Project Raven
Project Raven was a confidential initiative to help the UAE surveil other governments, militants, and human rights activists. Its team included former U.S. intelligence agents, who applied their training to hack phones and computers belonging to Project Raven's victims. The operation was based in a converted mansion in a suburb of Abu Dhabi in Khalifa City nicknamed "the Villa."
The project originated in 2008 as the Development Research Exploitation and Analysis Department (DREAD), developed by Richard A. Clarke through his security advisory group Good Harbor Consulting, as an arm of UAE royal Mohamed bin Zayed Al Nahyan's court.[15] By the end of 2010, Good Harbor had stepped back from DREAD, ceding control to Karl Gumtow, the co-founder and CEO of CyberPoint.[15][16]
From around 2014 to 2016, CyberPoint supplied U.S.-trained contractors to Project Raven. In 2016, news reports emerged that CyberPoint had contracted with the Italian spyware company Hacking Team, which damaged CyberPoint's reputation as a defensive cybersecurity firm. Reportedly dissatisfied with relying upon a U.S.-based contractor, the UAE replaced CyberPoint with DarkMatter as its contractor, and DarkMatter induced several CyberPoint staff to move to DarkMatter. After this, Project Raven reportedly expanded its surveillance to include the targeting of Americans, potentially implicating its American staff in unlawful behaviour.[17][18]
Following a 24 October 2016 The Intercept article revealing DarkMatter surveillance for UAE, Samer Khalife, the chief financial officer for DarkMatter, transferred some United States citizens from DarkMatter to a new company Connection Systems and tiger teams were established by DarkMatter to counter the allegations contained in The Intercept article.[19]
On 1 February 2019, Ars Technica published comments from a former employee of DarkMatter, Daniel Wolford. He stated, "We did not hack Americans...Our mission was simple: advise and assist UAE to create a national cyber security program similar to NTOC (NSA/CSS Threat Operations Center)." The work done creating a "target list," Wolford said, was part of a training operation "to teach the Emiratis about lawful targeting and collection," he asserted. "We tried to show them who is and isn't a threat to their national security."[20]
On 9 December 2021, Loujain al-Hathloul filed a lawsuit in a US district court in Oregon against three former US intelligence and military officers, who carried out hacking operations on behalf of the UAE. According to the lawsuit, the three men — Marc Baier, Ryan Adams, and Daniel Gericke — worked for DarkMatter and assisted the Emirati security officials to exfiltrate data from her iPhone. The hacking had led to al-Hathloul's arrest from the UAE and rendition to Saudi Arabia, where she was detained, imprisoned and tortured.[21]
On 22 December 2019, a very popular messaging app named ToTok was deemed to be a secret mass surveillance tool, developed by the UAE, used to gather private information from users' phones. As a result, the app was pulled from Google and Apple's app stores.[22][23]
In December 2021, U.S. lawmakers urged the Treasury and State Departments to sanction DarkMatter, NSO Group, Nexa Technologies, and Trovicor. The letter signed by the Senate Finance Committee Chairman Ron Wyden, House Intelligence Committee Chairman Adam Schiff, and 16 other lawmakers, asked for Global Magnitsky sanctions, as the companies were accused of enabling human rights abuses. The letter demanded that high-ranking executives at DarkMatter, along with the three other firms, be sanctioned.[24]
On 26 August 2022, the three former U.S. intelligence operatives who helped the UAE spy on human rights activists, journalists, and governments were barred from arms export activities under a deal announced by the State Department. The operatives, Baier, Adams, and Gericke, admitted their involvement in Project Raven on 15 September 2022, resulting in them relinquishing their security clearance and paying $1.68 million in exchange for their criminal charges being dropped.[25] The three were prohibited for three years from participating directly or indirectly in any activities subject to the International Traffic in Arms Regulations (ITAR).[26] Gericke subsequently served as Chief Technology Officer at ExpressVPN, a subsidiary of British-Israeli company Kape Technologies,[27] leading Edward Snowden to warn the company's customers.[28][29]
Karma spyware
In 2016, Project Raven bought a tool called Karma. Karma was able to remotely exploit Apple iPhones anywhere in the world, without requiring any interaction on the part of the iPhone's owner as long as a username was provided, such as Apple ID, Email address associated with the phone, or phone number. It apparently achieved this by exploiting a zero-day vulnerability in the device's iMessage app. Project Raven operatives were able to view passwords, emails, text messages, photos and location data from the compromised iPhones.
People whose mobile phones have been deliberately compromised using Karma reportedly include:
Around mid-2017, Apple patched some of the security vulnerabilities exploited by Karma, unknowingly reducing the tool's effectiveness.
- The Emir of Qatar, Sheikh Tamim bin Hamad Al Thani, nicknamed "Crybaby", Hamad bin Khalifa Al Thani, nicknamed "AngryFather", plus his brother and several other close associates.
- Nadia Mansoor, wife of imprisoned UAE human rights activist Ahmed Mansoor. (Nadia was nicknamed "Purple Egret" by Project Raven; Ahmed was nicknamed "Egret".)
- British journalist Rori Donaghy. (Donaghy was nicknamed "Gyro" by Project Raven.)
- Prime Minister of Lebanon Saad Hariri (UAE associated him with supporting Hezbollah.)
Karma spyware
In 2016, Project Raven bought a tool called Karma. Karma was able to remotely exploit Apple iPhones anywhere in the world, without requiring any interaction on the part of the iPhone's owner as long as a username was provided, such as Apple ID, Email address associated with the phone, or phone number. It apparently achieved this by exploiting a zero-day vulnerability in the device's iMessage app. Project Raven operatives were able to view passwords, emails, text messages, photos and location data from the compromised iPhones.
People whose mobile phones have been deliberately compromised using Karma reportedly include:
Around mid-2017, Apple patched some of the security vulnerabilities exploited by Karma, unknowingly reducing the tool's effectiveness.
- The Emir of Qatar, Sheikh Tamim bin Hamad Al Thani, nicknamed "Crybaby", Hamad bin Khalifa Al Thani, nicknamed "AngryFather", plus his brother and several other close associates.
- Nadia Mansoor, wife of imprisoned UAE human rights activist Ahmed Mansoor. (Nadia was nicknamed "Purple Egret" by Project Raven; Ahmed was nicknamed "Egret".)
- British journalist Rori Donaghy. (Donaghy was nicknamed "Gyro" by Project Raven.)
- Prime Minister of Lebanon Saad Hariri (UAE associated him with supporting Hezbollah.)[30]
Certificate authority controversy
In 2016, two DarkMatter whistleblowers and multiple other security researchers expressed concerns that DarkMatter intended to become a certificate authority (CA). This would give it the technical capability to create fraudulent certificates, which would allow fraudulent websites or software updates to convincingly masquerade as legitimate ones. Such capabilities, if misused, would allow DarkMatter to more easily deploy rootkits to targets' devices, and to decrypt HTTPS communications of Firefox users via man-in-the-middle attacks.
On 28 December 2017, DarkMatter requested that Mozilla include it as a trusted CA in the Firefox web browser. For more than a year, Mozilla's reviewers addressed concerns about DarkMatter's technical practices, eventually questioning on that basis whether DarkMatter met the baseline requirements for inclusion.
On 30 January 2019, Reuters published investigations describing DarkMatter's Project Raven. Mozilla's reviewers noted the investigation's findings. Subsequently, the Electronic Frontier Foundation (EFF) and others asked Mozilla to deny DarkMatter's request, on the basis that the investigation showed DarkMatter to be untrustworthy and therefore liable to misuse its capabilities. On 5 July 2019, after Mozilla's public consultation it was decided to not allow DarkMatter to become a trusted CA in Firefox.[32]
In July 2019, Mozilla