Scrolling through my social media feeds in the third week of September 2021 I came across a story about Project Raven. Three people Marc Baier, Ryan Adams, and Daniel Gericke who are either former intelligence operators or Military from the United States were levied heavy fines by the Department of Justice and are forbidden to ever seek out a security clearance for life. This was a deal to avoid prosecution for their crimes. What were their crimes? They participated in the most unethical hacking I have ever heard about. Working for a company in the United Arab Emirates, known as DarkMatter Group, they were an elite red team working on behalf of the Emirati government to spy on its own citizens, Emeriti enemies, and even the networks of the United States. But why is this the most unethical hacking in my opinion? Because of their hacking, human rights activists were tortured and imprisoned. Hacking does not exist in a vacuum. It is not just a challenge to test one’s limits of their technical acumen. It has real effects on real people, and Project Raven led to real human suffering.
Set the Wayback machine for the first years of the second decade of the 21st century. Cyber Warfare was becoming the new battlefield for the 21st century, and countries all over the world were getting started in an arms race for not only defensive capabilities but offensive as well. Governments were using corporate contractors, often filled with former feds. Edward Snowden perhaps being the most well-known of these types of contractors, before his whistleblowing he worked for one such contractor, Booz Allen that gave him access to all the secrets he was about to spill. Remember that name, it will come up again. These contractors did not just work for the American Government but provided malware and attack vectors to other governments equipping countries with cyberweapons sold to anyone that had the coin by those that could obtain a license to export technology and train foreign governments in cyber defense and policy. In September of 2012, one such company, Cyberpoint, obtained a license to train the government of the United Arab Emirates in Cyberdefense — blue team sort of stuff, however, the UAE had other designs.
Cyberpoint did not stick to blue team type defense such as firewalls, intrusion detection systems, or other defensive strategies, but what is known, thanks to whistleblower Lori Stroud (who actually recruited Edward Snowden into Booz Allen’s team contracted to the NSA, giving Snowden access to even more classified material – the perceived disgrace from this turn of events was the reason she left the NSA and went to work for Project Raven) this was the “unclassified cover story” for Project Raven to hide their red team style offensive exploits and penetration for the Emirati government. It was perhaps the UAE’s desire to have more control and do things in-house that in 2016 the Emirati company DarkMatter took over the contracting for Project Raven, and the Cyberpoint contractors, if they wanted to keep their lucrative jobs in tax-free Dubai moved to DarkMatter. At the time, it was felt that DarkMatter had poached the United States talent working for Cyberpoint.
DarkMatter for all intents and purposes appeared to be an Emirati company, but in fact, they were part of the Emirati government, specifically The National Electronic Security Authority (NESA), the Emirati equivalent of the United States’ NSA. These were state actors pretending to be a cybersecurity firm, and they were recruiting. They went to Cybersecurity conferences such as RSA in San Francisco and Blackhat in Las Vegas looking for elite hackers to fill their roster by promising six-figure salaries, housing, and a tax-free lifestyle in Dubai. Maybe if you were at Blackhat you came home with some DarkMatter swag. Many hackers took up DarkMatter on
their offer, getting a major payday, but what was the cost?
To put it bluntly, the UAE wanted hackers to build and implement a surveillance state that could be described as “1984 on steroids”. Blanketing the country with probes that could hijack cellular signals, do man-in-the-middle attacks, and inject malware they would be able to intercept all cell phone communication in Abu Dhabi and Dubai, and with the press of a button pwn all the
phones in a specific area like a shopping mall on the mere suspicion of a single suspected terrorist or dissident that may be there. One may argue that every government participates in some form of a surveillance state, including the United States. The difference is even though DarkMatter told its hackers that they were fighting the very real threat of terrorism, they also were spying on what the UAE considers dissidents. It should be pointed out here that the UAE does not have freedom of speech. There are no first amendment protections in the UAE and no exceptions for Americans working in their spy program. The watchers are definitely being
watched. Criticism of the government is a punishable offense. Speaking for human rights protections could very well get you disappeared, tortured, secretly tried, and imprisoned. The hacking taking place under the aegis of Project Raven in fact did lead to these outcomes.
The tool that got the most press in early 2019 when Reuters broke the story is called Karma. It used an exploit in iMessage for iPhones that just by sending a text message that didn’t have to be read or otherwise interacted with, the cyberweapon compromised the phone giving Project Raven hackers access to the device. It sounds a lot like the tool known as Pegasus that is also in the news lately and Apple recently pushed patches to fix it. However, in my research, I have not been able to determine if Karma and Pegasus are indeed the same tools, but the similarity of the exploit is uncanny. iMessage is such a desirable vector for exploits as it is guaranteed to be on every Apple device out there. And because of Apple’s closed system, Apple users cannot opt out of this application.
Hackers love freedom, often expressing this in free speech and free software. Many hackers believe in the sovereignty of their own lives and their choices. However, if we are going to exercise this freedom, we must temper it with the responsibility for the consequences of our actions. No matter how isolated or sandboxed you think your hacking is, none of us is an island. Our choices ripple out and affect those that we may not even realize or have the vision to see. People exist within our sphere of influence and beyond the horizon of what we can see. We must not remain ignorant of the impact of our hacking. What does our own freedom mean if we are taking away the freedom of others? Can we really say we are advocates of liberty if we do not work to ensure liberty for all instead of selfishly looking inward and thinking we got ours, and screw everyone else?
Hackers exist in a community of like-minded individuals with a diversity of opinions, skills, and goals. We form collectives to work together to achieve our goals, be it an open-source project, presenting at a conference, or writing for this website. We may see hackers as an in-group and those outside our community as “other”, but in truth, we are all connected, every single one of us. Human beings create technology in order to be connected and interconnected with other human beings, especially in the realm of communication. From things like smoke signals, drumming across distances, running between cities with messages, postal systems, the
telegraph, the telephone, radio, and television, and finally the internet, humanity has increased our connection with one another to facilitate the sharing of information and understanding of one another.
But there is also a dark side. Human beings have used technology more and more to divide. To foment terrorism, spread misinformation, and facilitate fascism. The hackers of Project Raven were some of those individuals, under the aegis of the Emirati government, to squelch free speech, which is the lowest form of fascism, and facilitate torture of human rights activists which
is well into the realm of authoritarianism. Technology can facilitate freedom and technology can also enable tyranny. Even though some technology is utilized for good or ill, technology is not ethics neutral. There are some applications that are always unethical, immoral, and I will say it, evil.
Some of the dark side hackers for DarkMatter were ex-feds, while giving lip service to the founding principles of the United States, they were more than willing for a big payday to set these aside both in their work for the United States and Emirati Governments. We know Lori Stroud, the Project Raven whistleblower was just fine with the NSA spying on everyone as Edward Snowden revealed, while participating in it, but only drew the line when the Emirati equivalent, NESA spied on fellow Americans using Project Raven. She was already accustomed to facilitating the compromising of devices of journalists, human rights activists, and foreign governments around the world, and the torture of Emirati dissidents in exchange for six tax-free figures. Stroud knew she was a spy but thought she was a “good” intelligence officer. Fine to do to brown folks in the Middle East, to people who were “other”, but when it was to Americans, her perceived in-group she suddenly found scruples for what she was doing. Her hacking had a real human cost. But at least she eventually contacted the FBI about Project Raven and Reuters did the initial investigative journalism that brought it all to light. Marc Baier, Ryan Adams, and Daniel Gericke cut a deal to pay a fine for breaking US hacking laws and prohibitions for selling military technology to avoid prosecution this does not undo the damage they have done. They used their technical acumen, access to high technology, and their ability as hackers to cause real harm — real human suffering because of their hacking.
It is a common story. Though I am merely a competent hacker, and not a superstar, puttering around more as a hobbyist and technological idealist than an InfoSec worker (the closest being Sysadmin jobs in Amsterdam and California back in the ’90s), I have often been approached to do something unethical when people find out I am a hacker, and I am sure many readers of this
website have as well. What we decide to do matters. It would behoove us not to just hack code, but to have a moral code of what we are willing to do and not to do. If we are going to cause harm, who are we causing harm to? Sometimes Justice demands direct action, but if we are not careful, some company can wave a fat wad of cash under our noses, and we compromise our values and through our skills become an agent of injustice. Or maybe we do something “just to see if it can be done”. We have all been there, hackers are curious creatures, but we must not allow our curiosity to bring actual harm or suffering to other human beings unjustly. We must build an awareness of the influence hacking can have on individuals and organizations. We can use hacking for righteous causes, or like the hackers of Project Raven, for great evil. The choice is yours. Choose wisely.