIA and NSA agents to work for the Emiratis he represented. Together, they became the elite cyber ops team called DREAD, or the Development Research Exploitation Analysis Department. They were also referred to as “Project Raven.”

Lori moved to Abu Dhabi and walked in for her first day of work in May 2014. Project Raven’s offices were located in a converted mansion–not half-bad, especially when you’re used to the rather drab architecture of U.S. government buildings.

“[Chrisr Bing]  The Villa was more or less the headquarters for Project Raven. It was a mansion in a district near a number of government buildings in Abu Dhabi where all the equipment, the system, the computers, the actual internet infrastructure was set up to launch hacking operations for Project Raven. It was designed in a way it’s kind of stealthy. It wouldn’t be how they got the agency that’s separate from any of the government buildings. And just from the outside, it looks like a large mansion in a residential area. But it was designed and engineered entirely for different components of the team to run the hacking operations.

So for example, in one room they ran the collection operations and another was data filtering and siphoning where they would take, collect, analyze, and break down the stolen data they are taking from this hacking operations and then it was funneled back in kind of circular intelligence gathering fashion going back to the client and then them requesting new targets, new areas of data to steal.”

BRIEFINGS

Upon arrival, each new Raven recruit is given the rundown on what Project Raven is all about.

“[Chrisr Bing] They were told “Your mission is going to be a purely cyber defense mission helping the UAE defend its systems from foreign hacking attacks.””

The briefing stated that, quote:

“Personnel will assist with the development of defensive measures within the cyber security discipline. These measures may include the development and deployment of firewalls, intrusion detection systems and other defensive measures and techniques as deemed appropriate.”

So that sounds simple enough, right? Cyber defense operations for the UAE government.

“[Chrisr Bing] A smaller segment on the total contractor includes right there for CyberPoint receive a second briefing, the Black briefing. And in that briefing they were told to disregard the first briefing.”

Just after being told about the project, and what her job was going to be, Lori was informed that everything she was just told was a lie. She was then given a second briefing.

“[Chrisr Bing] And in that briefing they were told to disregard the first briefing. And this, in fact, is a offensive cyber operation in which you will be helping collect intelligence, target individuals, and working directly with intelligence agencies in these countries.”

Let’s pause for a moment here.  Listeners: go ahead and disregard everything I’ve been going on about for the past fifteen minutes. In today’s episode of Malicious Life, we’re going to be talking about toenails.

To kick off our discussion today, I’m sitting in the studio today with toenail expert Nate Nelson…

“[Nate] Hey Ran, happy to be here. You know, the thing I always tell people is that toenails really aren’t as complicated as you think. You can think of them, in a sense, as the fingernails of the foot. The history of toenails dates all the way back to…”

Okay, okay, you get the idea.  If you listened to fifteen minutes of a podcast, then all of a sudden I completely changed what I was saying, it would be weird! And suspicious! Why would I do that?

New Project Raven employees were given two, diametrically opposed job briefings on their first day at work. The first, called the “Purple briefing,” described a purely defensive operation. The second, called the “Black briefing,” read, in part, quote:

“Project DREAD is, in fact, more extensive than briefed in the Purple Briefing ….[DREAD] will be the offensive, operational division of NESA, and will never be acknowledged to the general public. DREAD focuses on the targeting and electronic exploitation of information derived from intelligence related cyber activities.”

The reason that they segmented it in this way was that not all of the workforce in the UAE fromthis contractor was supposed to know about the second mission and it allows for the members of Project Raven to have a cover and a level of deniability

In other words, if anybody outside Project Raven asks about Project Raven, you give them the Purple briefing. Otherwise, disregard it.

This double briefing might be jarring to most people, but Lori and her colleagues were NSA-trained.

“[Chrisr Bing] I think it was – there is this feeling of familiarity in the culture and the people they were working with. In many cases, they had worked with those people previously at the NSA or in another government agency.

And that allowed them to feel like everything was normal that even though they were working for a foreign spy agency that it was all above board because it was [A] important ally of the US in the Middle East. They were helping in some way on the counterterrorism efforts that the Americans were in – that that the US government was interested in.”

MORAL DILEMMA

The nature of Lori’s work wasn’t so different in the UAE as it was in the U.S. And she would be using her skills to target terrorists, like Islamic State militants. Project Raven’s managers often emphasized–to employees and outsiders alike–how they were targeting terrorist groups like ISIS. In reality, targeting terrorists allowed them to create an air of legitimacy behind which they covertly targeted human rights activists, political dissidents, journalists and world leaders from the UAE and around the world. Anybody seen as an enemy to the state was fair game.

“[Chrisr Bing] And so, you know Project Raven while it had multiple dimensions and responsibilities including counterterrorism, the campaign against ISIS, it did not differentiate in terms of the effort of surveillance against a terrorist figure and a prominent critic or a foreign leader that was seen as rival to the Abu Dhabi government.”

Speaking with Christopher Bing, Lori recounted some of her moments of doubt. “Some days it was hard to swallow,” she said, “like [when you target] a 16-year-old kid on Twitter. But it’s an intelligence mission, you are an intelligence operative. I never made it personal.”

“[Chrisr Bing]  What I came away with from the conversation that Lori as well as the dozens of other sources that we spoke with, [. . .] they were able to kind of segment their feelings on these types of target saying that it was more or less familiar to the job they had done at the NSA or at the CIA. But sometimes, the purpose or the really important target is not entirely clear but you do the job, it’s an intelligence job where sometimes you’re not going to have all the answers and you just need to kind of get past that first feeling of apprehension or guilt.”

If American staff had any reservations about targeting innocents, such feelings were quickly put aside. Lori began to believe in the work she was doing. She was excited about her job. In 2016, for example, Raven bought a highly valuable iMessage exploit which allowed them to build the “Karma” malware. Karma became, essentially, the world’s most effective mobile malware–able to hack any iPhone on the planet simply by sending a text, with no action required from the victim.

Speaking to Chris and Joel, Lori recalled buying that exploit with fondness. “It was like Christmas,” she said.

DARKMATTER TAKEOVER

In 2015, control over Project Raven was transferred from CyberPoint to a local Emirati company called DarkMatter. You can think of DarkMatter as an Emirati equivalent to Booz Allen Hamilton.

Some of the Americans weren’t so happy with the group’s new direction. Their Emirati managers were becoming more aggressive, and more secretive. Americans were being left out of certain conversations and meetings. In their target database, certain targets were labeled “Emirate-eyes only.” When American staff began asking questions, they were given vague explanations. At least eight quit. Lori did not.

In fact, things were going well for her. She got a promotion. As “lead analyst,” she was responsible for probing the potential vulnerabilities in possible new targets’ email and messaging systems.

Meanwhile, word got back to the States that Raven might be targeting Americans. On a trip home in 2016, at Virginia Dulles airport, Lori was approached by two FBI agents. They wanted to know if Raven was targeting Americans, and using classified American cyber techniques. She refused to answer any questions.

LORI’S DISCOVERY

Things started to change one morning in Spring 2017 when, after finishing up her work for the day, Lori began working on a backlog of assignments belonging to one of her Emirati colleagues. Included in her colleague’s database was an American passport. She complained to her superiors. They said it was collected by mistake, and would be deleted from the database.

But, perhaps with that FBI visit in the back of her mind, her interest was now piqued. As lead analyst, she had the credentials to probe other databases otherwise reserved for “Emirate-eyes only.” She found two American targets. A couple days later, three more. All journalists.

“[Chrisr Bing] This was something that she thought unacceptable. It was something that if seen at the NSA would be immediately reported and some sort of administrative or disciplinary action will be taken to curb that.”

Lori turned to the only person left whom she could trust: Marc Baier, the charismatic NSA operative who recruited her. She told him about the Americans in the database. He asked her to forget about it.

She didn’t. So she was fired and escorted from the Villa, with her phone and passport confiscated. Lori was now unable to leave the country, and almost certainly under surveillance. A prisoner of the very machine she’d helped create.

AMERICAN IMPACT

Today’s story took place in the United Arab Emirates but, as I said, it’s really about the United States.

Respected American officials worked for, with, or overtly or tacitly signed off on Project Raven and its actions. Americans were drawn to the UAE on promises from people like Marc Baier, who assured that the NSA was being regularly briefed on Raven projects. It’s unclear what exactly the NSA knew, but a State Department contract with CyberPoint from 2014 states that Raven would be used in, quote, “surveillance analysis,” and “collection of information from communications systems inside and outside the UAE.” The goal was, quote, “protection of UAE sovereignty.” This language leaves a lot of room for interpretation, doesn’t it?

This is the very nature of modern, state-level cyberintel. It’s why NSA employees were so easily convinced to work for a country notorious for spying on ordinary citizens. They already were working for a country notorious for spying on ordinary citizens! The PRISM documents that revealed years of unwarranted NSA spying on innocent Americans were leaked from the same computers that Lori Stroud used to write emails and play Tetris.

“[Chrisr Bing] I mean all these people came out of these agencies and it’s not like they were out of the government for a very long time, often, they transfer directly from NSA or CIA to Project Raven carrying on the same mentality, thought process, techniques, thinking in general. And in that way, I think it was valuable to get revealed not just the individual process that they went through in collecting targets but revealed something about their former employers and the way that that work is done here in the US.”

TARGETS

“[Nate] So what in the worst cases has resulted from UAE cyber spying?

“[Chrisr Bing] Yeah. So there were a few cases that we came across that were particularly disturbing. [. . .] Another case that’s a little disturbing was the targeting of a Saudi Women’s Right activist who was put under surveillance using the Karma tool that we talked about earlier following a protest where she was trying to promote women’s rights around driving in Saudi Arabia. Driving between the border of the UAE and Saudi Arabia, she was put under surveillance. She too is in jail right now, have her subject to torture and there is no record of her being involved in any violent conduct advocating for violence or posing a serious security threat.”

Notable Raven targets include powerful Middle Eastern politicians like the Deputy Prime Minister of Turkey, Oman’s Head of Foreign Affairs, and an Emir of Qatar. Rori Donaghy, a British journalist, ended up on the list because of an opinion piece he wrote for The Guardian when he was 25 years old. In it, he criticized the UAE government’s human rights record.

In 2016, while Lori Stroud was a lead analyst for Project Raven, the group targeted a prominent Emirati human rights activist named Ahmed Mansoor. Mansoor was a high-value target–a thorn in the side of his government, after spending years speaking out against them online.

“[Chrisr Bing] Mr. Mansoor as we understand it has never posed a serious security threat or advocated for violence against anyone including the UAE government.”

Mansoor was so important to Project Raven that they gave him a special nickname, “Egret.” In their pursuit of him, they managed to hack the mobile phone of the individual referred to as “Purple Egret,” Mansoor’s wife.

“[Chrisr Bing] And you know, it’s really an unfortunate case because with our reporting, we drew a direct line between American expertise, techniques, tactics, and procedures taught by the NSA which were used by the Americans transferred to the UAE and then used to surveil Mr. Mansoor and eventually put him in jail.”

Mansoor was arrested and jailed in March, 2017. In March, 2018, he was sentenced to ten years in prison, where he remains today. He has been kept in solitary confinement, and tortured.

Two months after being fired, Lori was allowed to return to the United States. Just as quickly, she called those FBI agents who’d stopped her at the airport one year prior. Later, of course, she would recount her story to Reuters.

Today, she’s made for a suitable villain to our story. But I’d like to add a caveat before we end here. Lori was just one member of a larger machine. And, unlike the rest of her colleagues, she was willing to put her face and name on record.

“[Chrisr Bing] We reached out to dozens nearly 100 or if not more than 100 people to talk about this activity in the UAE. And many of them had similar feelings to Lori. The mission went off the rails, that it fell into areas they’re not comfortable with. But you know a large majority just want Lori to speak about it. They just weren’t willing to put their name to it or even speak in general because they felt like they had too much to lose either financially or in terms of their career path.

And so Lori Stroud does faced the risk. She took on some risks by speaking to us, but I think what she did was important. And as a result of Lori coming forward, there has been legislation in Congress, there has been attention from Washington at the highest levels on that story. And hopefully, in some way as a result of legislation and initiatives in Washington, this activity won’t happen that leads the way in the future.”

Today, Lori Stroud has to live in an undisclosed location.

The UAE government, armed with the tactics, tools, and talent that she provided them, is stronger and more repressive than ever.