Black Hat: This is how a naive NSA staffer helped build an offensive UAE security branch

If that job offer looks too good to be true, something else may be afoot.

BLACK HAT USA: What began as an incredible job offer for a naive, young security analyst turned into an explosive case of former US experts unwittingly helping a foreign service create an offensive security branch.

Known as Project Raven, a team of over a dozen former US intelligence operatives was poached with promises of job roles that seemed too good to be true -- only for them to participate in activities on behalf of the United Arab Emirates (UAE) that were, at the least, dubious. 

Project Raven, as previously reported by the New York Times and Reuters, involved the clandestine surveillance of other governments, militant groups, human rights activists, journalists, and other parties of interest to -- or, critical of -- the monarchy. 

One of these operatives was David Evenden, a former offensive intelligence analyst, member of the Navy, and now founder of StandardUser LLC who once worked for the US National Security Agency (NSA). 

At Black Hat USA in Las Vegas, Evenden described his time working for the UAE, a story that has also previously been covered extensively in the Darknet Diaries podcast. 

After working for the NSA for roughly three years, in 2014, a recruiter from CyberPoint, reported to have been vetted by the US government, approached Evenden with a new career opportunity. 

He was told he would be involved in security work in Abu Dhabi and would be helping to tackle terrorist activity and reduce the workload on government agencies in his homeland, as part of a wider defense agreement with the United States. 

"It was all above board and we all felt confident in what we were doing," Evenden said. 

As noted in "This is how they tell me the world ends," penned by Nicole Perlroth, the overarching contract was known as Project DREAD -- or Development Research Exploitation and Analysis Department. 

Perlroth writes that Project DREAD relied "heavily" on subcontractors including CyberPoint as well as the "dozens of talented former NSA hackers like Evenden."

The security specialist explained that upon arrival, two back-to-back briefings were set up. The "cover" story, in a purple folder, was that he would be working on defensive measures. However, in the following meeting, a black folder was issued. 

The black folder revealed that Evenden would be working with NISSA, the UAE's NSA counterpart, in offensive security, surveillance, and collecting data on targets of interest -- and this was never to be acknowledged to the general public.  

If this wasn't a red flag, the use of a converted villa for operations -- as well as the promise of a tax-free lifestyle and a lucrative salary -- should have tipped Evenden off to something not being quite right. 

For the first few months, reconnaissance was performed to combat terrorism, such as pulling data from the Twitter API, keyword analytics, and computational deltas of social media chatter.

However, while originally told he would be working on behalf of the US and allies, the operative said in Darknet Diaries that it wasn't long before CyberPoint was hacking "real and perceived" Emirati enemies on behalf of its clients, rather than terrorist operatives. ISIS was one of the first groups in scope, but this eventually turned to everyone from civil rights activists to journalists and individuals criticizing the UAE on Twitter. 

"We then began to get questions about following the money," the security expert said, adding that the group was then asked to gain access to Qatar to see if there was any cash being funneled to support the Muslim Brotherhood -- and when told that they would need to hack the country's systems, permission was granted. 

Intel submissions then started to deviate -- such as requests made for the Qatari royal family's flight plans. 

It was the moment that emails belonging to Michelle Obama landed on his PC, in 2015, that changed the game. The emails related to the former First Lady's team and a trip to the Middle East to promote the "Let Girls Learn" initiative.  

"This was the moment I said, "We shouldn't be doing this. This is not normal," Evenden told Perlroth.

In late 2015, a local entity, DarkMatter, took over the Project Raven operation. The group was allowed to perform offensive operations against foreign organizations, and operatives were told to join or go home. 

"People who are loyal to the United States are not going to do that, so we jumped ship and moved home," Evenden said. 

Another member of the team was Lori Stroud, a cybersecurity specialist who had previously worked for the NSA. A request from DarkMatter reportedly came in to target a US journalist, and once Stroud voiced her concerns, she was promptly removed from the project. Speaking to Reuters, Stroud said that at that moment, she became "the bad kind of spy."

The red flags Evenden missed can be taken as a lesson to other security professionals considering a move abroad, and he has some advice to give -- in the hope that others do not make the same mistakes. 

"Vet your leadership -- that's one of the main things I learned out of this," Evenden commented. "If you get those hairs standing up on your arms, you need to step back [and] make sure you have an exit strategy -- whether or not an organization provides you with one, you need one, too."

Previous and related coverage


Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0