Get Task & Purpose in your inbox
Ex-NSA Mercenaries Developed A Cyberweapon To Hack Enemies Of The UAE
WASHINGTON (Reuters) - A team of former U.S. government intelligence operatives working for the United Arab Emirates hacked into the iPhones of activists, diplomats and rival foreign leaders with the help of a sophisticated spying tool called Karma, in a campaign that shows how potent cyber-weapons are proliferating beyond the world's superpowers and into the hands of smaller nations.
The cyber tool allowed the small Gulf country to monitor hundreds of targets beginning in 2016, from the Emir of Qatar and a senior Turkish official to a Nobel Peace laureate human-rights activist in Yemen, according to five former operatives and program documents reviewed by Reuters. The sources interviewed by Reuters were not Emirati citizens.
Karma was used by an offensive cyber operations unit in Abu Dhabi comprised of Emirati security officials and former American intelligence operatives working as contractors for theUAE's intelligence services. The existence of Karma and of the hacking unit, code named Project Raven, haven't been previously reported. Raven's activities are detailed in a separate story published by Reuters today.
The ex-Raven operatives described Karma as a tool that could remotely grant access to iPhones simply by uploading phone numbers or email accounts into an automated targeting system. The tool has limits — it doesn't work on Android devices and doesn't intercept phone calls. But it was unusually potent because, unlike many exploits, Karma did not require a target to click on a link sent to an iPhone, they said.
In 2016 and 2017, Karma was used to obtain photos, emails, text messages and location information from targets' iPhones. The technique also helped the hackers harvest saved passwords, which could be used for other intrusions.
It isn't clear whether the Karma hack remains in use. The former operatives said that by the end of 2017, security updates to Apple Inc's iPhone software had made Karma far less effective.
Lori Stroud, a former Raven operative who also previously worked at the U.S. National Security Agency, told Reuters of the excitement when Karma was introduced in 2016. "It was like, 'We have this great new exploit that we just bought. Get us a huge list of targets that have iPhones now,'" she said. "It was like Christmas."
The disclosure of Karma and the Raven unit comes amid an escalating cyber arms race, with rivals such as Qatar, Saudi Arabia and the UAE competing for the most sophisticated hacking tools and personnel.
Tools like Karma, which can exploit hundreds of iPhones simultaneously, capturing their location data, photos and messages, are particularly sought-after, veterans of cyberwarfare say. Only about 10 nations, such as Russia, China and the United States and its closest allies, are thought to be capable of developing such weapons, said Michael Daniel, a former White House cyber security czar under President Obama.
Karma and similar tools make personal devices like iPhones the "juiciest of targets," said Patrick Wardle, a former National Security Agency researcher and Apple security expert.
A spokeswoman for UAE's Ministry of Foreign Affairs declined to comment.
Apple Inc declined to comment.
A flaw in Apple's iMessage system
The former Raven insiders said Karma allowed the operatives to gather evidence on scores of targets — from activists critical of the government to regional rivals, including Qatar, and the UAE's ideological opponent, the Islamic political Muslim Brotherhood movement.
It also granted them access to compromising and at times sexually explicit photos of targets. The material was described to Reuters in detail but reporters didn't inspect it. Reuters saw no evidence that the UAE leaked damaging materials discovered through Karma.
Raven was largely staffed by U.S. intelligence community veterans, who were paid through an Emirati cyber security firm named DarkMatter, according to documents reviewed by Reuters. The company did not respond to numerous emails and phone calls requesting comment. The NSA declined to comment on Project Raven.
The UAE government purchased Karma from a vendor outside the country, the operatives said. Reuters could not determine the tool's creator.
The operatives knew how to use Karma, feeding it new targets daily, in a system requiring almost no input after an operative set its target. But the users did not fully understand the technical details of how the tool managed to exploit Apple vulnerabilities. People familiar with the art of cyber espionage said this isn't unusual in a major signals intelligence agency, where operators are kept in the dark about most of what the engineers know of a weapon's inner workings.
Three former operatives said they understood Karma to rely, at least in part, on a flaw in Apple's messaging system, iMessage. They said the flaw allowed for the implantation of malware on the phone through iMessage, even if the phone's owner didn't use the iMessage program, enabling the hackers to establish a connection with the device.
To initiate the compromise, Karma needed only to send the target a text message — the hack then required no action on the part of the recipient. The operatives could not determine how the vulnerability worked.
A person with direct knowledge of the deal confirmed Karma's sale to the Emiratis from an outside vendor, details of its capabilities and its reliance on an iMessage vulnerability.
The Raven team successfully hacked into the accounts of hundreds of prominent Middle East political figures and activists across the region and, in some cases, Europe, according to former Raven operatives and program documents.
Targeting the 'Iron Women' of Yemen
In 2017, for instance, the operatives used Karma to hack an iPhone used by Qatar's Emir Sheikh Tamim bin Hamad al-Thani, as well as the devices of Turkey's former Deputy Prime Minister Mehmet Şimşek, and Oman's head of foreign affairs, Yusuf bin Alawi bin Abdullah. It isn't clear what material was taken from their devices.
Şimşek, who stepped down from his position in July, told Reuters the cyber intrusion on his phone was "appalling and very disturbing." The Washington embassies of Qatar, Oman and Turkey did not respond to multiple emails and calls requesting comment about the targeting of political figures in their countries.
Raven also hacked Tawakkol Karman, a human rights activist known as the Iron Woman of Yemen. Informed by Reuters she had been targeted, she said she believes she was chosen because of her leadership in Yemen's Arab Spring protests, which erupted around the region in 2011 and led to the ousting of Egyptian President Hosni Mubarak.
For years she had received repeated notifications from social media accounts, warning that she had been hacked, she told Reuters. But the fact that Americans helped the Emirati government monitor her was shocking, she said.
Americans are "expected to support the protection of human rights defenders and provide them with all protection and security means and tools," she said, "not to be a tool in the hands of tyrannies to spy on the activists and to enable them to oppress their peoples."
WATCH NEXT: The Cyber Shield
Editor's Note: This article by Hope Hodge Seck originally appeared on Military.com, a leading source of news for the military and veteran community.
In the wake of a heartwarming viral video that was featured everywhere from Good Morning America to the Daily Mail comes a disheartening revelation: The 84-year-old self-described Army nurse cranking out push-ups in her crisp Vietnam-era uniform might not be who she said she was.
Maggie DeSanti, allegedly a retired Army lieutenant colonel who rappeled out of helicopters in Vietnam, was captured in a video challenging a TSA agent to a push-up competition ahead of a flight to Washington, D.C., with the Arizona chapter of the organization Honor Flight on Oct. 16. The video soon was everywhere, and many who shared it, including Honor Flight, hailed DeSanti's toughness and spirit.
‘Nice girls don't join the military': New commander of Air Force refueling squadron proves her critics wrong
The summer before sixth grade, Cindy Dawson went to an air show with her father and was enamored by the flight maneuvers the pilots performed.
"I just thought that would be the coolest thing that anybody could ever do," she said, especially having already heard stories about her grandfather flying bombers during World War II with the Army Air Corps.
So by the first day of school, she had already decided what she wanted to be when she grew up.
We salute the 93-year-old WWII veteran who refuses to retire, and opened up a 'boozy bakery' instead
Peach schnapps, sex on the beach, and piña colada may be familiar drinks to anyone who's spent an afternoon (or a whole day) getting plastered on an ocean-side boardwalk, but they're also specialty desserts at Ray's Boozy Cupcakes, Etc, a bakery in Voorhees, New Jersey run by a 93-year-old World War II veteran named Ray Boutwell.
A former senior Coast Guard official has been accused of shoplifting from a Philadelphia sex shop.
Rear Adm. Francis "Stash" Pelkowski (Ret.) was accused of stealing a tester item from Kink Shoppe on Oct. 8, according to an Instagram post by the store that appeared online two days later. In the post, which included apparent security camera footage of the incident, a man can be seen looking at products on a counter before picking up an item and placing it in his pocket before turning and walking away.
The Instagram post identified the man as Pelkowski, and said it wished him "all the best in his retirement, a sincere thank you for your service, and extreme and utter disappointment in his personal morals."
SAN DIEGO —The Marines say changes in the way they train recruits and their notoriously hard-nosed drill instructors have led to fewer incidents of drill instructor misconduct, officials told the Union-Tribune.
Their statement about training followed an Oct. 5 Washington Post report revealing that more than 20 Marines at the San Diego boot camp have been disciplined for misconduct since 2017, including cases of physical attacks and racist and homophobic slurs. The story also was published in the Union-Tribune.