Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Network Security

2/1/2019
07:00 AM
Joe Stanganelli
Joe Stanganelli
Joe Stanganelli
50%
50%

UAE's Cyberwar on Civilians Employed Former US Intelligence Operatives

A recent expose about a surveillance program in the United Arab Emirates raises uncomfortable questions about cyberwarfare and US intelligence officers.

On Wednesday morning, Reuters's UK bureau reported on former NSA agents and other former US intelligence operatives turning mercenary for the UAE -- on a cyber black-ops mission dubbed Project Raven.

According to the report, Raven's secret purpose was to hack the devices and accounts of nation-state enemies. But we're not talking about hacking superpowers or rival Middle Eastern countries; we're talking about individuals -- including not only government officials and terrorists, but also human-rights activists, journalists and run-of-the-mill critics of the UAE.

"Some days it was hard to swallow, like [when you target] a 16-year-old kid on Twitter," said Lori Stroud, an American who had worked for the NSA before becoming a Raven operative.

Targeting individuals Virtually any private individual or organization in the world was fair game for Raven's crosshairs -- as is increasingly the case for cyberwar globally. Sometimes it's to throttle dissent. Sometimes it's to seek revenge. Often it's to find nuggets of valuable political intelligence or intellectual property -- tidbits more easily cyber-extracted from less-aware private targets than from highly guarded government agencies or military mega-contractors.

Frequently, nation-state hackers directly go after the personal devices of individuals in targeted strikes. In particular, Reuters reports, beginning in 2016, Raven operatives used Karma, an exploit of Apple's iMessage system, to hack into hundreds of iPhones at a time. This allowed them to target iPhones by phone number or email address and then siphon out emails, text messages, photos, location data and passwords.

Third-party compromises
More and more, however, these operations take a scorched-earth approach by hacking a third-party organization that has the individual's data -- such as the individual's employer or a company with whom they've done business.

For example, US intelligence reportedly indicates that, since at least 2014, China has been building and maintaining a database of the identities, habits and other personal information of individuals across both the public sector and the private sector who have security clearances. News reports have linked these efforts to a series of breaches dating back to 2014, including those against Anthem and Marriott, respectively. (See: China Suspected of Massive Marriott Data Breach Report.)

In 2015, hackers -- traced back to China -- breached the University of Virginia's systems, specifically targeting two employees conducting work involving China. Similarly, in 2016 and 2017, Harvard University -- which has had faculty members advising the US government and other governments -- was "explicitly" the target of state-sponsored attacks.

"They're not even interested in Social Security numbers and IDs and things like that," said Rainer Fuchs, the then just-retired CIO of Harvard Medical School, speaking at the 2017 Bio-IT World Conference. "They're interested in using us as a jump-off point to other places they can penetrate."

Threats from within? The upshot is that civilian companies and individuals are practically compelled to be on cyberwar defense against foreign nation-states -- making security education and threat sharing exponentially more important. More ominously, however, civilians may face this kind of cyber terror threat from actors within or once within their own government (Edward Snowden's NSA leaksaside).

Raven, for its part, repeatedly caught Americans in its net of targets. Raven's American operatives were contractually forbidden from targeting American citizens or companies. Nonetheless, Stroud described seeing on Raven's systems information about Americans that had previously been flagged for deletion, active target requests on Americans, and a specific designation for American targets. When she repeatedly raised concerns, Stroud was forced out of her job.

Per the report, while a 2014 agreement between the US State Department and the security company staffing the Raven operation prohibited the Raven operatives (American and Emirati alike) from using Raven "to Exploit US Persons", State Department approval was also contingent upon the NSA granting specific approval before Raven operatives could even deliver a presentation about a proposed hack.

But as Reuters describes it, it is unclear if these actions were blessed by the US government -- even if only through willful ignorance. American Raven operatives were allegedly told that their work on Raven was being done with the NSA's blessing. American operatives further told Reuters that they would do pretty much everything except "press the button" -- leaving the actual attacks to their Emirati counterparts, for "plausible deniability". The American operatives additionally described being directed to develop drive-by malware that would infect a device visiting a given target website -- regardless of whether or not the website traffic originated from the US.

The FBI has been investigating Stroud and her American cohorts since at least 2016 to determine if they shared classified US surveillance methods, targeted American systems, or otherwise broke US law.

The saga raises uncomfortable questions as to what extent former US intelligence officers have gone turncoat -- and to what extent the federal government may have allowed cyber attacks against Americans to happen. In what's known as a trickle-down effect, what goes around comes around in cyberwarfare; the expertise that a people's government uses to defend them tends to gradually become turned against them.

Related posts:

—Joe Stanganelli is managing director at research and consulting firm Blackwood King LC. In addition to being an attorney and consultant, he has spent several years analyzing and writing about business and technology trends. Follow him on Twitter at @JoeStanganelli.

 

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/2/2020
Ripple20 Threatens Increasingly Connected Medical Devices
Kelly Sheridan, Staff Editor, Dark Reading,  6/30/2020
DDoS Attacks Jump 542% from Q4 2019 to Q1 2020
Dark Reading Staff 6/30/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-9498
PUBLISHED: 2020-07-02
Apache Guacamole 1.1.0 and older may mishandle pointers involved inprocessing data received via RDP static virtual channels. If a userconnects to a malicious or compromised RDP server, a series ofspecially-crafted PDUs could result in memory corruption, possiblyallowing arbitrary code to be executed...
CVE-2020-3282
PUBLISHED: 2020-07-02
A vulnerability in the web-based management interface of Cisco Unified Communications Manager, Cisco Unified Communications Manager Session Management Edition, Cisco Unified Communications Manager IM & Presence Service, and Cisco Unity Connection could allow an unauthenticated, remote attack...
CVE-2020-5909
PUBLISHED: 2020-07-02
In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, when users run the command displayed in NGINX Controller user interface (UI) to fetch the agent installer, the server TLS certificate is not verified.
CVE-2020-5910
PUBLISHED: 2020-07-02
In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, the Neural Autonomic Transport System (NATS) messaging services in use by the NGINX Controller do not require any form of authentication, so any successful connection would be authorized.
CVE-2020-5911
PUBLISHED: 2020-07-02
In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, the NGINX Controller installer starts the download of Kubernetes packages from an HTTP URL On Debian/Ubuntu system.