(Reuters) – Two weeks after leaving his position as intelligence analyst for the US Security Agency in 2014, Lori Stroud was in the Middle East as a hacker for an Arab monarchy.
She had joined Project Raven, a secret law that included more than a dozen former US intelligence officials recruited to help the United Arab Emirates participate in oversight of other governments, military and human rights activists critical of the monarchy.
Ms. Stroud and her team, working from a remodeled mansion in Abu Dhabi, known internally as the "Villa," would use methods learned from a decade in the US intelligence community to help the UAE hack into their enemies and computers.
Miss. Stroud had been recruited by a Maryland cybersecurity contractor to help Emirates launch hacking business, and for three years, she enjoyed working. But in 201
"I work for a foreign intelligence agency that targets American people," she told Reuters. "I'm officially the bad type of spy."
The story of Project Raven reveals how former US government hackers have been using state-of-the-art cyber-espionage tools on behalf of a foreign intelligence agency who spies on human rights activists, journalists, and political rivals.
Interviews with nine former Raven operators, along with a review of thousands of pages of project documents and emails, show that surveillance techniques taught by the NSA were central to the UAE's efforts to monitor opponents. The sources interviewed by Reuters were not emirate citizens.
The workers used an arsenal of cyber tools, including a spying platform called Karma, where Raven operators say they hacked into iPhones by hundreds of activists, political leaders, and suspected terrorists. Details of the karma hack are described in a separate Reuter article today.
A spokesman from the NSA refused to comment on the Raven. An Apple spokesman refused to comment. A spokesman for the UAE Foreign Ministry refused to comment. The UAE Embassy in Washington and a spokesman for its National Media Council did not respond to the request for comment.
The UAE has said it is facing a real threat to violent extremist groups and is cooperating with the United States on the fight against terrorism. Former Raven operators say the project helped NESA break up an ISIS network within the Emirates. When an ISIS-inspired militant killed a teacher in Abu Dhabi in 2014, the operators said Raven spat the UAE effort to judge whether other attacks were imminent.
Various reports have highlighted the ongoing cyber weapon race in the Middle East, which the emirates and other nations are trying to sweep up hacking weapons and personnel faster than their rivals. The Reuters survey is the first to reveal the existence of Project Raven, which provides a rare account of state hacking operations commonly held in secrecy and denials.
The Raven story also provides a new insight into the role of former US cyber spies overseas hacking business. Within the US intelligence community, one sees as a treason that one leaves to act as an operator for another country. "There is a moral obligation if you are a former intelligence officer from becoming a mercenary for a foreign government," said Bob Anderson, who served as director of the Federal Bureau of Investigation until 2015.
Although this activity increases ethical dilemmas , US national security lawyers say the laws that govern US intelligence officials can do overseas are shady. While it is illegal to share classified information, there is no specific law that prevents entrepreneurs from sharing more generally spycraft know-how, such as how to target a virus-laden e-mail message.
However, the rules are clear on hacking in the US network or stealing Americans communication. "It would be very illegal," said Rhea Siers, former deputy assistant assistant director of politics.
The hacking of Americans was a tightly kept secret even within the Raven, with the operations being led by Emiratis instead. Ms Stroud's account of the Americans' direction was confirmed by four other former operators and by e-mails reviewed by Reuters.
The FBI is now investigating whether the Ravens US staff leaked classified US surveillance techniques and whether they were illegally targeting US data networks, according to former Raven employees interviewed by federal law enforcement agents. Miss Stroud said she was working with that study. No fees have been submitted and it is possible that no one will arise from the investigation. An FBI spokeswoman refused to comment.
Lila briefing, black briefing
Ms. Stroud is the only former Raven operator willing to be named in this story; Eight others who described their experiences would do so only on the condition of anonymity. She spent a decade at the NSA, first as a military officer from 2003 to 2009 and later as an entrepreneur in the agency of the giant engineering consultant Booz Allen Hamilton Inc. from 2009 to 2014. Her specialty hunted for vulnerabilities in the computer system of foreign governments, such as China. and analyze which data should be stolen.
In 2013, her world changed. Stroud says she had a fateful recommendation to take a Dell technician already working in the building on her team. That entrepreneur was Edward Snowden.
"He's the former CIA, he's local, he's already cleared," Stroud said, 37, "He's perfect!" Booz and NSA would later approve Mr. Snowden's transfer, giving him even greater access to classified material.
Two months after joining Stroud's group, Mr. Snowden in the United States and passed thousands of pages of top secret program files to journalists, describing the agency's massive data collection program. Stroud said her Booz team was lethargic so that they would inadvertently allow the biggest security breach in the agency's history.
"Our brand was destroyed," she said of her team.
In the wake of scandal, Marc Baier, a former colleague of the NSA Hawaii, offered her the chance to work for a contractor in Abu Dhabi called CyberPoint International LLC. In May 2014, Ms. Stroud on the opportunity and left Booz Allen.
CyberPoint, a small cyber security company headquartered in Baltimore, was founded by a contractor named Karl Gumtow in 2009. Its customers have included the US Department of Defense, and its UAE business has received media attention.
In an interview, Gumtow said his company was not involved in any undue actions.
Ms. Stroud had already made the transition from the state employee to entrepreneur Booz Allen, who mainly performs the same NSA job at higher salary. Taking a job with CyberPoint would fulfill a lifelong dream of distributing to the Middle East and making it a lucrative salary. Many analysts, such as Mrs Stroud, paid more than $ 200,000 a year and some managers received wages and salaries over $ 400,000.
She understood that her new job would mean a counter-terrorism mission in collaboration with the Emirate, a near US ally in the fight against ISIS, but a little else. Mr. Baier and other Raven executives assured her that the project was approved by the NSA, she said. With Baiers impressive CV, including the time in an elite NSA hacking unit called tailor-made Access Operations, the mortgage was convincing. Baier did not answer several phone calls, text messages, email messages and social media messages.
In the very secretive, compartmentalized world of intelligence, it is not uncommon for recruiters to retain the mission and client from potential employment until they sign documents that are not disclosed and go through a merger process.
When Ms. Stroud for the first time entered Villa for the first time in May 2014, Raven Management gave two separate briefings, back-to-back
In the first, known internally as "Lila briefing", she said that she was told that Raven would pursue a purely defensive mission, protecting the UAE government from hackers and other threats. Shortly after the conversation, she concluded that she was told that she had just received a cover story.
She then got the "Black briefing", a copy that was reviewed by Reuters. The raven is "the offensive, operational division of NESA and will never be recognized by the public," the black note says. NESA, or the National Electronic Security Authority, was the UAE version of the NSA.
Ms. Stroud would be part of Raven's analysis and goal development store, the task to help the government profile its enemies online, hack them and collect data. These goals were provided by the client, NESA, now called the Signal Intelligence Agency.
The language and confidentiality of the briefings reflected near her experience at the NSA, Stroud said, giving her a level of comfort.
The information shaded by Raven was to feed a security device that has drawn international criticism. The Emirates, a rich federation of seven Arab sheikhdoms with a population of 9 million, is an ally of Saudi Arabia and Iran's rival.
Like the two regional forces, the UAE has been accused of suppressing freedom of speech, imprisoned dissidents and other abuse of groups such as Human Rights Watch. The UAE says it is working closely with Washington to combat extremism "beyond the battlefield" and promotes efforts to counteract the "root causes" of radical violence.
The Ravens goal would eventually include militants in Yemen, foreign opponents such as Iran, Qatar and Turkey, and individuals who criticized the monarchy, Ms Stroud said, and eight other former Raven operations. Their accounts were confirmed by hundreds of Raven program documents reviewed by Reuters.
According to regulations of the UAE government, former operators said the Raven would oversee social media and direct the people the security forces felt had insulted the government.
"Some days it was difficult to swallow, as [when you target] a 16-year-old child on Twitter," she said. "But it's an intelligence mission, you're an intelligence operation. I've never done it personally."
The Americans identified vulnerabilities in selected goals, developed or procured software to implement the intrusion, and helped monitor them, former Raven employees said. . But an Emirati operation would usually press the button on an attack. This arrangement was intended to give the Americans "credible denial" of the nature of the work, the former Raven members.
Targeting Gyro and Egret
Ms. Stroud discovered that the program was aimed not only at terrorists and foreign authorities, but also at dissidents and human rights activists. The Emirates categorized them as national security targets.
Following the Arab Spring Protests and the extermination of Egyptian President Hosni Mubarak in 2011, the emirate security forces saw human rights advocates as a major threat to "national stability", records and interviews.
One of the program's main goals in 2012 was Rori Donaghy, according to previous Raven operations and program documents. Donaghy, then 25, was a British journalist and activist who wrote articles critical to the country's human rights record. In 2012, he wrote an opinion article for the Guardian who criticized the UAE government's activist breakdown and warned that, if it continued, "those in power are facing an uncertain future".
Prior to 2012, the former operators said the emerging UAE intelligence -Gathering function was largely due to the fact that the Emir agents entered the home for goals while away and physically placed spyware on computers. But when the Americans built up the Raven, the remote hacking of the Donaghy entrepreneurs offered an exciting profit that they could present to the customer.
Due to sensitivity over human rights violations and press freedom in the West, the operation against a journalist activist was a gamble. "The potential risk for the UAE government and diplomatic relations with Western power is great if the operation can be traced back to the UAE," says the 2012 program document.
To get close to Donaghy, a Raven operator should try to "congratulate on the goal by adopting similar beliefs", they wrote the cyber mercenaries. Donaghy would be "unable to resist a conviction of this type," they believed.
Positive as a single human rights activist, Raven operators emailed Donaghy and asked their help to "bring hope to those who suffer long, said the email.
The operationally convinced Donaghy to download software he claimed would make messages "Difficult to track. In reality, malware allows the Emirates to continuously monitor Donaghy's email account and Internet browsing. The monitoring against Donaghy, which was coded by Gyro, continued under Ms Stroud and was a top priority for the United States for years," Stroud said. 19659002] Mr. Donaghy eventually became aware that his email had been hacked in. In 2015, he contacted a security researcher at Citizen Lab, a Canadian human rights and digital privacy group, who discovered that hackers were trying to break their computer for years.  Achieved by telephone in London, Mr. Donaghy, now a graduate student who exercises Arabic studies, expressed surprise, he was considered a top national security target for five years. Donaghy confirmed that he was targeting the techniques described in the documents.
"I'm glad my partner is here when I talk on the phone because she wouldn't believe it," he said. Told the hackers were US mercenaries working for the UAE, a British citizen Donaghy, expressed surprise and disgust. "It feels like a betrayal of the alliance we have," he said.
Ms. Stroud said her background as an intelligence operation made her comfortable with human rights as long as they were not Americans. "We work on behalf of this country's government, and they have specific intelligence goals that are different from the United States, and understandably so," Stroud said. "You live with it."
The foremost Emirati activist Ahmed Mansoor, with the codename Egret, was another target, said former Raven operations. This year, Mr. Mansoor publicly criticized the war in Yemen, the treatment of migrant workers and the detention of political opponents.
In September 2013, Raven presented senior NESA officials with materials taken from Herroor's computer and boasting the successful collection of evidence against him. It contained screenshots of emails where Mr Mansoor discussed a forthcoming demonstration in front of the UAE Federal Supreme Court with family members of detained dissidents.
Raven told UAE security forces Mr Mansoor had photographed a prisoner he was imprisoned for prison policy, "and then tried to destroy the evidence on his computer," a Powerpoint presentation reviewed by Reuters said.
Citizen Lab published research in 2016 and shows that Mansoor and Donaghy were targeted at hackers – with researchers speculating that the UAE government was the most likely offender. Concrete evidence of who was responsible, details of the use of US operations and first hand accounts from the hacking team are reported here for the first time.
Mr. Mansoor was sentenced in a secret trial in 2017 to hurt the country's unity and was sentenced to 10 years in prison. He is now being held in solitary confinement, his health is diminishing, a person familiar with the matter said.
Mr. Mansoor's wife Nadia has lived in social isolation in Abu Dhabi. Neighbors avoid her from fear as security forces are watching.
They are correct. In June 2017, Raven had dropped into his mobile device and gave her the code name Purple Egret, program document reviewed by the Reuters show.
To do so, Raven utilized a powerful new hacking tool called Karma, which allowed operators to break into iPhones by users around the world.
Karma got Raven to get email, location, text messages and photos from iPhones simply by uploading lists of numbers to a preconfigured system, five former project employees said. Reuters had no contact with Mr Mansoor's wife.
Karma was particularly potent because it did not require a goal to click on any link to download malware. The operators understood the hacking tool to rely on an unprotected vulnerability in Apple's iMessage text messaging program.
During 2016 and 2017, it would be used against hundreds of targets in the Middle East and Europe, including the documents of the Qatar, Yemen, Iran and Turkey governments. Raven used Karma to hack an iPhone used by the Emirates in Qatar, Sheikh Tamim bin Hamad al-Thani, as well as related-line phones and his brother. Qatar's embassy in Washington did not respond to requests for comment.
What Washington knew
Earlier Raven operations believed they were on the right side of the law because they said regulators told them the mission was blessed by the US government.
Although the NSA was not involved in the day-to-day business, the Agency approved and regularly informed the Raven's business, they said Mr Baier told them.
CyberPoint founder Mr. Gumtow said his company was not involved in hacking.
"We didn't do offensive operations. Period," Gumtow said in a telephone interview. "If someone did something rogue, it is painful for me to believe that they would do it under our banner."
Instead, he said that the company trained the emirates to defend itself through a program with the country's Interior Ministry. 19659002] A review of internal Raven documents shows that Gumtow's description of the program as the Advisory Home Office on cyber defense matches an "unclassified cover story". Raven operators were instructed to provide when asked about the project. Raven employees learned that they were working for the information technology and interoperability office, the program document said.
Providing sensitive defense technology or services to a foreign government generally requires special licenses from US government and trade departments. Both authorities refused to comment on whether they issued such licenses to CyberPoint for their operations in the UAE. They added that human rights considerations are included in such approvals.
But a government department agreement for 2014 with CyberPoint showed that Washington understood that entrepreneurs helped launch Cyber Surveillance Operations for the UAE. The approval document explains that CyberPoint's contract is to work with NESA in the "UAE's sovereignty" through "gathering information from communications systems inside and outside the UAE" and "monitoring analysis."
Part of the State Departmental Approval States CyberPoint must obtain specific approval from the NSA before submitting any "Network Utilization or Attacks" presentations. Reuters identified dozens of such presentations. Raven told NESA about attacks on Donaghy, Mr. Mansoor and others. It is unclear whether the NSA approved the Ravens business against specific goals.
The agreement clearly prohibited CyberPoint employees from targeting US citizens or businesses. As part of the agreement, CyberPoint promised that its own staff and also the Emirati staff supporting the program "will not be used to exploit US people, ie US citizens, resident aliens or US companies." "Sharing classified US information, controlled military technology, or US government intelligence was also prohibited.
Mr. Gumtow refused to discuss the specifics of the agreement." To the best of our ability and as far as we know, we did all that was required in the case of American rules and regulations, "he said." And we gave a mechanism for people to come to me if they thought something was done was wrong. "
An NSA spokesman refused to comment on Project Raven.
The State Department spokesman refused to comment on the agreement but said that such licenses do not allow people to engage in human rights violations.
At the end of 2015, some Raven operations considered their mission to be harder.
For example, in instead of being claimed to hack to individual users of an Islamic Internet forum, as before, American Contractors should create computer viruses that would infect every person who visits a flagged website. Such wholesale fundraising ventures risk sweeping into US citizens' communications and stepping over a line that operators knew well from their NSA days.
U.S. The law usually prohibits the NSA, CIA and other US intelligence agencies from overseeing US citizens.
In collaboration with managers, Stroud helped to create a policy for what to do when Raven swept up personal data belonging to the Americans. The former NSA employees were instructed to mark the material for deletion. Other Raven operators would also be notified so that US victims could be removed from future collection.
As time went on, Stroud repeatedly noted US data flagged for removal in the ravine's NESA-controlled data store.  Still, she found the job uplifted. "It was unbelievable as there were no limitations to the NSA. It was not so uneven bureaucracy," she said. "I feel we did very good work against terrorism."
DarkMatter and Departures
When the Raven was created in 2009, Abu Dhabi had little cyber skills, the original idea being that the Americans would develop and run the program for five to ten years until the Emirates intelligence officials were adequately trained to take over, documents show. The raven between a dozen and 20 members, which was for the majority of the staff.
At the end of 2015, the power dynamics of the Villa moved when the UAE became more uncomfortable with a core National security program controlled by foreigners, former staff said. they wanted Project Raven to run through a domestic company called DarkMatter.  Ravens American creator got two options: Join DarkMatter or go home.
At least eight operators left Raven during this transition period. Some said they left after being worried about the vague explanations that Raven bosses gave as they pushed for potential surveillance against other Americans.
In 2014, DarkMatter was founded by Faisal Al Bannai, who also created Axiom, one of the largest sales centers of mobile devices in the region. DarkMatter markets itself as an innovative developer of defensive cyber technology. A 2016 Intercept article reported they assisted UAE security forces in surveillance efforts and tried to recruit foreign cyber experts.
Emirates companies with more than 650 employees publicly acknowledge their close business relationship with the UAE government, but deny involvement in government-backed hacking efforts.
Project Ravens real purpose was kept secret from most of DarkMatter's chiefs, previous operations said.
DarkMatter did not respond to the request for comment. Mr Al Bannai and the company's current CEO, Karim Sabbagh, did not respond to interview requests. A spokesman for the UAE Foreign Ministry refused to comment.
Under DarkMatter, Project Raven continued to work in Abu Dhabi from the Villa, but the pressure escalated to make the program more aggressive.
For a long time, senior NESA officers were given greater control over the day-to-day operations, former Raven operators said, often leaving American bosses out of the loop. By mid-2016, the emirates had begun to make an increasing number of sections of the Raven hidden from the Americans who still handle daily operations.
By 2016, FBI agents began approaching DarkMatter employees who returned to the US to ask about Project Raven, said three previous operations.
The FBI wanted to know: Had they been asked to spy on Americans? Classified information about US intelligence technology and technology ending up in the hands of the Emirates?
Two agents approached Ms Stroud in 2016 at Virginia Dulles Airport when she returned to the UAE after a trip home. Mrs Stroud, afraid she might be supervised by the UAE herself, said she was brushing off the FBI investigators. "I'm not saying to guys," she told me.
Ms. Stroud had been promoted and gained even more access to internal amber databases the year before. A leading analyst, her job was to investigate the accounts of potential rogue targets and learn which vulnerabilities could be used to penetrate their e-mail or messaging systems.
The goals were listed in different categories, by country. Yemeni goals were in the "brown category", for example. Iran was gray.
One morning in the spring of 2017, after completing her own list of goals, Mrs Stroud said she started working on a backlog of other missions for an NESA officer. She noticed that a passport side of an American was in the system. When Ms. Stroud emailed managers to complain, she learned that the data had been accidentally collected and would be deleted, according to an email reviewed by Reuters.
Concerned, Stroud began searching for a painting inquiry list that was usually limited to Raven's Emirati staff, whom she could still access due to her role as leading analyst. She saw security forces seeking surveillance against two other Americans.
When she questioned the obvious direction of the Americans, she received a punishment from an Emirati colleague to access the target list, the emails. The target requests she showed would be treated by "certain people". You are not one of them, "wrote the author of the author.
The next day, Mrs Stroud said she came across three American names on the hidden target queue.
They are named in a category she had not seen before: the" white category "- for Americans. This time, she said the professions were listed: journalist.
" I was sick in the stomach, "she said." It had hit me at the macro level and realized there was a whole category for American people on this program. "
Once again, she said she was the head of Baier, trying to lower the problem and asking her to release the question," she said, but he also indicated that any goal of Americans would be made by the Ravens Emirates staff. , Ms Stroud and two other people acquainted with the discussion.
Ms. Stroud's story of the incidents was confirmed by four other former employees and emails reviewed by Reuters.
When Stroud continued to post questions, she said she was handed over by her superiors, her phones and passports were taken and she was escorted from the building. Miss Stroud said everything happened so fast that she couldn't get the names of the three American journalists or other Americans she came across in the files. "I felt like one of the national security goals," she said. "I'm stuck in the country, I'm being monitored, I can't leave."
After two months, Stroud returned to America. Soon after, she fished out the business card of the FBI agents who had confronted her at the airport.
"I don't think the Americans should do that to other Americans," she told Reuters. "I'm a spy; I understand it. I'm an intelligence officer, but I'm not bad."