WEBVTT

00:00:00.399 --> 00:00:02.570
JACK: What’s a mercenary?

00:00:02.570 --> 00:00:05.470
Let me look this up; okay, there are two main definitions.

00:00:05.470 --> 00:00:10.570
One is a soldier hired to do work for another army and the second is a person who works

00:00:10.570 --> 00:00:13.110
purely because of monetary gains.

00:00:13.110 --> 00:00:17.470
I’m gonna guess that they don’t have allegiance other than whoever is paying them.

00:00:17.470 --> 00:00:21.610
They’re hirelings; they get paid to do a job and to get it done and they’re not supposed

00:00:21.610 --> 00:00:22.670
to ask why.

00:00:22.670 --> 00:00:26.820
But mercenaries are people and people are complex.

00:00:26.820 --> 00:00:31.340
They’re filled with emotions and they actually do have allegiance even if they’re paid

00:00:31.340 --> 00:00:33.490
to forget about that.

00:00:33.490 --> 00:00:39.190
If you pay a mercenary to do something that goes over their moral line they’ve got internally,

00:00:39.190 --> 00:00:43.149
conflict happens and everything falls apart.

00:00:43.149 --> 00:00:51.559
JACK (INTRO): [INTRO MUSIC] These are true stories from the dark side of the internet.

00:00:51.559 --> 00:00:56.790
I’m Jack Rhysider.

00:00:56.790 --> 00:00:59.250
This is Darknet Diaries.

00:00:59.250 --> 00:01:03.210
[INTRO MUSIC ENDS]

00:01:03.210 --> 00:01:08.479
JACK: Let’s get started.

00:01:08.479 --> 00:01:13.750
Ready?
DAVID: Yes, sir.

00:01:13.750 --> 00:01:21.150
JACK: Let’s start with your name, or what do you want to be called on this show, and

00:01:21.150 --> 00:01:22.150
what do you do?

00:01:22.150 --> 00:01:29.409
DAVID: Yeah, my name’s David and I am a type of offensive intelligence analyst.

00:01:29.409 --> 00:01:32.990
I track foreign intelligence hacking in the United States.

00:01:32.990 --> 00:01:34.490
That’s what I do now.

00:01:34.490 --> 00:01:37.790
JACK: Oh my gosh, I have like, twenty questions already just from saying that.

00:01:37.790 --> 00:01:40.110
Did you say ‘offensive intelligence analyst?’

00:01:40.110 --> 00:01:41.740
DAVID: That’s correct.

00:01:41.740 --> 00:01:43.930
JACK: I’ve never heard of that.

00:01:43.930 --> 00:01:45.750
What does that mean?

00:01:45.750 --> 00:01:52.549
DAVID: If a foreign intelligence organization would gain access to any type of US-based

00:01:52.549 --> 00:01:57.180
critical infrastructure, that would be something that I would help investigate.

00:01:57.180 --> 00:01:59.830
JACK: This is gonna be a great episode.

00:01:59.830 --> 00:02:05.240
It’s very exciting to me because David is going to tell us a story that was a secret

00:02:05.240 --> 00:02:09.040
up until this year and still remains somewhat shrouded.

00:02:09.040 --> 00:02:11.670
So, let’s get into it.

00:02:11.670 --> 00:02:15.290
[MUSIC] Let’s start when he was a teenager.

00:02:15.290 --> 00:02:18.250
In high school, David really wasn’t into computers at all.

00:02:18.250 --> 00:02:19.510
DAVID: Well, I was a long-distance runner.

00:02:19.510 --> 00:02:25.459
I was involved in all different types of extra-curricular things; student government and stuff like

00:02:25.459 --> 00:02:26.459
that.

00:02:26.459 --> 00:02:28.310
JACK: After high school he went to college and got his degree.

00:02:28.310 --> 00:02:30.400
DAVID: It was actually in religion and philosophy.

00:02:30.400 --> 00:02:31.400
JACK: Interesting.

00:02:31.400 --> 00:02:35.590
Take note here; imagine all the morals and ethics one has to consider while majoring

00:02:35.590 --> 00:02:37.290
in religion and philosophy.

00:02:37.290 --> 00:02:45.099
DAVID: My goals at that point were to pursue a career alongside some of my other peers

00:02:45.099 --> 00:02:46.680
that I might be able to make a difference to.

00:02:46.680 --> 00:02:53.870
I did look into hey, how could I potentially join as a chaplain?

00:02:53.870 --> 00:02:58.520
Talking to other people in that same world, they’d say well, I’ve never even met my

00:02:58.520 --> 00:03:02.760
chaplain, or I’ve never had a real conversation with him, or I don’t know who they are.

00:03:02.760 --> 00:03:08.150
I realized if I really wanted to make any type of difference in people’s lives, it

00:03:08.150 --> 00:03:09.489
wasn’t gonna be as a chaplain.

00:03:09.489 --> 00:03:13.340
JACK: After getting his degree, David decides to join the military.

00:03:13.340 --> 00:03:16.220
Off to the Navy he goes.

00:03:16.220 --> 00:03:21.480
[MUSIC] He does his initial bootcamp, graduates from that fairly easily, and is a full-fledged

00:03:21.480 --> 00:03:22.480
Navy sailor.

00:03:22.480 --> 00:03:24.720
But David was hungry for more.

00:03:24.720 --> 00:03:31.110
DAVID: My initial school was in BUDS so I joined to sort of become – go through that

00:03:31.110 --> 00:03:33.290
Navy SEAL track and see how that went.

00:03:33.290 --> 00:03:37.280
JACK: Whoa, BUDS is Basic Underwater Demolition Training.

00:03:37.280 --> 00:03:40.780
It’s what you need to go through to become a Navy SEAL.

00:03:40.780 --> 00:03:45.569
This is the most rigorous, demanding, and crazy training there is in the Navy.

00:03:45.569 --> 00:03:49.510
This is what they call Hell Week and it’s much longer than a week.

00:03:49.510 --> 00:03:52.200
Those who make it through this become practically drown-proof.

00:03:52.200 --> 00:03:55.790
They become frogmen and most of all, they become weapons experts.

00:03:55.790 --> 00:04:03.720
DAVID: [MUSIC] When I talked to a Navy SEAL and his mindset was, the last time I was deployed,

00:04:03.720 --> 00:04:06.030
I got every type of kill other than a knife kill.

00:04:06.030 --> 00:04:07.970
He was bragging about that.

00:04:07.970 --> 00:04:10.150
He just really wanted to get a knife kill.

00:04:10.150 --> 00:04:14.170
That was like okay, you know what, I don’t want that to be me.

00:04:14.170 --> 00:04:20.720
I’m not saying that every Navy SEAL is like that but the potential if somebody can become

00:04:20.720 --> 00:04:24.030
like that, then there’s the potential that I could become like that.

00:04:24.030 --> 00:04:25.360
That was something that I wanted to avoid.

00:04:25.360 --> 00:04:30.669
That’s an important job and I have a lot of respect for Navy SEALs but I just had this

00:04:30.669 --> 00:04:34.440
fear that I really don’t want that to become me.

00:04:34.440 --> 00:04:38.500
JACK: That’s some intense training and you definitely need to do some soul-searching

00:04:38.500 --> 00:04:39.500
while there.

00:04:39.500 --> 00:04:43.509
You question yourself on whether you want this bad enough or if you’re fit enough

00:04:43.509 --> 00:04:44.509
to do it.

00:04:44.509 --> 00:04:48.479
You have to put mind over matter and push yourself beyond limits you think you can’t

00:04:48.479 --> 00:04:49.570
ever get over.

00:04:49.570 --> 00:04:53.940
If you’re gonna push yourself beyond your own limits, you better really want what you’re

00:04:53.940 --> 00:04:55.070
working for.

00:04:55.070 --> 00:04:58.720
David wasn’t sure if being a Navy SEAL was for him.

00:04:58.720 --> 00:05:02.850
He knew that Navy SEALs weren’t just a bunch of killers, but he started to question if

00:05:02.850 --> 00:05:05.100
he really wanted it bad enough.

00:05:05.100 --> 00:05:08.639
He rang the bell and quit BUDS, and looked for something else to do in the Navy.

00:05:08.639 --> 00:05:11.120
Still, he wasn’t interested in computers like, at all.

00:05:11.120 --> 00:05:14.360
The only thing he knew how to do was check Facebook and e-mails at that point.

00:05:14.360 --> 00:05:17.919
He’s fit, buff even, and understands religion and philosophy.

00:05:17.919 --> 00:05:23.430
He looked at his options and for some reason, computers and cyber-warfare caught his attention.

00:05:23.430 --> 00:05:26.400
He decided to sign up for that in the Navy.

00:05:26.400 --> 00:05:28.569
Immediately, he needed training, though.

00:05:28.569 --> 00:05:31.470
DAVID: Well, the training is pretty basic.

00:05:31.470 --> 00:05:36.140
Actually, when I say basic, I don’t mean basic.

00:05:36.140 --> 00:05:40.970
It’s the same type of training you would get everywhere else from a cyber-security

00:05:40.970 --> 00:05:46.970
perspective, but the pace is significantly faster.

00:05:46.970 --> 00:05:55.039
Instead of going through a twelve-week course to learn how to code, you do all of that in

00:05:55.039 --> 00:05:56.039
one week.

00:05:56.039 --> 00:05:57.800
You literally learn all of it in a single week.

00:05:57.800 --> 00:06:04.840
You’re set to learn everything from assembly language all the way up to coding languages

00:06:04.840 --> 00:06:08.889
and then how that’s interacting with different type of assembly languages and how coding

00:06:08.889 --> 00:06:13.290
– you understand the process, how it all sort of builds.

00:06:13.290 --> 00:06:16.870
You go all the way up to that spot and then you get back to the application layer, and

00:06:16.870 --> 00:06:21.250
then you move back down to the exploitation layer.

00:06:21.250 --> 00:06:29.479
The exploitation layer in that environment is not taught – buffer overflows and exploitation

00:06:29.479 --> 00:06:36.470
analysis is not taught until you get into more OJT or following courses for different

00:06:36.470 --> 00:06:37.470
shops.

00:06:37.470 --> 00:06:39.040
JACK: This amazes me.

00:06:39.040 --> 00:06:41.979
The Navy teaches people how to hack.

00:06:41.979 --> 00:06:47.270
I sort of know they do that, but it kind of boggles my mind every time I hear it.

00:06:47.270 --> 00:06:51.349
He got training and then started doing security analyst work for the Navy.

00:06:51.349 --> 00:06:55.670
DAVID: Yeah, I applied maybe three or four months before I realized – in that time

00:06:55.670 --> 00:07:00.319
period when I was learning how to be a certain type of cyber-security analyst or an exploitation

00:07:00.319 --> 00:07:05.039
analyst or in training, how to be a general IT person.

00:07:05.039 --> 00:07:14.880
I sort of enjoyed it and I realized that I’m in no way an expert at exploit development,

00:07:14.880 --> 00:07:21.680
but I didn’t understand the concepts and I don’t give up; it allows me to push through.

00:07:21.680 --> 00:07:28.630
[MUSIC] From that time period being at the shop, what I did next basically was purchased

00:07:28.630 --> 00:07:34.140
a Mac Pro server, for instance, installed ESXi on that, and started building stacks

00:07:34.140 --> 00:07:36.729
and learning hey, I’m learning this at work.

00:07:36.729 --> 00:07:41.040
I’m not gonna take the exact thing that I’m doing, the exact concept ‘cause we’re

00:07:41.040 --> 00:07:46.069
not really supposed to do that, but I can – similar layout, similar designs, and let

00:07:46.069 --> 00:07:49.540
me just replicate this at home so I can continue to learn how to do it.

00:07:49.540 --> 00:07:57.030
It might be let’s learn how to pivot through a machine or let’s learn how to exploit

00:07:57.030 --> 00:08:01.501
Active Directory trust relationships, so on and so forth.

00:08:01.501 --> 00:08:06.169
Being able to build those up and stuff like that allowed – it sort of grew my fascination

00:08:06.169 --> 00:08:07.940
with it.

00:08:07.940 --> 00:08:11.180
JACK: [MUSIC] This is an important quality about David.

00:08:11.180 --> 00:08:15.909
He didn’t just show up and do his work and go home; instead, he built a lab and practiced

00:08:15.909 --> 00:08:18.690
on his off-hours and got better and better.

00:08:18.690 --> 00:08:22.410
Anyone who really wants to excel in this kind of stuff has to have the mindset of always

00:08:22.410 --> 00:08:25.130
trying to learn and not just doing the minimum.

00:08:25.130 --> 00:08:29.789
With the Navy teaching him formally and him practicing in his home lab, he became pretty good at hacking.

00:08:29.789 --> 00:08:34.789
In fact, his specialty was not just getting in but then pivoting around, moving laterally,

00:08:34.789 --> 00:08:38.039
and finding what else is in that network.

00:08:38.039 --> 00:08:42.539
After about four months of doing that, he moved over to the NSA.

00:08:42.539 --> 00:08:48.460
[MUSIC] Because David was an exploit analyst in the Navy, the NSA came and said hey, why

00:08:48.460 --> 00:08:51.250
don’t you come work for us, and recruited him over.

00:08:51.250 --> 00:08:54.760
He started working for the NSA as an analyst there.

00:08:54.760 --> 00:08:56.060
He worked at the NSA for a while.

00:08:56.060 --> 00:09:01.089
DAVID: I’d say August of 2011 to August of 2014, so about three years.

00:09:01.089 --> 00:09:04.330
JACK: Then around that time, a new opportunity showed up.

00:09:04.330 --> 00:09:06.390
DAVID: At that point I had gotten married.

00:09:06.390 --> 00:09:11.930
Probably, while I was up there, it would have been maybe almost two years I’ve been married.

00:09:11.930 --> 00:09:14.250
It’s time for me to get out of the service.

00:09:14.250 --> 00:09:18.640
I had gotten an offer to stay there on campus which is at the NSA.

00:09:18.640 --> 00:09:23.660
Then a different organization, or actually, an individual recruiter reached out to me

00:09:23.660 --> 00:09:24.970
and said hey…

00:09:24.970 --> 00:09:28.000
JACK: There was this recruiter from a company called CyberPoint.

00:09:28.000 --> 00:09:32.240
This is a company that’s contracted to do various types of hacking.

00:09:32.240 --> 00:09:37.080
Basically, if he were to work for this company, he would become a hacker for hire.

00:09:37.080 --> 00:09:40.660
The US government actually grants certain companies extra permissions to conduct

00:09:40.660 --> 00:09:41.810
stuff like this.

00:09:41.810 --> 00:09:45.860
The details of this are foggy but this company that was trying to recruit David was vetted

00:09:45.860 --> 00:09:48.280
by the US government to do this.

00:09:48.280 --> 00:09:51.089
David listened to the recruiter tell him what the job entails.

00:09:51.089 --> 00:09:57.620
DAVID: That I would be doing a lot of different types of offensive work, offensive maybe security,

00:09:57.620 --> 00:09:59.080
maybe offensive intelligence.

00:09:59.080 --> 00:10:04.260
That would be some of our goals.

00:10:04.260 --> 00:10:05.260
Whether or not…

00:10:05.260 --> 00:10:09.700
JACK: Give me an example of what some of the offensive work is that you expected to do.

00:10:09.700 --> 00:10:14.380
DAVID: Just from previous conversations, I’d understood well, you might be doing some tracking

00:10:14.380 --> 00:10:19.570
of terrorist organizations to help out and alleviate some of the workload in the United

00:10:19.570 --> 00:10:20.570
States.

00:10:20.570 --> 00:10:26.010
[MUSIC] We’re helping them out over there; protect their country as well.

00:10:26.010 --> 00:10:29.670
Our main understanding was we’re going over there to help them protect their country.

00:10:29.670 --> 00:10:34.070
JACK: This sounded good to David; to help protect the country, to help battle terrorists

00:10:34.070 --> 00:10:37.170
and to reduce some of the workload for the US forces?

00:10:37.170 --> 00:10:38.170
Alright!

00:10:38.170 --> 00:10:41.830
The company was called CyberPoint and it’s based in Baltimore, in the US.

00:10:41.830 --> 00:10:45.660
It’s typical that not all the details are given about your duties until after you sign

00:10:45.660 --> 00:10:48.200
an NDA, a Non-Disclosure Agreement.

00:10:48.200 --> 00:10:51.470
But there was one more detail in this contract.

00:10:51.470 --> 00:10:57.029
If he was to accept it, he would have to move to Abu Dhabi in the United Arab Emirates for

00:10:57.029 --> 00:10:59.829
two years which was the duration of this contract.

00:10:59.829 --> 00:11:02.189
DAVID: Not really ever traveled, not really ever gone anywhere.

00:11:02.189 --> 00:11:05.950
I had before, but being married, my wife had not.

00:11:05.950 --> 00:11:07.760
We made a decision together.

00:11:07.760 --> 00:11:11.510
JACK: They decided to take the job in Abu Dhabi.

00:11:11.510 --> 00:11:13.380
[MUSIC] Off they go.

00:11:13.380 --> 00:11:18.040
They packed up everything they needed, said bye to the family, and moved to the UAE which

00:11:18.040 --> 00:11:19.279
is right in the Middle East.

00:11:19.279 --> 00:11:24.240
The name of the hacking unit Dave was assigned to was called Project Raven.

00:11:24.240 --> 00:11:32.089
DAVID: For the first thirty days to sixty days, you’re actually living in a hotel.

00:11:32.089 --> 00:11:38.600
There are so many red flags when you first get over there, you should know to yourself;

00:11:38.600 --> 00:11:39.850
I shouldn’t be doing this.

00:11:39.850 --> 00:11:41.750
JACK: What were some of them?

00:11:41.750 --> 00:11:47.140
DAVID: Well, the fact that you have two different folders that explain different confidential

00:11:47.140 --> 00:11:48.140
information.

00:11:48.140 --> 00:11:49.140
That should be one of them.

00:11:49.140 --> 00:11:51.209
Like, this is what we told you you’re gonna be doing and this is what you’re actually

00:11:51.209 --> 00:11:52.209
gonna be doing.

00:11:52.209 --> 00:11:56.899
JACK: When a new person would show up at Project Raven, they would get two back-to-back meetings.

00:11:56.899 --> 00:11:58.850
First was the Purple Meeting.

00:11:58.850 --> 00:12:03.670
[MUSIC] In this Purple Meeting, you’re given a folder with information.

00:12:03.670 --> 00:12:08.269
It says you’re here strictly to carry out defensive measures within the cyber-security

00:12:08.269 --> 00:12:13.570
discipline such as deploying firewalls, intrusion detection systems, and other defensive measures.

00:12:13.570 --> 00:12:19.940
But as soon as that Purple Meeting was over, new employees were told that’s just a front;

00:12:19.940 --> 00:12:24.860
it’s a cover story that you can tell your family or anyone who pushes you to ask what

00:12:24.860 --> 00:12:25.860
you’re doing.

00:12:25.860 --> 00:12:32.899
Then immediately, you’re given the Black Meeting with a new folder.

00:12:32.899 --> 00:12:35.920
In this Black Meeting, you’re told a very different story.

00:12:35.920 --> 00:12:41.890
Here, you’re told you’re gonna be helping NISSA conduct offensive cyber operations.

00:12:41.890 --> 00:12:47.139
This meeting further explained that NISSA was the secret part of the UAE government

00:12:47.139 --> 00:12:52.620
which is similar to the NSA and that you’re gonna be helping them conduct electronic exploitation

00:12:52.620 --> 00:12:56.260
and collect information from specific targets.

00:12:56.260 --> 00:13:02.310
Yeah, for you and me, seeing these two back-to-back meetings like this would be a red flag for

00:13:02.310 --> 00:13:06.600
sure, but for someone who’s used to a lot of secrets coming out of the military and

00:13:06.600 --> 00:13:11.310
the NSA, this is actually a sort of common thing to experience.

00:13:11.310 --> 00:13:16.690
Covers and fronts for what your actual official duties are, yeah, that happens.

00:13:16.690 --> 00:13:19.079
It wasn’t an immediate flag for David.

00:13:19.079 --> 00:13:25.560
DAVID: The location we worked out of was actually a villa, a converted villa.

00:13:25.560 --> 00:13:28.840
Our spouses were not even really supposed to know where the villa was at even though

00:13:28.840 --> 00:13:31.700
that’s ridiculous ‘cause some people dropped their spouses off.

00:13:31.700 --> 00:13:33.860
JACK: Let’s talk about this villa he worked out of.

00:13:33.860 --> 00:13:35.750
I saw a floor plan to this.

00:13:35.750 --> 00:13:37.199
Let me describe it.

00:13:37.199 --> 00:13:42.700
[MUSIC] It was a big mansion and it was just converted into an office space that these

00:13:42.700 --> 00:13:44.589
contractors could work out of.

00:13:44.589 --> 00:13:47.430
I think that was there to blend in and hide out.

00:13:47.430 --> 00:13:50.380
A mansion is typically private and secluded and quiet.

00:13:50.380 --> 00:13:53.279
It’s a great place to set up a spy agency.

00:13:53.279 --> 00:13:56.450
This villa is where Project Raven was to take place.

00:13:56.450 --> 00:14:01.339
The villa was two stories and it consisted of a server room, a management office, a conference

00:14:01.339 --> 00:14:05.800
room, an operations center, a data-processing room, a couple of kitchens, and some security

00:14:05.800 --> 00:14:07.160
guards hanging out.

00:14:07.160 --> 00:14:11.240
Dozens of people either worked there or had business there and would come and go.

00:14:11.240 --> 00:14:14.509
I’m guessing around thirty people worked in this villa.

00:14:14.509 --> 00:14:17.460
The operation would go down like this; first, an order.

00:14:17.460 --> 00:14:22.290
A mission was relayed to the management office and managers would then work with those in

00:14:22.290 --> 00:14:25.370
the targeting room to properly identify the targets.

00:14:25.370 --> 00:14:28.459
Then, the team who worked in the infrastructure room would get busy.

00:14:28.459 --> 00:14:33.670
They would use fake identities and Bitcoin to anonymously rent server space around the

00:14:33.670 --> 00:14:34.670
world.

00:14:34.670 --> 00:14:38.351
This is a precaution so that in case the target figures out they’re being spied on and they

00:14:38.351 --> 00:14:42.240
try to track it down, it doesn’t come all the way back to this villa; there’s this

00:14:42.240 --> 00:14:44.360
anonymous, untrackable gap.

00:14:44.360 --> 00:14:49.870
Then, the targeting team would get to work scouring the target’s social media and trying

00:14:49.870 --> 00:14:54.480
to learn as much as they can about the target to strategize on a way to get into the victim’s

00:14:54.480 --> 00:14:55.780
computers and phones.

00:14:55.780 --> 00:14:59.620
Once they knew a method of attacking, the target team would figure out what attacks

00:14:59.620 --> 00:15:02.630
to use or create an exploit from scratch.

00:15:02.630 --> 00:15:04.470
The target team was very good.

00:15:04.470 --> 00:15:08.130
They knew that the more you knew about the target, the easier it will be to create exploits

00:15:08.130 --> 00:15:09.829
for them.

00:15:09.829 --> 00:15:11.490
The operations team would then step in.

00:15:11.490 --> 00:15:15.260
They’d be given all the tools to do the job and all the information on the target.

00:15:15.260 --> 00:15:19.510
Then, they exploited the target’s computer or cell phone to get data off of it and learn

00:15:19.510 --> 00:15:22.720
about that person or get the information that they’re after.

00:15:22.720 --> 00:15:28.930
They vacuumed up photos, e-mails, call records, conversations, texts, locations; anything

00:15:28.930 --> 00:15:29.930
of value.

00:15:29.930 --> 00:15:34.610
It was all done very secretly and covertly so the target wouldn’t even know they’re

00:15:34.610 --> 00:15:36.050
being spied on.

00:15:36.050 --> 00:15:41.250
Then, this information was given to management who then relayed it to whoever hired them.

00:15:41.250 --> 00:15:43.320
Pretty good little operation they had going on there.

00:15:43.320 --> 00:15:47.670
At this point, you might be wondering who’s hiring this group and conducting this spying

00:15:47.670 --> 00:15:48.870
and hacking?

00:15:48.870 --> 00:15:53.610
It was the UAE government who was hiring them to conduct these hacks.

00:15:53.610 --> 00:15:57.300
It sounds like the UAE government was in the process of getting their own internal hacking

00:15:57.300 --> 00:16:01.610
group stood up but they needed to hire this group of mostly Americans, many of whom were

00:16:01.610 --> 00:16:05.440
ex-NSA agents or ex-military intelligence-trained.

00:16:05.440 --> 00:16:09.940
This way, the UAE government can see how they operate and learn from them and build their

00:16:09.940 --> 00:16:10.980
own hacking team.

00:16:10.980 --> 00:16:17.270
DAVID: At this point, whenever I first started, everything was on the level; what we were

00:16:17.270 --> 00:16:21.649
doing, what we were operating on, what our targets were.

00:16:21.649 --> 00:16:24.459
We all agreed and we understood this is what we’re gonna be working on.

00:16:24.459 --> 00:16:28.610
JACK: The targets that David was given to extract data from seemed okay.

00:16:28.610 --> 00:16:31.440
He was given the same sort of mission each time.

00:16:31.440 --> 00:16:37.150
DAVID: Was just on what could be perceived as terrorist activity and we were protecting

00:16:37.150 --> 00:16:38.180
the local infrastructure.

00:16:38.180 --> 00:16:39.560
JACK: Makes sense, right?

00:16:39.560 --> 00:16:40.899
Anyone can get behind this.

00:16:40.899 --> 00:16:45.620
Let’s use hacking to get into terrorist cells and anyone planning to attack the UAE

00:16:45.620 --> 00:16:48.960
infrastructure, and stop any terrorist attacks before they happen.

00:16:48.960 --> 00:16:53.730
That’s what happened; David and the team at Project Raven were learning what terrorists

00:16:53.730 --> 00:16:57.779
were planning and giving this information to the UAE government to stop them.

00:16:57.779 --> 00:17:02.839
Now, I should add an important note here; all of this hacking was done by citizens of

00:17:02.839 --> 00:17:04.689
the UAE, who are called Emiratis.

00:17:04.689 --> 00:17:07.790
I’m gonna use that term a lot so make sure you understand it.

00:17:07.790 --> 00:17:12.050
An Emirati is simply a citizen of the United Arab Emirates.

00:17:12.050 --> 00:17:16.199
Since the UAE was trying to train up their own team to do this, it made sense to teach

00:17:16.199 --> 00:17:17.490
them how.

00:17:17.490 --> 00:17:20.949
David never really had hands on keyboard to conduct any of this.

00:17:20.949 --> 00:17:26.350
Instead, he was right next to an Emirati doing it, telling him exactly what keys to press

00:17:26.350 --> 00:17:30.760
and what exploits to use, and giving advice on how to move around the network.

00:17:30.760 --> 00:17:34.500
Most Emiratis speak English so the language barrier wasn’t a problem.

00:17:34.500 --> 00:17:38.860
This sounds okay too, but it also might be a red flag.

00:17:38.860 --> 00:17:42.320
Things get murky regarding how legal Project Raven was.

00:17:42.320 --> 00:17:47.330
It’s clearly illegal to share classified information with other people so David couldn’t

00:17:47.330 --> 00:17:51.560
tell these Emiratis any secret information that he was privy to at the NSA but in this

00:17:51.560 --> 00:17:55.960
case, David was sharing cyber-spying techniques with the Emiratis.

00:17:55.960 --> 00:18:01.710
Provided it’s not proprietary NSA-style tactics and exploits, there isn’t any hard

00:18:01.710 --> 00:18:06.840
law prohibiting him from teaching others how to hack, such as how to set up a phishing

00:18:06.840 --> 00:18:10.070
e-mail and use Metasploit to gain access to the victim’s machine.

00:18:10.070 --> 00:18:12.130
Anyone can learn this just on YouTube.

00:18:12.130 --> 00:18:14.240
That part, okay, that’s legal.

00:18:14.240 --> 00:18:18.720
But then we start trying to figure out whether an Emirati hacking into a terrorist phone

00:18:18.720 --> 00:18:22.130
who’s also in the UAE is legal or not.

00:18:22.130 --> 00:18:26.440
In the US, it probably isn’t legal unless you’re given express written consent from

00:18:26.440 --> 00:18:27.990
the US State Department.

00:18:27.990 --> 00:18:29.780
But what about over there?

00:18:29.780 --> 00:18:33.789
Keep in mind, this company did have all the approvals they needed from the UAE government

00:18:33.789 --> 00:18:35.950
and the US State Department to do this.

00:18:35.950 --> 00:18:41.280
Yeah, it might be a little easier to get approvals for things if Emiratis hack other Emiratis,

00:18:41.280 --> 00:18:44.750
but if an American were to do it, I don’t know, would it be different?

00:18:44.750 --> 00:18:49.299
It’s complicated and it makes my head spin but you see how murky this gets, right?

00:18:49.299 --> 00:18:52.340
But whatever, it’s not something I’m gonna be able to solve here.

00:18:52.340 --> 00:18:56.260
At this point, the UAE government was pleased with the work that Project Raven was doing.

00:18:56.260 --> 00:18:58.602
DAVID: The first four to six months, that’s what we were doing.

00:18:58.602 --> 00:19:08.711
Anytime we had an alert or a red flag of a probable or anticipated event, we would start

00:19:08.711 --> 00:19:12.952
the process of doing research to see if we can identify whether or not it

00:19:12.952 --> 00:19:13.952
was a valid threat.

00:19:13.952 --> 00:19:16.080
JACK: Now, it’s also important to say that all of this data exfiltration David was doing

00:19:16.080 --> 00:19:18.890
on the targets was only that; data exfiltration.

00:19:18.890 --> 00:19:23.860
He was never on a mission to drain a terrorist’s bank account or disable a car remotely, or

00:19:23.860 --> 00:19:28.790
do any disrupting, degrading, or destroying things that other hackers might do.

00:19:28.790 --> 00:19:31.280
This was just collecting communications.

00:19:31.280 --> 00:19:36.429
This went on for a while but then at some point, the requests from the UAE government

00:19:36.429 --> 00:19:39.580
started to get a little weird.

00:19:39.580 --> 00:19:46.470
DAVID: [MUSIC] You know, the unfortunate thing is, things didn’t get weird for quite some

00:19:46.470 --> 00:19:50.799
time because the requests looked very similar to what we were currently working on.

00:19:50.799 --> 00:19:57.780
Hey, this looks like that some of their funding might have come from over here.

00:19:57.780 --> 00:20:03.929
What would be necessary for you guys to prove that a country, for instance, is funding terrorist

00:20:03.929 --> 00:20:05.409
activity?

00:20:05.409 --> 00:20:11.039
Our response would be gain access to the country and gain access to this particular shopper,

00:20:11.039 --> 00:20:16.340
this person, and then read this stuff from the perspective of we’re still sanctioned

00:20:16.340 --> 00:20:21.450
to perform these activities under the State Department.

00:20:21.450 --> 00:20:26.630
Again, this might have been just me being naïve about the entire situation.

00:20:26.630 --> 00:20:31.780
Chances are, other people in the shop knew the answers to the questions of this is not

00:20:31.780 --> 00:20:33.350
sanctioned.

00:20:33.350 --> 00:20:39.510
But me being so new to this entire community and this whole world, I’m like okay, well,

00:20:39.510 --> 00:20:41.230
this is approved.

00:20:41.230 --> 00:20:43.730
They wouldn’t be asking unless it was an approved request.

00:20:43.730 --> 00:20:50.650
JACK: Keep in mind, the government branch of the UAE communicating with Project Raven

00:20:50.650 --> 00:20:54.570
is called NISSA and this is UAE’s version of NSA.

00:20:54.570 --> 00:21:00.789
NISSA told them to gain access to that foreign country’s government network to see if they’re

00:21:00.789 --> 00:21:02.010
funding terrorists.

00:21:02.010 --> 00:21:07.180
David’s team got busy scanning the IP space of that target country’s government network.

00:21:07.180 --> 00:21:09.419
You’ll never believe what they found.

00:21:09.419 --> 00:21:13.340
Stay with us.

00:21:13.340 --> 00:21:18.529
After the team at Project Raven scanned the .gov URLs for the target country, they found

00:21:18.529 --> 00:21:23.630
a VPN portal, a place you can log into and from there, you can get access to the internal

00:21:23.630 --> 00:21:25.940
systems in that network.

00:21:25.940 --> 00:21:26.940
Guess what?

00:21:26.940 --> 00:21:29.409
That VPN was using default credentials.

00:21:29.409 --> 00:21:36.059
DAVID: It’s not very hard to find default credentials; a Google search.

00:21:36.059 --> 00:21:44.309
I would say that 95% of initial accesses are gained based off of some type of easily guessable

00:21:44.309 --> 00:21:46.470
or default credentials.

00:21:46.470 --> 00:21:50.900
Look at the IoT world right now.

00:21:50.900 --> 00:21:53.390
That’s exactly what’s happening.

00:21:53.390 --> 00:21:58.470
JACK: [MUSIC] Take note, listeners; change your default passwords and don’t use any

00:21:58.470 --> 00:22:03.350
of the top 100 most common passwords like qwertyo or 12345.

00:22:03.350 --> 00:22:06.730
Make it hard for people like this to break into your stuff.

00:22:06.730 --> 00:22:11.179
Double-check your routers, firewalls, computers, phones, e-mails, VPN servers, and make sure

00:22:11.179 --> 00:22:16.510
none of them are using easy-to-guess passwords.

00:22:16.510 --> 00:22:22.070
When somebody at your shop gets into this thing, now this is where you shine, right,

00:22:22.070 --> 00:22:25.830
being able to move laterally in a network, pivot around, find the goods.

00:22:25.830 --> 00:22:26.830
Is that right?

00:22:26.830 --> 00:22:30.010
DAVID: It’s sort of one of the things that I was trained in.

00:22:30.010 --> 00:22:37.169
Again, I’m really good at ideas; hey, let’s do this, and then it’s a bunch of research

00:22:37.169 --> 00:22:39.360
if no one has done that before.

00:22:39.360 --> 00:22:44.390
JACK: The idea they had here was let’s start reading e-mails within this .gov organization.

00:22:44.390 --> 00:22:47.929
They found the organization was being managed by an MSP.

00:22:47.929 --> 00:22:50.919
An MSP is a managed service provider.

00:22:50.919 --> 00:22:55.419
Basically this .gov organization didn’t have the expertise or head count to handle

00:22:55.419 --> 00:22:58.550
all the routers, firewalls, servers, phones, whatever.

00:22:58.550 --> 00:23:01.730
They contracted all this out to someone else to take care of it.

00:23:01.730 --> 00:23:03.700
That’s what an MSP does.

00:23:03.700 --> 00:23:08.059
It manages, patches, oversees, and troubleshoots the network devices.

00:23:08.059 --> 00:23:12.080
I think in this case they did a bad job at managing the network since they left default

00:23:12.080 --> 00:23:16.050
passwords on the VPN [00:25:00] but who am I to judge?

00:23:16.050 --> 00:23:19.159
David’s team found a device on the network managed by this MSP.

00:23:19.159 --> 00:23:24.440
It was a server running an app called Managed Engine which is basically a tool to help you

00:23:24.440 --> 00:23:25.750
monitor your network better.

00:23:25.750 --> 00:23:30.059
DAVID: The default credentials on this platform, again default creds, are administrator/administrator.

00:23:30.059 --> 00:23:37.270
You login and there’s a known vulnerability for this where you actually have to – you’re

00:23:37.270 --> 00:23:42.070
creating a ticket but in that process of creating a ticket, you can upload a document.

00:23:42.070 --> 00:23:45.760
That process of uploading a document, since you’re administrator, you go back to the

00:23:45.760 --> 00:23:51.230
administrator console where it tells you where do you want the documents to go that you upload?

00:23:51.230 --> 00:23:52.919
Then you can change that to a new location.

00:23:52.919 --> 00:23:58.809
For instance, if you know it has a VaR dub dub dub HTML space and you know hey, I can

00:23:58.809 --> 00:24:03.980
actually just drop these right in there, you know the sub folder creation naming convention

00:24:03.980 --> 00:24:11.570
for each ticket number, then you go and create a ticket, you put an ASPX web shell on there,

00:24:11.570 --> 00:24:15.250
upload it as part of that ticket, and now you browse your ASPX web shell and you have

00:24:15.250 --> 00:24:23.120
either a web shell or if your ASPX is a reverse – let’s just say meterpreter session,

00:24:23.120 --> 00:24:26.880
now you have access to that server.

00:24:26.880 --> 00:24:31.880
Realizing that they had credentials stored in the machine that we just used their encryption

00:24:31.880 --> 00:24:36.820
process to – just took that down, reversed their encryption process – again, somebody

00:24:36.820 --> 00:24:42.090
else significantly smarter than me did this, reversed this encryption process to actually

00:24:42.090 --> 00:24:49.740
decrypt the passwords for administrators for peered networks in this platform.

00:24:49.740 --> 00:24:54.010
JACK: Okay, so now they have a whole bunch of usernames and passwords of people who log

00:24:54.010 --> 00:24:56.530
into this managed engine server.

00:24:56.530 --> 00:25:00.460
From here they figured out that some of the users also worked for this MSP.

00:25:00.460 --> 00:25:04.030
They also found a tunnel back to the MSP.

00:25:04.030 --> 00:25:07.870
Now they decide to try to get into that MSP’s network.

00:25:07.870 --> 00:25:12.029
DAVID: [MUSIC] You have two different ways; if you have a credential, you just use your

00:25:12.029 --> 00:25:19.559
– again, living off the land, your net bios, your SMB, passing the hash or even the plain

00:25:19.559 --> 00:25:23.110
text password, login remotely until you get where you want to go to the domain controller,

00:25:23.110 --> 00:25:28.860
dump all the credentials, and then install persistence throughout the environment.

00:25:28.860 --> 00:25:30.330
JACK: Whoa.

00:25:30.330 --> 00:25:35.270
Oh man, like, this is – do you realize what’s happening here?

00:25:35.270 --> 00:25:39.929
David’s team has access into the managed service provider, this MSP.

00:25:39.929 --> 00:25:45.539
This is a company that has a map to all the critical infrastructure for this .gov organization.

00:25:45.539 --> 00:25:49.930
It also has all the passwords and IP addresses and access to all these systems.

00:25:49.930 --> 00:25:56.149
But not only that; this MSP had many more clients, like other .gov networks in this

00:25:56.149 --> 00:25:57.149
target country.

00:25:57.149 --> 00:25:58.790
Do you see now?

00:25:58.790 --> 00:26:04.880
David’s team just got tons and tons of access into that target government’s network by

00:26:04.880 --> 00:26:07.210
gaining access to this single MSP.

00:26:07.210 --> 00:26:12.740
I mean, where do you even begin looking for e-mails or communications saying that they’re

00:26:12.740 --> 00:26:14.840
paying the terrorists?

00:26:14.840 --> 00:26:18.120
The UAE government asked Project Raven for an update.

00:26:18.120 --> 00:26:20.100
Did you find anything yet?

00:26:20.100 --> 00:26:21.570
The team responded by saying…

00:26:21.570 --> 00:26:29.611
DAVID: We gained access to Ministry of Foreign Affairs, their royal family heir line, some

00:26:29.611 --> 00:26:31.950
of their military infrastructure.

00:26:31.950 --> 00:26:36.160
JACK: This was very interesting to the UAE government.

00:26:36.160 --> 00:26:41.809
They then even asked the team to track the royal family airlines of this target nation.

00:26:41.809 --> 00:26:48.940
DAVID: [MUSIC] Yeah, when they’re flying, at least.

00:26:48.940 --> 00:26:54.000
Then we started getting requests for daily polls; we want this particular flight tracker

00:26:54.000 --> 00:26:55.070
on a daily basis.

00:26:55.070 --> 00:27:01.429
Again, that was another red flag of why is this important?

00:27:01.429 --> 00:27:07.710
You guys are just looking for proof that they’re funding Muslim Brotherhood.

00:27:07.710 --> 00:27:11.289
Why do you guys need this information?

00:27:11.289 --> 00:27:19.140
More internal conversation that we were actually becoming the intelligence-gathering shop for

00:27:19.140 --> 00:27:24.580
essentially the local country’s intelligence agency.

00:27:24.580 --> 00:27:29.940
We’re no longer really focused on getting this particular type of information.

00:27:29.940 --> 00:27:31.720
That’s when questions started to come up.

00:27:31.720 --> 00:27:33.100
Why are we doing this?

00:27:33.100 --> 00:27:37.260
What is the point of this?

00:27:37.260 --> 00:27:40.490
In reality, from a political perspective, I could see that there was a lot of point;

00:27:40.490 --> 00:27:45.360
they want to know who else this country’s talking to, they’re lying behind their back,

00:27:45.360 --> 00:27:47.640
and so on and so forth.

00:27:47.640 --> 00:27:49.159
Those are just speculations.

00:27:49.159 --> 00:27:54.289
I would assume that they’re doing this but I don’t really have any idea.

00:27:54.289 --> 00:27:57.350
JACK: Let’s put our ethics cap on, here.

00:27:57.350 --> 00:28:02.200
If you were hired to work in another country as a cyber-mercenary, if you will, and you

00:28:02.200 --> 00:28:06.340
come for the money and to help the government fight terrorism, but now you’re just helping

00:28:06.340 --> 00:28:10.330
the UAE collect intelligence off a foreign government’s royal family?

00:28:10.330 --> 00:28:15.390
Do you question it or do you do it diligently [00:30:00] with no questions asked?

00:28:15.390 --> 00:28:20.070
This scratched something in the back of David’s head; something wasn’t exactly right with

00:28:20.070 --> 00:28:23.730
this but he kept on doing his work anyway.

00:28:23.730 --> 00:28:31.600
[MUSIC] He went back into that foreign government network and started looking around for anything

00:28:31.600 --> 00:28:33.250
about terrorist funding.

00:28:33.250 --> 00:28:38.330
Sometimes when David was in that network, he would see someone else was also in there

00:28:38.330 --> 00:28:43.220
at the same time, another hacker.

00:28:43.220 --> 00:28:49.309
Maybe another government agency has hacked into the same system that he was sitting on.

00:28:49.309 --> 00:28:53.670
Seeing something like this always makes you slow down and take a breath.

00:28:53.670 --> 00:29:00.190
DAVID: We’re not gonna go in and help clean up an entire environment because we’re in

00:29:00.190 --> 00:29:01.190
there.

00:29:01.190 --> 00:29:04.410
But you can see that there’s stuff there and you can do some research and figure out

00:29:04.410 --> 00:29:05.730
what it is.

00:29:05.730 --> 00:29:12.120
But lots of times in those environments, you either don’t use those particular machines

00:29:12.120 --> 00:29:19.530
that might have other infrastructure on there or you just do your best to blend in.

00:29:19.530 --> 00:29:25.809
Also, if you have proprietary tools, you don’t use those tools on that piece of infrastructure.

00:29:25.809 --> 00:29:28.510
JACK: This makes sense, right?

00:29:28.510 --> 00:29:32.740
Exploits are weapons and if you load up your best weapon so that you can hop into another

00:29:32.740 --> 00:29:38.200
computer, anyone else who’s on that system can also see your exploit or weapon and grab

00:29:38.200 --> 00:29:40.149
it for themselves.

00:29:40.149 --> 00:29:45.669
It’s best to use off-the-shelf stuff because you really have no idea who else is hacking

00:29:45.669 --> 00:29:48.750
their way around this network, too.

00:29:48.750 --> 00:29:51.539
The UAE called up Project Raven and gave them a new request.

00:29:51.539 --> 00:29:57.220
DAVID: Hey, is there any indication that bribing happened for a particular sport?

00:29:57.220 --> 00:30:01.620
They want to know if a sport – if there was bribing is because we both bid on this

00:30:01.620 --> 00:30:05.840
to take place in our country and then they won it.

00:30:05.840 --> 00:30:10.870
We think that we probably bid higher and we had a much better chance but they won.

00:30:10.870 --> 00:30:15.120
Then we realized that the requests were all political.

00:30:15.120 --> 00:30:24.090
[MUSIC] There was no real request about funding the Muslim Brotherhood.

00:30:24.090 --> 00:30:33.640
There was just the shady request design to push us forward to gain access to this.

00:30:33.640 --> 00:30:39.779
JACK: Again, this was odd for David because he came here to do something else.

00:30:39.779 --> 00:30:44.570
He quit the NSA and moved with his wife all the way across the world to here, the UAE,

00:30:44.570 --> 00:30:45.570
to battle terrorists.

00:30:45.570 --> 00:30:51.559
Now he’s learning that’s not what this role is actually for; it’s kind of changed.

00:30:51.559 --> 00:30:52.990
This is hard to handle.

00:30:52.990 --> 00:30:56.410
If he knew this is what the job was from the beginning, he might not have moved all the

00:30:56.410 --> 00:30:58.269
way over here to do it.

00:30:58.269 --> 00:31:05.799
I think this is when David starts to really question his work here.

00:31:05.799 --> 00:31:08.680
There were other teams in the villa like I was saying earlier.

00:31:08.680 --> 00:31:13.179
David was there to extract information from the target but his team would give that information

00:31:13.179 --> 00:31:17.860
to another team for analysis which is just in another room in this villa.

00:31:17.860 --> 00:31:21.230
One of the people in that analysis team was named Lori Stroud.

00:31:21.230 --> 00:31:25.030
Lori would take the information collected and try to make sense of what it was, and

00:31:25.030 --> 00:31:28.499
then give it to management and then the UAE officials.

00:31:28.499 --> 00:31:32.409
Before coming to Project Raven, Lori was a technology consultant for a company called

00:31:32.409 --> 00:31:34.429
Booz Allen Hamilton.

00:31:34.429 --> 00:31:36.799
After that, she went on to work for the NSA.

00:31:36.799 --> 00:31:39.570
But now she’s here in this villa with David.

00:31:39.570 --> 00:31:43.850
Lori, too, was getting suspicious of the motives that the UAE was giving her.

00:31:43.850 --> 00:31:50.409
DAVID: We start getting requests for targeting of, let’s just be honest, journalists and

00:31:50.409 --> 00:31:52.779
human rights activists.

00:31:52.779 --> 00:32:02.430
[MUSIC] Again, they started to raise some pretty significant flags.

00:32:02.430 --> 00:32:06.909
JACK: There were journalists and activists that were being critical of the UAE government

00:32:06.909 --> 00:32:07.909
and their leaders.

00:32:07.909 --> 00:32:12.380
Basically, the UAE saw these people as threats to the nation and wanted this team to get

00:32:12.380 --> 00:32:13.919
anything they could off them.

00:32:13.919 --> 00:32:15.690
What stories were they working on?

00:32:15.690 --> 00:32:16.690
Where were they rallying?

00:32:16.690 --> 00:32:17.880
Where were they located?

00:32:17.880 --> 00:32:20.830
What were their phone calls about?

00:32:20.830 --> 00:32:24.190
Back in the US where David and Lori are from, this is wrong.

00:32:24.190 --> 00:32:27.240
The First Amendment of the Constitution protects against this.

00:32:27.240 --> 00:32:31.880
In short, it says congress shall make no law prohibiting the freedom of press or the right

00:32:31.880 --> 00:32:34.690
of people to peaceably assemble.

00:32:34.690 --> 00:32:38.200
This was not okay for them to morally or ethically do.

00:32:38.200 --> 00:32:41.850
As David said, this was starting to go too far.

00:32:41.850 --> 00:32:44.810
This was becoming a bigger red flag now.

00:32:44.810 --> 00:32:48.389
DAVID: There’s no potential threat.

00:32:48.389 --> 00:32:51.370
The only potential threat is gonna be political.

00:32:51.370 --> 00:32:56.870
It turned into something that we didn’t really quite – none of us really agreed

00:32:56.870 --> 00:32:57.870
with.

00:32:57.870 --> 00:33:01.260
None of us thought it was the right direction for us to be going.

00:33:01.260 --> 00:33:03.350
We started to raise questions.

00:33:03.350 --> 00:33:06.490
We started to say hey, I don’t think this is the right way.

00:33:06.490 --> 00:33:11.880
JACK: The UAE was requesting more and more from Project Raven which clearly looked like

00:33:11.880 --> 00:33:15.549
it was for political reasons [00:35:00] and not for threats against the nation.

00:33:15.549 --> 00:33:20.240
At one point they asked the team at Project Raven if they would consider targeting US

00:33:20.240 --> 00:33:21.240
computers.

00:33:21.240 --> 00:33:26.350
If a known terrorist was using a computer in the US, then they wanted the data off that

00:33:26.350 --> 00:33:27.350
computer.

00:33:27.350 --> 00:33:30.019
But David is from the NSA, the military.

00:33:30.019 --> 00:33:34.309
He remembers clearly reading through FISA, the Foreign Intelligence Service Act, and

00:33:34.309 --> 00:33:41.100
in Section OVSC-1203 it clearly says if you find yourself targeting a US person, you should

00:33:41.100 --> 00:33:44.789
de-target them at an emergency priority.

00:33:44.789 --> 00:33:49.500
This was clearly going over the line for David so he advised management to push back on this

00:33:49.500 --> 00:33:50.500
objective.

00:33:50.500 --> 00:33:55.399
DAVID: We told them that we’re encouraging you not to do this, yeah.

00:33:55.399 --> 00:33:59.309
JACK: With that, a lot of conversations went back and forth between this company that David

00:33:59.309 --> 00:34:01.890
and Lori worked for and the UAE government.

00:34:01.890 --> 00:34:07.039
At one point during her analysis, Lori found that data was collected on US citizens.

00:34:07.039 --> 00:34:12.370
She decided this was wrong and she said, quote, “I don’t think Americans should be doing

00:34:12.370 --> 00:34:14.329
this to other Americans.

00:34:14.329 --> 00:34:19.320
I’m a spy; I get that, and I’m an intelligence officer but I’m not a bad one.”

00:34:19.320 --> 00:34:20.619
End quote.

00:34:20.619 --> 00:34:23.770
Lori was not happy with this and started to raise even more questions.

00:34:23.770 --> 00:34:28.960
By now, over at the villa where Project Raven was, the seams were starting to show.

00:34:28.960 --> 00:34:30.829
Employees were asking questions.

00:34:30.829 --> 00:34:33.500
They were feeling hesitant about the work they were doing.

00:34:33.500 --> 00:34:41.080
DAVID: Probably at this point, around October/November, there’s a lot of red flags going up for

00:34:41.080 --> 00:34:42.169
people.

00:34:42.169 --> 00:34:51.169
Then my wife and I, we left for Christmas break to go back to the states around Christmastime.

00:34:51.169 --> 00:34:58.520
I think it was December 17th or 16th or 17th when I got an e-mail saying – from our US

00:34:58.520 --> 00:35:04.570
contracting agency that they’re essentially giving everyone a reprieve on their contract.

00:35:04.570 --> 00:35:09.110
If you want to go back to the United States, they’ll pack you up and ship you home at

00:35:09.110 --> 00:35:10.280
no cost.

00:35:10.280 --> 00:35:11.500
We decided to do that.

00:35:11.500 --> 00:35:12.500
A lot of people did.

00:35:12.500 --> 00:35:19.130
There’s also a lot of people who decided to stay but a lot of the people that I operated

00:35:19.130 --> 00:35:25.079
with on a daily basis decided I’m not staying here, and so they took off.

00:35:25.079 --> 00:35:28.630
JACK: After David left, Project Raven continued.

00:35:28.630 --> 00:35:33.230
They carried out new operations and tasks that were given to them.

00:35:33.230 --> 00:35:38.369
I’m gonna switch gears here for a minute and bring on someone new to talk about what

00:35:38.369 --> 00:35:40.290
happens next at Project Raven.

00:35:40.290 --> 00:35:48.130
RORI: My name is Rori Donaghy and in 2012, I set up a human rights group that was effectively

00:35:48.130 --> 00:35:51.950
just a WordPress website and the blog where I set out press releases from.

00:35:51.950 --> 00:35:54.830
It was called the Emirate Center of Human Rights.

00:35:54.830 --> 00:35:59.619
I wrote about human rights abuses in the United Arab Emirates because I felt they weren’t

00:35:59.619 --> 00:36:04.200
getting enough coverage and I had built up some good contacts that helped me with information

00:36:04.200 --> 00:36:05.230
that happened there.

00:36:05.230 --> 00:36:09.540
JACK: Rori was living in London in the UK and he started this little WordPress blog

00:36:09.540 --> 00:36:13.290
simply to call attention to some of the bad things that the UAE government was doing.

00:36:13.290 --> 00:36:17.040
But this blog started to pick up and it was getting noticed by some bigger journalists.

00:36:17.040 --> 00:36:21.860
RORI: I was getting good coverage and getting access to big platforms.

00:36:21.860 --> 00:36:27.210
I was being interviewed semi-regularly by the BBC across the English and crucially,

00:36:27.210 --> 00:36:28.930
its Arabic platforms.

00:36:28.930 --> 00:36:33.619
Also, the work was being covered a little bit more in places like the Financial Times

00:36:33.619 --> 00:36:39.089
and The Guardian, places where it was never in discussion about Dubai other than in a

00:36:39.089 --> 00:36:41.940
positive tourist and business sense.

00:36:41.940 --> 00:36:47.270
All of a sudden there were these stories about torture and how they were treating people

00:36:47.270 --> 00:36:51.050
in prison, and political activists, and shutting down of free speech.

00:36:51.050 --> 00:36:56.740
It was changing, I think slightly, the international image of the UAE at the time.

00:36:56.740 --> 00:36:58.480
JACK: Here’s a clip from Rori on the BBC.

00:36:58.480 --> 00:37:02.330
HOST: I’m joined by Rori Donaghy who is campaign manager for the Emirates Center for

00:37:02.330 --> 00:37:04.819
Human Rights based here in the UK.

00:37:04.819 --> 00:37:05.900
Why is this important?

00:37:05.900 --> 00:37:11.569
RORI: This is important because they’ve been tortured and some have been held as – enforced

00:37:11.569 --> 00:37:13.359
its appearances over the last seven months.

00:37:13.359 --> 00:37:17.280
We’ve seen the European parliament condemn the human rights abuses in the UAE over the

00:37:17.280 --> 00:37:18.280
past two weeks.

00:37:18.280 --> 00:37:22.820
HOST: Let me quote to you what the attorney general has said.

00:37:22.820 --> 00:37:27.020
He says that they were arrested for managing an organization with the aim of committing

00:37:27.020 --> 00:37:28.460
crimes against state security.

00:37:28.460 --> 00:37:32.450
RORI: Well, there has been no evidence brought forward for that.

00:37:32.450 --> 00:37:33.780
HOST: Neither have they gone to court yet, either.

00:37:33.780 --> 00:37:34.780
RORI: They haven’t got to court.

00:37:34.780 --> 00:37:35.780
No charge has been brought…

00:37:35.780 --> 00:37:39.680
JACK: The UAE government did not like Rori talking about them.

00:37:39.680 --> 00:37:46.260
They told Project Raven to get in his computer and phone and spy on him.

00:37:46.260 --> 00:37:53.750
RORI: [MUSIC] One day at work in the Middle East, I got an e-mail asking if I could take

00:37:53.750 --> 00:37:59.550
part in a human rights panel and if I wanted to take part in it, could I click on the following

00:37:59.550 --> 00:38:03.000
link and comment on a piece?

00:38:03.000 --> 00:38:07.770
The link looked like it would go to an Al Jazeera English’s website.

00:38:07.770 --> 00:38:12.040
But the e-mail address was very odd; it was random and the English was poor, misspelled.

00:38:12.040 --> 00:38:16.930
[00:40:00] But none the less, I was foolish enough to click on the link.

00:38:16.930 --> 00:38:18.830
When I did, it didn’t go anywhere.

00:38:18.830 --> 00:38:25.480
I thought it was very strange so I just forwarded it onto Citizen Lab and Bill Marczak there,

00:38:25.480 --> 00:38:28.170
who I knew through work.

00:38:28.170 --> 00:38:32.060
He got to work on it because even at that point, when I sent the e-mail to him, I couldn’t

00:38:32.060 --> 00:38:34.760
have thought that I was being surveilled.

00:38:34.760 --> 00:38:36.820
I just thought it was a bit strange.

00:38:36.820 --> 00:38:39.010
I really had no idea what was going on.

00:38:39.010 --> 00:38:41.350
JACK: Rori gave this e-mail to Citizen Lab.

00:38:41.350 --> 00:38:45.680
They basically do research on espionage going around against civil society.

00:38:45.680 --> 00:38:49.869
If a journalist or an activist thinks they’re being targeted by malware or espionage from

00:38:49.869 --> 00:38:53.230
some government, they can go to Citizen Lab to get help.

00:38:53.230 --> 00:38:56.020
Rori sent this suspicious e-mail to them to check into it.

00:38:56.020 --> 00:39:02.950
RORI: After some time, Bill came back to me and told me that I had been the target of

00:39:02.950 --> 00:39:04.630
this spyware.

00:39:04.630 --> 00:39:10.660
JACK: Besides the URLs riddled with spyware, there were a lot of people tweeting at Rori,

00:39:10.660 --> 00:39:11.660
too.

00:39:11.660 --> 00:39:15.790
Citizen Lab found thirty-one public tweets sent to Rori that were suspicious.

00:39:15.790 --> 00:39:20.420
These were all tweets about human rights activities in the UAE with shortened URLs that contained

00:39:20.420 --> 00:39:21.420
spyware.

00:39:21.420 --> 00:39:25.550
These tweets were publically sent to Rori but what was really interesting about these

00:39:25.550 --> 00:39:31.350
tweets is that about six of the accounts that sent these tweets were actually UAE citizens,

00:39:31.350 --> 00:39:33.109
except they had been arrested.

00:39:33.109 --> 00:39:35.640
These tweets were sent after their arrest.

00:39:35.640 --> 00:39:41.760
RORI: Yeah, this is a common tactic in the UAE which would be to – once they had arrested

00:39:41.760 --> 00:39:46.170
a political activist or dissident, that they would then take control of their social media

00:39:46.170 --> 00:39:51.910
accounts and then use them to try and lure other people they would want to pull into

00:39:51.910 --> 00:39:55.710
their web of surveillance because obviously they couldn’t arrest me because I was living

00:39:55.710 --> 00:39:57.210
in London.

00:39:57.210 --> 00:39:59.830
That’s quite a common tactic.

00:39:59.830 --> 00:40:01.960
It’s a really frightening tactic.

00:40:01.960 --> 00:40:09.060
JACK: A very freaky tactic but an effective one because the team at Project Raven did

00:40:09.060 --> 00:40:13.500
completely infiltrate Rori’s computer and phone.

00:40:13.500 --> 00:40:17.369
[MUSIC] Bill at Citizen Lab told Rori the bad news.

00:40:17.369 --> 00:40:25.670
RORI: He said he believed ultimately was the UAE government to spy on me and probably listen

00:40:25.670 --> 00:40:28.349
and read all my communications.

00:40:28.349 --> 00:40:35.069
They weren’t just surveilling me from what I understand; it was also my parents, my other

00:40:35.069 --> 00:40:39.869
younger brother who’s got special needs who poses no threat to anyone, the school

00:40:39.869 --> 00:40:41.630
we went to, my partner.

00:40:41.630 --> 00:40:45.160
I did feel really violated.

00:40:45.160 --> 00:40:51.790
I guess the thing that I would say most about it is that when people ask about this story,

00:40:51.790 --> 00:40:54.950
is that it all happens silently.

00:40:54.950 --> 00:40:57.060
I was just carrying on with my life.

00:40:57.060 --> 00:41:00.750
When I think about the experience of it, there wasn’t really any experience of it.

00:41:00.750 --> 00:41:02.130
This all happened so silently.

00:41:02.130 --> 00:41:07.790
It’s such an effective way of surveilling someone that you have no idea about just how

00:41:07.790 --> 00:41:11.540
pervasive it is or what they have access to.

00:41:11.540 --> 00:41:15.010
It’s not an experience as such.

00:41:15.010 --> 00:41:18.030
It’s just something that happens and then someone tells you about later.

00:41:18.030 --> 00:41:25.700
It’s quite hard to retroactively feel something because it’s already happened at that point.

00:41:25.700 --> 00:41:27.609
It’s a very bizarre experience.

00:41:27.609 --> 00:41:33.190
JACK: I don’t know, if I learned that a foreign government has infiltrated my computer

00:41:33.190 --> 00:41:38.069
and was looking at my e-mails, private messages, texts, and knowing what stories I was working

00:41:38.069 --> 00:41:40.640
on, I’d be extremely freaked out.

00:41:40.640 --> 00:41:43.460
I think it’s a little weird that Rori didn’t panic more.

00:41:43.460 --> 00:41:48.349
RORI: Actually, when you talk about my response to it being weird, I think it’s because

00:41:48.349 --> 00:41:51.440
I felt safe in London.

00:41:51.440 --> 00:41:56.380
If I’d lived in the UAE under the fear of this authoritarian government that’s capable

00:41:56.380 --> 00:42:00.350
of torture and imprisonment for a long period of time, I’d have felt very differently

00:42:00.350 --> 00:42:02.030
about it.

00:42:02.030 --> 00:42:04.820
JACK: That does make sense.

00:42:04.820 --> 00:42:08.930
If you compare torture and arrests versus being spied on, I guess he got the lesser

00:42:08.930 --> 00:42:12.910
of two consequences for speaking up against the UAE on that one.

00:42:12.910 --> 00:42:16.430
He was able to clean up his computer and wipe the spyware off, and was careful not to be

00:42:16.430 --> 00:42:17.430
infected again.

00:42:17.430 --> 00:42:21.430
But he looks back on this experience and it’s still a bit shocking to him.

00:42:21.430 --> 00:42:25.440
RORI: Do you know, the fact that there was a whole team of people and they must have

00:42:25.440 --> 00:42:29.079
spent quite a significant sum of money on this.

00:42:29.079 --> 00:42:36.530
I do find that frightening because that’s still going on now but just to someone else,

00:42:36.530 --> 00:42:37.530
I imagine.

00:42:37.530 --> 00:42:41.630
JACK: While Rori was writing about human rights in the UAE from London, there was another

00:42:41.630 --> 00:42:45.780
activist also writing about the same stuff, but he was an Emirati.

00:42:45.780 --> 00:42:50.329
His name was Ahmed Mansoor and Rori talked with him a lot back then.

00:42:50.329 --> 00:42:57.599
RORI: Yeah, Ahmed was a close contact and I’d say a friend throughout the time that

00:42:57.599 --> 00:43:01.579
I covered human rights abuses in the UAE.

00:43:01.579 --> 00:43:07.680
Ahmed was the number one political and human rights activist in the UAE.

00:43:07.680 --> 00:43:11.270
JACK: Here’s a clip from YouTube that’s Ahmed talking about human rights.

00:43:11.270 --> 00:43:13.280
AHMED: Hello, ladies and gentlemen.

00:43:13.280 --> 00:43:17.349
[00:45:00] My name is Ahmed Mansoor from United Arab Emirates.

00:43:17.349 --> 00:43:24.260
I will focus in this presentation on the latest development related to human rights situation

00:43:24.260 --> 00:43:25.830
in UAE.

00:43:25.830 --> 00:43:31.099
The first point that I would like to talk about is the arbitrary detention.

00:43:31.099 --> 00:43:36.760
JACK: Once again, this is another person that the UAE government was not happy about and

00:43:36.760 --> 00:43:40.630
assigned Project Raven to spy on Ahmed as well.

00:43:40.630 --> 00:43:44.660
The same tactics were used; phishing e-mails from so-called activists, tweets from people

00:43:44.660 --> 00:43:50.060
who were arrested, and Project Raven also got into Ahmed’s phone and computer and

00:43:50.060 --> 00:43:52.990
could see pretty much everything he was doing.

00:43:52.990 --> 00:43:56.960
But Ahmed had a much worse fate than Rori.

00:43:56.960 --> 00:44:06.430
AHMED: Ahmed was arrested by the Emirati Authorities and accused of some crime that wouldn’t

00:44:06.430 --> 00:44:08.180
exist in any democratic state.

00:44:08.180 --> 00:44:12.380
I think it was communicating with a foreign enemy, something along those lines.

00:44:12.380 --> 00:44:16.740
JACK: He was actually charged with damaging the country’s unity which kind of sounds

00:44:16.740 --> 00:44:17.930
like a made-up crime to me.

00:44:17.930 --> 00:44:21.260
AHMED: …and sentenced to ten years in prison.

00:44:21.260 --> 00:44:27.471
There’s been credible reports of his torture and kept in really terrible conditions in

00:44:27.471 --> 00:44:28.471
the UAE.

00:44:28.471 --> 00:44:30.260
JACK: Jeez, can you imagine?

00:44:30.260 --> 00:44:34.030
If you speak out against your government and then the government hires a bunch of ex-NSA

00:44:34.030 --> 00:44:38.470
people to spy on you, and this leads them to find where you live and what you’re doing

00:44:38.470 --> 00:44:40.609
which then gets you arrested.

00:44:40.609 --> 00:44:44.880
Then you get put in prison for ten years and placed into solitary confinement with terrible

00:44:44.880 --> 00:44:46.710
living conditions.

00:44:46.710 --> 00:44:51.010
Let’s not ignore that all of Ahmed’s family is also spied on.

00:44:51.010 --> 00:44:55.420
His wife’s phone was also hacked by this group, and she now lives in fear and social

00:44:55.420 --> 00:44:57.319
isolation as a result of all this.

00:44:57.319 --> 00:45:02.849
AHMED: The reason that this has happened to Ahmed is because he has been the lone light

00:45:02.849 --> 00:45:08.770
in covering human rights abuses in his country for many years and led to him winning prestigious

00:45:08.770 --> 00:45:13.790
human rights awards including the Martin Ennals Award for Human Rights Defender of the Year.

00:45:13.790 --> 00:45:20.040
His growing stature as an international human rights defender is really, what I think, led

00:45:20.040 --> 00:45:26.349
to his arrest because he was known as being – he wasn’t affiliated to any religious

00:45:26.349 --> 00:45:31.589
or political group that could be used to undermine his credibility by the UAE.

00:45:31.589 --> 00:45:36.250
Ahmed stood alone as this really respected human rights activist.

00:45:36.250 --> 00:45:42.510
I can’t stress enough how brave and courageous he was to do that work in a country where

00:45:42.510 --> 00:45:48.050
he knew that when he was going to get arrested, which is inevitable, that he would be tortured

00:45:48.050 --> 00:45:50.500
and treated in such a terrible way.

00:45:50.500 --> 00:45:59.700
Prior to his arrest, Ahmed was being surveilled in the most pernicious and obtrusive way which,

00:45:59.700 --> 00:46:05.869
as I’m sure you know, led to Apple having to issue an update to their software because

00:46:05.869 --> 00:46:09.770
of the way he was surveilled which was through – it was sent to his iPhone.

00:46:09.770 --> 00:46:12.060
JACK: Oh right, Apple and the iPhone.

00:46:12.060 --> 00:46:13.310
Let’s talk about that.

00:46:13.310 --> 00:46:17.660
Project Raven had access to this crazy hacking tool called Karma.

00:46:17.660 --> 00:46:22.010
When I read about Karma, it kind of reads like how Hollywood hacking is portrayed.

00:46:22.010 --> 00:46:24.650
It’s crazy simple and it blows my mind.

00:46:24.650 --> 00:46:30.829
In 2016, the UAE purchased this hacking tool Karma from some outside vendor.

00:46:30.829 --> 00:46:33.290
We don’t know who made it or where it was purchased from.

00:46:33.290 --> 00:46:38.200
The UAE told Project Raven, look, we have this great new tool and you can target iPhones

00:46:38.200 --> 00:46:39.530
with it.

00:46:39.530 --> 00:46:41.670
But this was its limitation, too; just iPhones.

00:46:41.670 --> 00:46:44.480
Here’s how it works.

00:46:44.480 --> 00:46:50.359
[MUSIC] If someone in Project Raven knew their target had an iPhone and wanted data off it,

00:46:50.359 --> 00:46:52.569
they might decide to use Karma.

00:46:52.569 --> 00:46:56.480
All you have to do is give Karma the phone number or e-mail address of your target.

00:46:56.480 --> 00:46:59.170
A text was then sent to that target’s phone.

00:46:59.170 --> 00:47:04.450
Here’s the craziest part; the user doesn’t even have to click on a link or do anything

00:47:04.450 --> 00:47:06.490
in order for this exploit to work.

00:47:06.490 --> 00:47:09.309
The text just has to get to the phone.

00:47:09.309 --> 00:47:14.510
Once it got to the phone, the exploit could then steal photos, e-mails, text messages,

00:47:14.510 --> 00:47:18.580
and location data all without user interaction.

00:47:18.580 --> 00:47:23.560
It really was an amazing tool for getting the data off these targets.

00:47:23.560 --> 00:47:27.910
It was too easy, even.

00:47:27.910 --> 00:47:32.700
We aren’t sure exactly how, but it looks like it was exploiting a flaw in Apple’s

00:47:32.700 --> 00:47:33.700
iMessage.

00:47:33.700 --> 00:47:37.580
By sending this crafted text through iMessage, it enables the exploit.

00:47:37.580 --> 00:47:41.970
In 2017, Apple pushed an update which made this tool much less effective.

00:47:41.970 --> 00:47:46.560
There isn’t a lot known about this tool, but even just this gives us a sense of what

00:47:46.560 --> 00:47:50.160
its capabilities were and what Project Raven had at its disposal.

00:47:50.160 --> 00:47:52.830
David told me he never used Karma himself.

00:47:52.830 --> 00:47:58.380
I wonder if that just means he told other people to use it.

00:47:58.380 --> 00:48:04.210
The UAE government terminated the contract with Project Raven and brought in a new contractor

00:48:04.210 --> 00:48:06.370
named DarkMatter.

00:48:06.370 --> 00:48:10.380
DarkMatter is a UAE company owned and operated by UAE citizens.

00:48:10.380 --> 00:48:16.829
The people who were at Project Raven had the option; either join DarkMatter

00:48:16.829 --> 00:48:18.420
or quit.

00:48:18.420 --> 00:48:23.370
About a quarter of them quit but the rest moved on to DarkMatter.

00:48:23.370 --> 00:48:27.030
Lori was one of the ones that moved on to DarkMatter.

00:48:27.030 --> 00:48:31.119
You have to understand Lori was working for government contractors for a while and the

00:48:31.119 --> 00:48:32.119
NSA.

00:48:32.119 --> 00:48:34.250
She’s used to doing this kind of clandestine work.

00:48:34.250 --> 00:48:36.130
In fact, she loves doing cyber-espionage.

00:48:36.130 --> 00:48:41.790
It’s what she’s good at and this was a good-paying gig so Lori kept at it.

00:48:41.790 --> 00:48:47.160
UAE was now working with DarkMatter to carry out these objectives and offensive intelligence

00:48:47.160 --> 00:48:48.160
operations.

00:48:48.160 --> 00:48:52.990
Lori continued to work for DarkMatter for a while and at one point she got a list of

00:48:52.990 --> 00:48:53.990
targets.

00:48:53.990 --> 00:48:59.180
When she looked at the list, she saw that some of them were Americans.

00:48:59.180 --> 00:49:04.010
[MUSIC] She looked up their occupation and saw these were American journalists.

00:49:04.010 --> 00:49:06.260
Oh, this made her sick to her stomach.

00:49:06.260 --> 00:49:10.690
She raised even more questions about this and started to say this isn’t right.

00:49:10.690 --> 00:49:12.610
DarkMatter put her on leave.

00:49:12.610 --> 00:49:18.059
They escorted her out of the building and had her passport revoked.

00:49:18.059 --> 00:49:24.400
That had to be extremely scary for her; to be in the UAE, upset with the UAE government,

00:49:24.400 --> 00:49:27.180
and to have your passport taken.

00:49:27.180 --> 00:49:30.859
She felt like she was probably now a target and being surveilled.

00:49:30.859 --> 00:49:33.860
She was stuck in this country with no way out.

00:49:33.860 --> 00:49:37.079
This had to be a very dark time for her.

00:49:37.079 --> 00:49:40.720
After two months, she was allowed to go back to America.

00:49:40.720 --> 00:49:45.820
Upon arriving in the States at the airport, the FBI agents questioned her and asked what

00:49:45.820 --> 00:49:47.760
US citizens were you spying on?

00:49:47.760 --> 00:49:50.050
But she refused to tell them anything.

00:49:50.050 --> 00:49:54.720
I think she thought she was under UAE surveillance still at that point, and it was all probably

00:49:54.720 --> 00:49:56.370
just so stressful.

00:49:56.370 --> 00:50:03.180
The FBI still, to this day, has an ongoing investigation about all this.

00:50:03.180 --> 00:50:07.480
They want to know whether or not classified information was given to the Emiratis, and

00:50:07.480 --> 00:50:13.089
if targeting US citizens actually happened because these are both clearly illegal and

00:50:13.089 --> 00:50:16.619
the FBI wants to know if these laws were broken.

00:50:16.619 --> 00:50:22.270
Still now, DarkMatter is operating and working with the UAE government and NISSA.

00:50:22.270 --> 00:50:27.730
They’re probably continuing to do all the espionage on behalf of the UAE government.

00:50:27.730 --> 00:50:29.809
You might be wondering how do I know all this?

00:50:29.809 --> 00:50:31.819
Well, David just told us, right?

00:50:31.819 --> 00:50:33.890
But he only told us some of the story.

00:50:33.890 --> 00:50:39.369
Back in January of this year, Lori came forward and told her whole story to Reuters.

00:50:39.369 --> 00:50:43.329
Journalists Christopher Bing and Joel Schectman took her story and fact-checked it against

00:50:43.329 --> 00:50:47.349
a lot of people including eight ex-Project Raven employees.

00:50:47.349 --> 00:50:51.619
Chris and Joel did an amazing job reporting this story and published it earlier this year.

00:50:51.619 --> 00:50:53.580
Of course, I fact-checked their story too.

00:50:53.580 --> 00:50:56.970
I made a lot of phone calls and wrote a lot of e-mails, and had some very interesting

00:50:56.970 --> 00:50:58.940
conversations about this whole story.

00:50:58.940 --> 00:51:03.481
I even called up an ex-NSA person that I know who has contacts in DarkMatter to learn a

00:51:03.481 --> 00:51:04.481
little more.

00:51:04.481 --> 00:51:07.950
Yeah, Reuters did a great job on this story and when the story came out, it made really

00:51:07.950 --> 00:51:08.950
big news.

00:51:08.950 --> 00:51:12.270
But the only one who allowed her name to be in the story was Lori.

00:51:12.270 --> 00:51:17.230
Now, for the first time, you heard a second person come forward; David.

00:51:17.230 --> 00:51:22.132
He has never spoken publicly about this until now which is pretty exciting to hear

00:51:22.132 --> 00:51:24.530
someone else tell us this inside story.

00:51:24.530 --> 00:51:26.809
It’s kind of a big deal.

00:51:26.809 --> 00:51:30.089
[MUSIC] I asked Rori what he thought of this story when he read it.

00:51:30.089 --> 00:51:35.829
RORI: I remember telling my partner about this story before it was going to come out.

00:51:35.829 --> 00:51:40.089
She obviously doesn’t think I’m a liar, but she thought it sounded a bit crazy and

00:51:40.089 --> 00:51:44.619
that maybe I had been duped into thinking that this had happened because of just how

00:51:44.619 --> 00:51:46.970
crazy it sounded.

00:51:46.970 --> 00:51:52.109
I had that response myself a little bit when the Reuters guys phoned me initially.

00:51:52.109 --> 00:51:58.049
I felt that even at that point, even with all my knowledge and experience of the

00:51:58.049 --> 00:52:02.220
UAE and the Gulf, I still felt that this side of it had gone a bit far.

00:52:02.220 --> 00:52:03.220
Like, really?

00:52:03.220 --> 00:52:07.589
Would they really have gone through this much effort to surveil me?

00:52:07.589 --> 00:52:10.650
I was still a bit surprised by it all.

00:52:10.650 --> 00:52:15.230
I was glad that it came out because I think that people should know the truth about a

00:52:15.230 --> 00:52:21.849
country that invests huge sums of money to portray itself as a friendly, open, global

00:52:21.849 --> 00:52:28.630
country that is tolerant and happy but in reality is nothing more than a tin-pot dictatorship

00:52:28.630 --> 00:52:35.690
with billions and billions of dollars to keep hold of power and lock up anyone who challenges

00:52:35.690 --> 00:52:36.690
them.

00:52:36.690 --> 00:52:40.250
That’s a really important thing to know when they’re a close ally of not only my

00:52:40.250 --> 00:52:44.250
country, the UK, but also America and other European allies.

00:52:44.250 --> 00:52:47.350
JACK: Do you think you’ll ever go to the UAE again?

00:52:47.350 --> 00:52:53.520
RORI: I wouldn’t feel comfortable going to the UAE even if the president of the country

00:52:53.520 --> 00:52:57.270
gave me a personal assurance that nothing would happen to me if I went there.

00:52:57.270 --> 00:53:01.380
Again, it’s not because I feel important or whatever; it’s just that I wouldn’t

00:53:01.380 --> 00:53:11.349
trust authorities to not harm me because they’ve so consistently done that to a whole range

00:53:11.349 --> 00:53:16.490
of people from petty criminals who’ve been there on drugs charges or written

00:53:16.490 --> 00:53:20.609
a cheque in bad faith, to political activists.

00:53:20.609 --> 00:53:25.480
I would never feel comfortable going to the UAE.

00:53:25.480 --> 00:53:30.780
JACK: Project Raven was a hacking unit working for a company called Cyber Point which is

00:53:30.780 --> 00:53:32.090
based in Baltimore.

00:53:32.090 --> 00:53:36.000
The CEO of Cyber Point was questioned about all this and flat-out said the mission of

00:53:36.000 --> 00:53:40.850
Project Raven was to help the Emiratis defend their network, very similar to what that Purple

00:53:40.850 --> 00:53:42.350
Meeting said they were doing.

00:53:42.350 --> 00:53:45.619
But perhaps the CEO didn’t actually know.

00:53:45.619 --> 00:53:50.299
Perhaps that unit was initially set up to do that but somehow transformed to become

00:53:50.299 --> 00:53:55.950
offensive all on its own without proper oversight from Cyber Point.

00:53:55.950 --> 00:53:59.720
David even said over time, the missions changed.

00:53:59.720 --> 00:54:04.069
This was a secret operation in the UAE; how much of a secret operation is really going

00:54:04.069 --> 00:54:06.940
to be reported back to Baltimore?

00:54:06.940 --> 00:54:12.010
DarkMatter has publicly said that this entire story written up in Reuters is false, made

00:54:12.010 --> 00:54:13.010
up.

00:54:13.010 --> 00:54:17.420
It’s defamatory and it’s unsubstantial and they deny any wrongdoing.

00:54:17.420 --> 00:54:23.540
Oh, and check this out; you might have a DarkMatter root certificate in your browser.

00:54:23.540 --> 00:54:28.200
In 2017, DarkMatter applied to be a sort of certificate authority.

00:54:28.200 --> 00:54:33.099
They wanted to issue SSL certificates to websites so those websites are secure.

00:54:33.099 --> 00:54:37.750
All major browsers granted DarkMatter the ability to become a certificate authority

00:54:37.750 --> 00:54:39.810
with provisional status.

00:54:39.810 --> 00:54:40.829
Ah!

00:54:40.829 --> 00:54:45.920
Yes, their root certificates were trusted in all our browsers.

00:54:45.920 --> 00:54:51.680
After that happened, DarkMatter approved 275 websites to be trusted but this year, that

00:54:51.680 --> 00:54:52.680
changed.

00:54:52.680 --> 00:54:56.940
When Reuters published that report, Firefox and Google read it and they saw what DarkMatter

00:54:56.940 --> 00:54:57.980
was doing.

00:54:57.980 --> 00:55:01.610
They decided to revoke that root certificate from being trusted.

00:55:01.610 --> 00:55:05.650
Now certificates from them will show up as untrusted sources.

00:55:05.650 --> 00:55:07.859
It helped the other browsers follow suit, too.

00:55:07.859 --> 00:55:12.150
While I was putting this episode together, I went to Black Hat, the security conference

00:55:12.150 --> 00:55:13.200
in Vegas.

00:55:13.200 --> 00:55:18.430
There, Natalie Silvanovich gave a presentation on exploiting iMessage.

00:55:18.430 --> 00:55:21.460
Let me tell you about Natalie because in my book, she’s amazing.

00:55:21.460 --> 00:55:24.640
Natalie works for Project Zero and Project Zero is amazing, too.

00:55:24.640 --> 00:55:26.599
It’s a project that Google started.

00:55:26.599 --> 00:55:30.600
Basically, the Project Zero team at Google has the job of finding vulnerabilities in

00:55:30.600 --> 00:55:32.630
software of any kind.

00:55:32.630 --> 00:55:34.780
It doesn’t have to be just Google vulnerabilities.

00:55:34.780 --> 00:55:38.000
It could be software with Microsoft or Apple or anything.

00:55:38.000 --> 00:55:43.480
Natalie works on this team and simply obsesses over finding vulnerabilities in software.

00:55:43.480 --> 00:55:48.119
After hearing about Karma and what this Project Raven was doing, she decided to take a deep

00:55:48.119 --> 00:55:52.760
dive and try to figure out how Karma could have worked because it’s really remarkable

00:55:52.760 --> 00:55:57.869
to just send a message to an iPhone and to get back pictures, texts, location, and more.

00:55:57.869 --> 00:56:00.790
Natalie began trying to exploit iMessage on the iPhone.

00:56:00.790 --> 00:56:05.730
I won’t go into how she found the bugs, but she found three vulnerabilities on the

00:56:05.730 --> 00:56:06.730
iPhone.

00:56:06.730 --> 00:56:09.869
Now, when someone at Project Zero finds a vulnerability, they tell the vendor and they

00:56:09.869 --> 00:56:11.840
give them ninety days to fix it.

00:56:11.840 --> 00:56:16.200
If it’s not fixed in ninety days, they’re gonna publicly disclose this vulnerability.

00:56:16.200 --> 00:56:20.160
Software companies had better move quickly once Project Zero tells them about the bugs.

00:56:20.160 --> 00:56:24.570
Natalie told Apple about these three bugs I think back in May of this year, then she

00:56:24.570 --> 00:56:25.570
waited.

00:56:25.570 --> 00:56:28.000
Apple acknowledged the bugs and patched their phones.

00:56:28.000 --> 00:56:31.789
Once that happened, Natalie published her report about the vulnerabilities found and

00:56:31.789 --> 00:56:34.440
gave a presentation on it at Black Hat.

00:56:34.440 --> 00:56:36.859
What she found was really interesting.

00:56:36.859 --> 00:56:41.740
It’s not the smoking gun and there’s no evidence that this is what Karma was or used,

00:56:41.740 --> 00:56:43.319
but it might be.

00:56:43.319 --> 00:56:48.010
Basically, Natalie found that if you send a zip file to an iPhone, the iPhone then tries

00:56:48.010 --> 00:56:53.460
to peek inside it to look at the object file within it and then display on the iPhone what

00:56:53.460 --> 00:56:54.990
kind of files are in there.

00:56:54.990 --> 00:56:59.710
It does this automatically without the user even trying to open the file or click anything.

00:56:59.710 --> 00:57:03.900
Here’s the crazy part; when your iPhone gets this file and looks inside it, it looks

00:57:03.900 --> 00:57:10.079
at this object file inside it which can instruct your phone to go to a URL without the user

00:57:10.079 --> 00:57:11.539
clicking anything.

00:57:11.539 --> 00:57:17.010
This alone is useful information; just by visiting a URL you get that phone’s IP address

00:57:17.010 --> 00:57:19.609
and other metadata about the browser type.

00:57:19.609 --> 00:57:22.300
This could give you a rough idea of where that person is.

00:57:22.300 --> 00:57:26.770
But on top of that, it’s requesting a certain thing from that URL and if you send it back

00:57:26.770 --> 00:57:32.060
a malicious payload to execute, you could do extra stuff to the phone that you shouldn’t

00:57:32.060 --> 00:57:33.859
be able to do.

00:57:33.859 --> 00:57:38.880
This is a fascinating exploit but it doesn’t quite capture all the texts and pictures.

00:57:38.880 --> 00:57:44.990
But remember that Apple did a patch to iMessage back in 2017 which Project Raven operatives

00:57:44.990 --> 00:57:47.730
said made Karma less effective.

00:57:47.730 --> 00:57:54.869
Hm, now that Natalie has found three vulnerabilities in the iPhone, hopefully this

00:57:54.869 --> 00:57:57.200
makes Karma completely useless.

00:57:57.200 --> 00:57:59.410
We don’t know for sure.

00:57:59.410 --> 00:58:03.530
Now, I wanted to give the last word to David because one of the main reasons why he wanted

00:58:03.530 --> 00:58:07.599
to come on and share this story is because he wants to give a warning to anyone accepting

00:58:07.599 --> 00:58:12.950
foreign contract work; if a recruiter comes to you with a high-paying job in another country,

00:58:12.950 --> 00:58:15.060
you might want to think twice about it.

00:58:15.060 --> 00:58:18.369
DAVID: I guess my encouragement from that perspective is if you are transitioning out

00:58:18.369 --> 00:58:26.260
of a space like, you know, from a technical or offensive space and you hear of a job tailing,

00:58:26.260 --> 00:58:29.230
go ahead and take this job over there and do this ‘cause it’s gonna mean it’s

00:58:29.230 --> 00:58:32.000
a low-level networking position.

00:58:32.000 --> 00:58:38.680
Just understand and know that what you’re signing up for may not be actually what you’re

00:58:38.680 --> 00:58:39.680
doing.

00:58:39.680 --> 00:58:45.079
Where you’re gonna go, what you’re being promised, or what the job description is – is

00:58:45.079 --> 00:58:49.060
more if you’re going overseas, it’s more than likely not what you’re gonna do.

00:58:49.060 --> 00:58:53.609
Creating a safety net for yourself is really the right way forward.

00:58:53.609 --> 00:58:57.660
Say for instance, if you’re married and you’re gonna go take a foreign job and you

00:58:57.660 --> 00:59:00.960
don’t actually know what you’re gonna be doing, then go without your spouse for

00:59:00.960 --> 00:59:01.960
the first couple weeks.

00:59:01.960 --> 00:59:04.770
Kind of see, go over there and fill it out.

00:59:04.770 --> 00:59:09.059
That way if you do have to leave and you have to leave in a hurry, you’re not buying two

00:59:09.059 --> 00:59:11.800
plane tickets out of a country; you’re only buying one.

00:59:11.800 --> 00:59:18.420
Or if you’re deciding this is not the right space for you, then you can leave significantly

00:59:18.420 --> 00:59:20.349
faster.

00:59:20.349 --> 00:59:26.690
If you are going over a certain spot and you have experience doing things and people contact

00:59:26.690 --> 00:59:32.359
you and reach out to you that you don’t know, you’ve never heard of before, especially

00:59:32.359 --> 00:59:39.070
if it’s a foreign contracting vehicle, if it’s not an American contracting company,

00:59:39.070 --> 00:59:41.140
that should of course be a significant red flag.

00:59:41.140 --> 00:59:47.900
If you’re being recruited for DarkMatter and you have any type of cyber or offensive

00:59:47.900 --> 00:59:59.400
background in the cyber-security world, chances are you’re not going to be doing what you

00:59:59.400 --> 01:00:06.730
think you’re doing.

01:00:06.730 --> 01:00:21.220
JACK (OUTRO): [OUTRO MUSIC] A big thank you to David for being brave enough to come forward

01:00:21.220 --> 01:00:22.220
with this story.

01:00:22.220 --> 01:00:23.220
Amazing, amazing.

01:00:23.220 --> 01:00:26.770
Thanks so much to Rori Donaghy for sharing his story.

01:00:26.770 --> 01:00:30.599
Also, thanks to Christopher Bing and Joel Schectman from Reuters.

01:00:30.599 --> 01:00:35.700
Their article is titled Inside the UAE’s Secret Hacking Team of American Mercenaries.

01:00:35.700 --> 01:00:38.520
That article is amazing and you should all check it out.

01:00:38.520 --> 01:00:42.480
It’s got the floorplan of the villa and it goes into so much more detail.

01:00:42.480 --> 01:00:44.349
Of course, thank you to Lori Stroud.

01:00:44.349 --> 01:00:49.020
None of this would even be known if it wasn’t for your bravery bringing all this to the

01:00:49.020 --> 01:00:50.020
light.

01:00:50.020 --> 01:00:53.589
For show notes and links, check out darknetdiaries.com and while you’re there, you might as well

01:00:53.589 --> 01:00:56.820
check out the shop where you can buy stickers and shirts and trust me, it’ll make your

01:00:56.820 --> 01:01:00.010
friends jealous if you have one of these and you’ll also look really good in one of the

01:01:00.010 --> 01:01:01.260
shirts from there.

01:01:01.260 --> 01:01:04.829
This show is created by me, the Pewlett Hackard, Jack Rhysider.

01:01:04.829 --> 01:01:10.289
Editing help this episode was by the .matrix Damienne and the theme music is by the helmet-wearer,

01:01:10.289 --> 01:01:11.670
Breakmaster Cylinder.

01:01:11.670 --> 01:01:15.770
Even though my name is probably put on a list somewhere within DarkMatter, whenever I say

01:01:15.770 --> 01:01:20.980
it, this is Darknet Diaries.
