The Darkside of DarkMatter: The Evil Hackers behind Project Raven

Originally published in Vol. 39:2 of 2600 The Hacker Quarterly and on Anonymous Worldwide

Scrolling through my social media feeds in the third week of September 2021, I came across a story about Project Raven. Three people, Marc Baier, Ryan Adams, and Daniel Gericke, all former intelligence operators or military personnel from the United States, were levied heavy fines by the Department of Justice and are forbidden from ever seeking a security clearance for life. This was a deal to avoid prosecution for their crimes. What were their crimes? They participated in the most unethical hacking I have ever heard about. Working for a company in the United Arab Emirates known as DarkMatter Group, they were an elite red team working on behalf of the Emirati government to spy on its own citizens, Emirati enemies, and even United States networks. But why is this the most unethical hacking in my opinion? Because of their hacking, human rights activists were tortured and imprisoned. Hacking does not exist in a vacuum. It is not just a challenge to test the limits of one’s technical acumen. It has real effects on real people, and Project Raven led to real human suffering.

Set the Wayback machine for the early second decade of the 21st century. Cyber warfare was becoming the new battlefield of the century, and countries all over the world were getting started in an arms race for not only defensive capabilities but offensive ones as well. Governments were using corporate contractors, often filled with former feds. Edward Snowden is perhaps the best-known of these contractors; before his whistleblowing he worked for one such firm, Booz Allen, which gave him access to all the secrets he was about to spill. Remember that name, it will come up again. These contractors did not just work for the American government: those that could obtain a license to export technology and train foreign governments in cyber defense and policy also provided malware and attack vectors to other governments, equipping any country that had the coin with cyberweapons. In September of 2012, one such company, Cyberpoint, obtained such a license to train the government of the United Arab Emirates in cyber defense — blue team sort of stuff. However, the UAE had other designs.

Cyberpoint did stick to blue team style defense such as firewalls, intrusion detection systems, and other defensive strategies, but thanks to whistleblower Lori Stroud (who actually recruited Edward Snowden into Booz Allen’s team contracted to the NSA, giving Snowden access to even more classified material — this is the reason she left the NSA and went to work for Project Raven) we know that this was the “unclassified cover story” for Project Raven, hiding its red team style offensive exploitation and penetration work for the UAE government. It was perhaps the UAE’s desire to have more control and do things in-house that led, in 2016, to the Emirati company DarkMatter taking over the contracting for Project Raven; the Cyberpoint contractors, if they wanted to keep their lucrative jobs in tax-free Dubai, moved to DarkMatter.

DarkMatter, for all intents and purposes, appeared to be a private Emirati company, but in fact it was part of the Emirati government. These were state actors pretending to be a cybersecurity company, and they were recruiting. They went to cybersecurity conferences such as RSA in San Francisco and Black Hat in Las Vegas looking for elite hackers to fill their roster, promising six-figure salaries, housing, and a tax-free lifestyle in Dubai. Many hackers took DarkMatter up on their offer, getting a major payday, but what was the cost?

To put it bluntly, the UAE wanted hackers to build and implement a surveillance state that could be described as “1984 on steroids”: blanketing the country with probes that would intercept all cell phone communication in Abu Dhabi and Dubai, and, with the press of a button, pwning every phone in a specific area such as a shopping mall on the suspicion that a single suspected terrorist might be there. One may argue that every government participates in some form of surveillance state, including the United States. The difference is that even though DarkMatter told its hackers they were fighting the very real threat of terrorism, they were also spying on what the UAE considers dissidents. It should be pointed out here that the UAE does not have freedom of speech. Criticism of the government is a punishable offense. Speaking up for human rights protections could very well get you disappeared, tortured, secretly tried, and imprisoned. The hacking taking place under the aegis of Project Raven did in fact lead to these outcomes.

The tool that got the most press is called Karma. It used an exploit in iMessage for iPhones: just by sending a text message that did not have to be read or otherwise interacted with, the device was compromised, giving Project Raven hackers access to it. It sounds a lot like the tool known as Pegasus, which is also in the news lately and which Apple recently pushed patches to fix, but in my research I have not been able to determine whether Karma and Pegasus are indeed the same tool, though the similarity of the exploit is uncanny. iMessage is such a desirable vector for exploits because it is guaranteed to be on every Apple device out there, and because of Apple’s closed system, Apple users cannot opt out of this application.

Hackers love freedom, often expressing this in free speech and free software. Many hackers believe in the sovereignty of their own lives and their choices. However, if we are going to exercise this freedom, we must temper it with responsibility for the consequences of our actions. No matter how isolated or sandboxed you think your hacking is, none of us is an island. Our choices ripple out and affect people we may not even realize are there or have the vision to see. People exist within our sphere of influence and beyond the horizon of what we can see. We must not remain ignorant of the impact of our hacking. What does our own freedom mean if we are taking away the freedom of others? Can we really say we are advocates of liberty if we do not work to ensure liberty for all, instead of selfishly looking inward and thinking we got ours and screw everyone else?

Hackers exist in a community of like-minded individuals with a diversity of opinions, skills, and goals. We form collectives to work together to achieve our goals, be it an open-source project, presenting at a conference, or writing for this magazine. We may see hackers as an in-group and those outside our community as “other”, but in truth, we are all connected, every single one of us. Human beings create technology in order to be connected and interconnected with other human beings, especially in the realm of communication. From things like smoke signals, drumming across distances, running between cities with messages, postal systems, the telegraph, the telephone, radio and television, and finally the internet, humanity has increased our connection with one another to facilitate the sharing of information and understanding of one another.

But there is also a dark side. Human beings have used technology more and more to divide: to foment terrorism, spread misinformation, and facilitate fascism. The hackers of Project Raven were some of those individuals, working under the aegis of the Emirati government to squelch free speech, which is the lowest form of fascism, and to facilitate the torture of human rights activists, which is well into the realm of authoritarianism. Technology can facilitate freedom, and technology can also enable tyranny. Even though some technology can be used for good or ill, technology is not ethics-neutral. There are some applications that are always unethical, immoral, and, I will say it, evil.

Some of the darkside hackers for DarkMatter were ex-feds who, while giving lip-service to the founding principles of the United States, were more than willing, for a big payday, to set those principles aside both in their work for the United States and for the Emirati government. We know Lori Stroud, the whistleblower, was just fine with the NSA spying on everyone, as Edward Snowden revealed, while participating in it, but only drew the line when the Emirati equivalent, the National Electronic Security Authority (NESA), spied on fellow Americans using Project Raven. She had already been used to facilitate the compromising of devices belonging to journalists, human rights activists, and foreign governments around the world, and the torture of Emirati dissidents, in exchange for six tax-free figures; she still knew she was a spy but thought she was a “good” intelligence officer. It was fine to do this to brown folks in the Middle East, to people who were “other”, but when it was done to Americans, her perceived in-group, she suddenly found scruples about what she was doing. Her hacking had a real human cost. But at least she eventually contacted the FBI about Project Raven, and Reuters did the initial investigative journalism that brought it all to light. Marc Baier, Ryan Adams, and Daniel Gericke cut a deal to pay a fine for breaking US hacking laws and prohibitions on selling military technology in order to avoid prosecution, but this does not undo the damage they have done. They used their technical acumen, access to high technology, and their ability as hackers to cause real harm — real human suffering as a result of their hacking.

It is a common story. Though I am merely a competent hacker, and not a superstar, puttering around more as a hobbyist and technological idealist than an InfoSec worker (the closest being sysadmin jobs in Amsterdam and California), I have often been approached to do something unethical when people find out I am a hacker, and I am sure many readers of this magazine have as well. What we decide to do matters. It would behoove us not just to hack code, but to have a code of what we are willing to do and not to do. If we are going to cause harm, who are we causing harm to? Sometimes justice demands direct action, but if we are not careful, some company can wave a fat wad of cash under our noses, and we compromise our values and, through our skills, become an agent of injustice. Or maybe we do something “just to see if it can be done”. We have all been there; hackers are curious creatures, but we must not allow our curiosity to bring actual harm or suffering to other human beings unjustly. We must build an awareness of the influence hacking can have on individuals and organizations. We can use hacking for righteous causes, or, like the hackers of Project Raven, for great evil. The choice is yours. Choose wisely.
