A special investigation by Reuters has unveiled a secret Emirati spy ring that used Americans with backgrounds in the U.S. National Security Agency (NSA) to monitor dissidents, journalists, and human rights activists. Codenamed Project Raven, the hidden arm of the United Arab Emirates’ (UAE) National Electronic Security Authority (NESA) hacked into the devices of prominent figures opposed to the Emirati regime, foreign governments, and even American citizens.
This revelation comes amid what the report calls an “ongoing cyber arms race,” in which rival Middle Eastern states are trying to gain cyber supremacy over each other by sweeping up hacking tools and foreign intelligence contractors. In the past, many U.S. allies in the region have sought help from American cybersecurity companies, according to a 2012 report by the Washington Post.
The arms race has pitted U.S. allies like Saudi Arabia, the UAE, and Kuwait against the likes of Qatar and Iran. While the U.S. government does not provide direct cyber assistance to its Middle Eastern allies, it has authorized some private firms to train foreign intelligence agencies through special “export licenses” signed off by the U.S. Departments of State and Commerce.
Created in 2009, Project Raven was supposed to be a program in which American contractors would hone the skills of Emirati intelligence officers until they were skilled enough to run the operation on their own. Project Raven initially focused primarily on Emirati dissidents online but later expanded its mission to target international journalists and American citizens. Under U.S. law, it is illegal for Americans contracting for foreign intelligence agencies to collect data on domestic citizens.
Lori Stroud, an ex-NSA spy and former Project Raven operative, told her story to Reuters along with eight former operatives who spoke anonymously. Stroud began her career at Project Raven through the U.S.-based cyber-security firm CyberPoint doing contract work for the UAE.
Although CyberPoint claims to be a “purely defensive” company, a report from The Intercept reveals that the firm sold the UAE cyberweapons to track dissidents and pro-democracy activists in the country. This happened with the authorization of the U.S. State Department, as the special export license granted to CyberPoint to train UAE personnel acknowledged that the firm would help surveil targets. The license, however, forbade the targeting of American citizens.
From there, Stroud was sent to the UAE to assist in the monitoring and hacking of critics of the regime. According to her, the targets ranged from a “16-year-old kid on Twitter” to activists like Ahmed Mansoor, a prominent critic of the government. Mansoor, code-named Egret by Raven operatives, was arrested and tried in an Emirati court in 2017 on evidence gathered by Project Raven. He was sentenced to ten years in prison for “damaging the country’s unity,” and is currently in solitary confinement.
According to an additional report by Reuters, Project Raven also used an advanced hacking tool dubbed “Karma” that exploited a flaw in Apple’s iMessage system to hack into the iPhones of those deemed to be a threat to the UAE government. Among the most significant targets of the Karma hack were Qatar’s Emir Sheikh Tamim bin Hamad al-Thani and Yemeni activist Tawakkol Karman.
In 2015, the UAE government moved operations from the U.S.-based CyberPoint to an Emirati firm called DarkMatter. This raised flags with the FBI, which is currently investigating whether American contractors had knowingly spied on U.S. citizens and whether classified intelligence-gathering techniques were shared. According to the Associated Press, DarkMatter denies that it was involved with offensive hacking operations like Project Raven.
It was around this time that Stroud discovered Project Raven’s secret surveillance of Americans, knowledge that was restricted to Emirati Raven operatives. According to an additional Reuters report, the UAE government denies that it hacked American citizens, saying that it does not target countries with which it has good relations.
Project Raven raises important questions about the conduct of former intelligence officers abroad. Bobby Chesney, a national security lawyer at Lawfare, contends that U.S. law regarding Americans serving in foreign intelligence agencies is not strong enough and should be tightened to help minimize American involvement in “undesirable foreign intelligence activity.”
The Project Raven story also presents the issue of whether the U.S. should provide authoritarian regimes with tools that can be used to repress their own people, even if they are allies.
In the case of Project Raven, the U.S. gave its approval to CyberPoint to assist the Emirati government in surveilling its citizens with the caveat that it could not spy on Americans. While it was not an explicit license to suppress dissent, it can make the U.S. government look as if it is turning a blind eye, which goes against longstanding American values like promoting free speech.
According to the Reuters report, a State Department spokesperson said that agreements like the one given to CyberPoint do not authorize human rights abuses. Whether or not the U.S. government condones these abuses, giving repressive governments the tools to commit them undermines American credibility abroad as a champion of democracy, human rights, and personal freedom.