Reuters: UAE’s Project Dread
(This investigation was published by Reuters on December 10, 2019, by: Joel Schectman and Christopher Bing)
In the years after 9/11, former U.S. counterterrorism czar Richard Clarke warned Congress that the country needed more expansive spying powers to prevent another catastrophe. Five years after leaving government, he shopped the same idea to an enthusiastic partner: an Arab monarchy with deep pockets.
In 2008, Clarke went to work as a consultant guiding the United Arab Emirates as it created a cyber surveillance capability that would utilize top American intelligence contractors to help monitor threats against the tiny nation.
The secret unit Clarke helped create had an ominous acronym: DREAD, short for Development Research Exploitation and Analysis Department. In the years that followed, the UAE unit expanded its hunt far beyond suspected extremists to include a Saudi women’s rights activist, diplomats at the United Nations and personnel at FIFA, the world soccer body. By 2012, the program would be known among its American operatives by a codename: Project Raven.
Reuters reports this year revealed how a group of former National Security Agency operatives and other elite American intelligence veterans helped the UAE spy on a wide range of targets through the previously undisclosed program — from terrorists to human rights activists, journalists and dissidents.
Now, an examination of the origins of ‘Development, Research, Exploitation, and Analysis Department’ (DREAD), reported here for the first time, shows how a pair of former senior White House leaders, working with ex-NSA spies and Beltway contractors, played pivotal roles in building a program whose actions are now under scrutiny by federal authorities.
To chart the UAE spying mission’s evolution, Reuters examined more than 10,000 DREAD program documents and interviewed more than a dozen contractors, intelligence operatives and former government insiders with direct knowledge of the program. The documents Reuters reviewed span nearly a decade of the DREAD program, starting in 2008, and include internal memos describing the project’s logistics, operational plans and targets.
Clarke was the first in a string of former White House and U.S. defense executives who arrived in the UAE after 9/11 to build the spying unit. Utilizing his close relationship to the country’s rulers, forged through decades of experience as a senior U.S. decision-maker, Clarke won numerous security consulting contracts in the UAE. One of them was to help build the secret spying unit in an unused airport facility in Abu Dhabi.
|Dread||How a Counterterrorism Mission Lost Its Path|
|Drawn to the UAE with the promise of combating terrorism, dozens of American intelligence contractors cycled in and out of a secret hacking unit over the course of a decade. As time went on, the mission became less focused on preventing violent attacks than on targeting the country’s political enemies.|
|Dread Contractors||1- Clarke’s Good Harbor 2- Gumtow’s CyberPoint 3- UAE’s DarkMatter|
|2008||Richard Clarke and his firm Good Harbor recommend the creation of a new cyber surveillance agency in the UAE, which the country asks for them to help build. The secret program is codenamed DREAD but will later be known as Project Raven.|
|2009||Construction of DREAD’s first headquarters is completed. Good Harbor utilizes a U.S. defense contractor, named Society of Research Administrators International (SRA International), and by year’s end the subcontractors are assisting in hacking operations.|
|2010||Good Harbor gives up control of DREAD to Karl Gumtow, a former SRA vice president. Gumtow’s new Maryland-based company, CyberPoint, staffs DREAD with more former NSA hackers.|
|2011||The Arab Spring causes the UAE government to ramp up digital espionage against protesters and others critical of the monarchy. DREAD targets included activists such as Ahmed Mansoor, a prominent human rights defender.|
|2012||DREAD operatives are ordered to make British activist Rori Donaghy a top priority hacking target after UAE security officials were angered by his critical blog posts.|
|2013||DREAD develops a tool, codenamed Mercury Crush, that exploits flaws in Microsoft Word and Adobe Flash in order to implant surveillance software within a website visited by activists.|
|2014||DREAD targets hundreds of Qatari government officials. The program is increasingly tasked with hacking into entire rival foreign governments in the Middle East such as Iran and Qatar.|
|2016||DREAD’s American staffers are given a choice: go home or join Emirati firm DarkMatter, which is taking over control. Some stay despite warnings from colleagues. FBI agents approach former CyberPoint staff to learn what’s happening.|
|2017||The unit wields a new, elite hacking tool to remotely break into iPhones of media figures and rival foreign leaders, including the Emir of Qatar.|
Source: Reuters reporting
In an interview in Washington, Clarke said that after recommending that the UAE create a cyber surveillance agency, his company, Good Harbor Consulting, was hired to help the country build it. The idea, Clarke said, was to create a unit capable of tracking terrorists. He said the plan was approved by the U.S. State Department and the National Security Agency, and that Good Harbor followed U.S. law.
“The incentive was to help in the fight against Al Qaeda. The UAE is a very good counterterrorism partner. You need to remember the timing back then, post 9-11,” Clarke said. “The NSA wanted it to happen.”
The NSA did not answer written questions about its knowledge of DREAD or its relationship to any of the contractors. The State Department said it carefully vets foreign defense service agreements for human rights issues. UAE spokespeople at its Washington embassy and Ministry of Foreign Affairs did not respond to requests for comment.
Clarke’s work in creating DREAD launched a decade of deepening involvement in the UAE hacking unit by Beltway insiders and U.S. intelligence veterans. The Americans helped the UAE broaden the mission from a narrow focus on active extremist threats to a vast surveillance operation targeting thousands of people around the world perceived as foes by the Emirati government.
One of Clarke’s former Good Harbor partners, Paul Kurtz, said Reuters’ earlier reports showed that the program expanded into dangerous terrain and that the proliferation of cyber skills merits greater U.S. oversight. “I have felt revulsion reading what ultimately happened,” said Kurtz, a former senior director for national security at the White House.
At least five former White House veterans worked for Clarke in the UAE, either on DREAD or other projects. Clarke’s Good Harbor ceded control of DREAD in 2010 to other American contractors, just as the operation began successfully hacking targets.
A succession of U.S. contractors helped keep DREAD’s contingent of Americans on the UAE’s payroll, an engagement that was permitted through secret State Department agreements, Reuters found.
The program’s evolution illustrates how Washington’s contractor culture benefits from a system of legal and regulatory loopholes that allows ex-spies and government insiders to transfer their skills to foreign countries, even ones reputed to have poor human rights track records.
American operatives for DREAD were able to sidestep the few guardrails against foreign espionage work that existed, including restrictions on the hacking of U.S. computer systems.
Despite prohibitions against targeting U.S. servers, for instance, by 2012 DREAD operatives had targeted Google, Hotmail and Yahoo email accounts. Eventually, the expanding surveillance dragnet even swept up other American citizens, as Reuters reported earlier this year.
In an interview, Mike Rogers, former chairman of the U.S. House Intelligence Committee, said he has watched with growing concern as more and more former American intelligence officials cash in by working for foreign countries.
“These skill sets do not belong to you,” he said of ex-U.S. agents, but to the U.S. government that trained them. Just as Washington wouldn’t let its spies work in the pay of foreign nations while employed at the NSA, he said, “Why on God’s green earth would we encourage you to do that after you leave the government?”
An NSA spokesman said former employees are mandated for life not to reveal classified information.
From The White House to the Gulf
For years before the creation of DREAD, Clarke grappled with the need for domestic surveillance in the United States, as well as its potential dangers.
Clarke, a counterterrorism czar to Bill Clinton and George W. Bush, is perhaps best known for offering an unequivocal public apology for Washington’s inability to prevent the 9/11 attacks.
“Your government failed you. Those entrusted with protecting you failed you. And I failed you,” Clarke said in 2004, one year after leaving government, testifying before a U.S. commission established to investigate intelligence failures leading to the 9/11 attacks.
To prevent future attacks, Clarke urged America to create a domestic spying service, while saying such a unit must avoid civil liberties violations. “We’d have to explain to the American people in a very compelling way why they needed a domestic intelligence service, because I think most Americans would be fearful of a secret police,” he said.
Clarke’s testimony to the 9/11 Commission helped lead to the creation in 2005 of a domestic intelligence service within the Federal Bureau of Investigation — described as “a service within a service” — staffed by federal agents, language analysts and surveillance specialists.
Two years earlier, Clarke had joined his former deputy Roger Cressey at the newly launched Good Harbor Consulting, a security advisory group. Clarke brought one of the most famous names in U.S. national security.
He also brought a decades-long relationship with a potential client of immense wealth: Sheikh Mohammed bin Zayed al-Nahyan, known as MbZ, the son of the UAE’s most powerful ruler. In the months preceding the 1991 U.S.-led war on Iraq, Clarke, then a senior American diplomat, had been sent to the Gulf to seek assistance from regional allies. MbZ stepped up as the U.S. prepared to go to war.
MbZ helped Clarke obtain permission from the Emirati government for bombing runs in UAE airspace, and he funneled billions toward the American war effort. In 1991, when Congress questioned whether Washington should allow a $682 million arms sale to UAE, Clarke bristled.
“They transferred $4 billion to the U.S. Treasury to support the war effort,” he told the House Subcommittee On Arms Control. “Is that the kind of nation that we should snub by denying them 20 attack helicopters? I don’t think so.” The UAE got the choppers.
In the years after Clarke joined Good Harbor in 2003, MbZ, the de facto ruler of the UAE, granted the company the rare opportunity to help build the country’s homeland security strategy from the ground up. Clarke’s Good Harbor soon won a series of security contracts to help the UAE secure its infrastructure, including work to protect the Gulf state’s seaports, nuclear projects, airports, embassies and petrochemical facilities, according to two people with direct knowledge of the contracts.
Along with helping stand up an emergency response department and maritime security unit, Clarke believed the UAE required an NSA-like agency with the ability to spy on terrorists. Clarke said he placed Good Harbor partner Paul Kurtz, himself a former White House veteran, in charge of the contract.
“At the highest level, it was cyber defense and how you protect your own networks,” Kurtz said in a phone interview with Reuters. The UAE wanted to know, he said, “How do I understand more about what terrorists may be doing?”
Asked whether he was concerned the UAE could use the capability to crack down on activists or dissidents, Clarke stressed that “the overarching concern was getting Al Qaeda.” He said he had limited visibility into the program at the time and that Kurtz was responsible for the day-to-day management of the contract to build the program.
Kurtz said his personal involvement was limited to high level consulting, with his knowledge of daily activities “next to none.” For technical expertise on hacking, he said, Good Harbor relied on subcontractors from the American defense company SRA International, managed by an executive named Karl Gumtow.
SRA, then a 7,000-employee operation based in Fairfax, Virginia, was chosen because of its experience with NSA contracts, Clarke said.
Utilizing eight contractors from SRA, Good Harbor started building DREAD in 2008 inside a building that resembled a small airplane hangar on the edge of the Al Bateen airport in Abu Dhabi. The program began as an arm of MbZ’s royal court, and was initially managed by the prince’s son, Khalid.
The contractors built the project from scratch. They trained potential Emirati staff in hacking techniques and created covert computer networks and anonymous Internet accounts the UAE could use for surveillance operations.
In 2009, the group set out to build a spy tool codenamed “the Thread,” software that would enable the Emiratis to steal files from Windows computers and transmit them to servers controlled by the Court of the Crown Prince, DREAD program documents show.
Beyond offering guidance and support, Good Harbor and SRA did not envision an active role in hacking operations.
The program was intended to leave the UAE equipped with the cyber capabilities to pursue terrorism threats on its own. But within months, the Americans could see they needed to take the lead from their less experienced Emirati colleagues, said three former DREAD operatives.
Some UAE trainees appeared disinterested and ill-equipped. One trainer, a former SRA contractor and ex-NSA cryptographer named Keith Tuttle, concluded one student had “lost interest” and another “continues to struggle with technology,” a program report card reviewed by Reuters shows.
That left the Americans with little choice but to get more involved, two former DREAD operatives told Reuters, eventually doing everything aside from hitting the final button on a computer intrusion. Tuttle, citing advice from his attorneys, declined to comment.
A spokesman for General Dynamics, the owner of SRA International after multiple business acquisitions, said the original contract with Good Harbor ended in 2010. He declined further comment.
The hacking requests from UAE security forces to the new unit accelerated after Christmas 2009, just one year after Good Harbor started on DREAD. UAE leaders received intelligence warnings that a violent extremist attack could be imminent. A panicked request came to the nascent hacker team: Help us spy on outbound Internet traffic coming from a suspected extremist’s home computer network located in the northern part of the country.
DREAD’s SRA handlers were still months from finishing the Windows hacking software, Thread. Suddenly, U.S. operatives were cobbling together makeshift spy tools based on computer security testing software found for free online, according to two people with direct knowledge of the incident.
Yet they succeeded within weeks, hacking the suspected extremist in a mission seen by the Emiratis as a key success that may have prevented an attack. The incident marked a crucial moment in the relationship. With that success came more targeting requests and a deeper role for the Americans, said two people with direct knowledge.
By the end of 2010, Good Harbor stepped back from DREAD, leaving control in the hands of SRA vice president Gumtow, program documents show. He had just started his own Maryland company, CyberPoint. “Our focus was to help them defend their country,” Gumtow said in a phone interview.
With Good Harbor’s departure, Kurtz joined CyberPoint, although he said his involvement in DREAD ended by 2011.
40 Americans and $34 Million
Within two years, Gumtow expanded the number of Americans on the program from around a dozen to as many as 40. More than a dozen were poached from the halls of the NSA or its contractor list. DREAD’s annual budget reached an estimated $34 million, project documents show.
Some American recruits had concerns about working for a foreign spy service. But the program’s connection to respected national security figures such as Clarke, Kurtz and Gumtow led them to conclude the effort was above board, four former operatives said.
Jonathan Cole, a former U.S. intelligence operative who joined DREAD in 2014, said he believed the UAE mission had Washington’s blessing due to the involvement of CyberPoint’s Maryland-based staff in other classified programs for the U.S. government. “I made some assumptions,” Cole said.
In 2011, the program moved to the first of a series of secret converted mansions, known as the Villa, and among its American contractors was given the codename Project Raven.
Gumtow told Reuters his U.S. contractors were hired only to train Emirati hackers, and were prohibited from assisting in operations themselves. U.S. law generally prohibits Americans from hacking computer systems anywhere, but specifically prohibits targeting of other American people, companies or servers.
Although Gumtow managed the DREAD contract for five years from Baltimore, he said he never learned of such activities occurring among his staff. He said his visibility was limited, as he visited his UAE staff five or six times a year.
“I did not get involved in day-to-day program activities,” Gumtow said. “If we had a rogue person, then there’s nothing I can do.”
Still, the American team soon occupied almost every key position in the program. American operatives helped locate target accounts, discover their vulnerabilities and cue up cyberattacks. To stay within the bounds of the law, the Americans did not press the button on the ultimate attack, but would often literally stand over the shoulders of the Emiratis who did, 10 former operatives told Reuters.
After the 2011 Arab Spring demonstrations shook the region, Emirati security experts feared their country was next. DREAD’s targets began to shift from counterterrorism to a separate category the UAE termed “national security targets” — assisting in a broad crackdown against dissidents and others seen as a political threat. The operations came to include the previously unreported hacks of a German human rights group, the United Nations’ offices in New York and FIFA executives.
Between 2012 and 2015, individual teams were tasked with hacking into entire rival governments, as the program’s focus shifted from counterterrorism to espionage against geopolitical foes, documents show.
|Hacking FIFA||Qatar became the first Middle Eastern nation to win the right to host a World Cup in December 2010. Four years later, an NSA veteran helped the UAE target the computers of Qatari and FIFA officials in the hope of uncovering damaging information about how the bid was won. Here are the targets. FIFA said it was “not aware” of the hacking incident. A Qatari spokesman did not answer questions about the case.|
|Qatari football officials||1- Sheikh Mohammed bin Hamad bin Khalifa Al Thani, Brother of the Emir of Qatar; Managing director, Qatar 2022 World Cup organizing body 2- Hassan Al Thawadi, Secretary general, Qatar 2022 World Cup organizing body 3- Khaled al-Kubaisi, Chief of Special Projects, Qatar 2022 World Cup organizing body 4- Phaedra Almajid, Former communications director, Qatar 2022 World Cup Bid 5- Sakis Batsilas, Planning Executive Director, Qatar 2022 World Cup organizing body 6- Mohamed Bin Hammam, Former executive committee member, FIFA 7- Ahmad Nimeh, Former senior advisor, Qatar 2022 World Cup Bid|
|Other FIFA executives||1- Amos Adamu, Former executive committee member, FIFA 2- Jacques Anouma, Former executive committee member, FIFA 3- Issa Hayatou, Former president, FIFA 4- Nicolas Leoz, Former president, South American Football Confederation (He died in August 2019) 5- Jack Warner, Former vice president, FIFA|
Source: Reuters reporting
One target was UAE archrival Qatar, which in 2010 gained global attention by winning the right to hold soccer’s 2022 World Cup. In 2014, DREAD operatives targeted directors at FIFA, the Swiss-based body that runs international soccer, and people involved in Qatar’s World Cup organizing body.
The ploy was designed to steal damaging information about Qatar’s World Cup bid, which could be leaked to embarrass the UAE’s Gulf rival. Allegations that FIFA officials were bribed by Qatar in exchange for granting its World Cup bid surfaced in media reports in 2014.
The FIFA hacking operation, codenamed Brutal Challenge, was planned by an ex-NSA analyst named Chris Smith, according to DREAD operation planning memos reviewed by Reuters. The hackers sent boobytrapped Facebook messages and emails containing a malicious link to a website called “worldcupgirls.” Clicking on the link deployed spyware into the target’s computer.
It is not clear whether the mission succeeded. But the targets included Hassan Al Thawadi, secretary general of Qatar’s FIFA organizing body, and Jack Warner, a former FIFA executive who the U.S. later indicted on money laundering charges.
|The World Cup Girls Phishing Scam|
|The hackers used a simple method to go after their victims. By hiding malware within messages that looked like ordinary spam, DREAD operatives believed the World Cup-themed phishing scheme was “low risk” because it would be difficult to trace back to their servers. Yet if the target clicked on a malicious link inside the message, their computer would be infected by spyware.|
|Luring targets||DREAD hackers send Facebook messages and emails containing photos of attractive female soccer fans, inviting targets to visit a website called “worldcupgirls.”|
|Malicious link||Embedded in the messages and emails is a malicious link that directs targets to a fake, identical version of a site by that name. The web address is only slightly different and easy to mistake.|
|Spyware deployed||The fake version of the website deploys spyware into the target’s computer, allowing hackers free access through the user’s files.|
Source: Reuters reporting
Qatar’s Supreme Committee for Delivery and Legacy, a governmental body in charge of helping organize the 2022 footballing tournament, had no comment. A spokesman for Qatar’s government said the country saw its successful bid to host the World Cup as “a chance for the world to see our region in a new light.”
In a statement, a spokeswoman said FIFA was “not aware” of any hacking incidents related to Qatar’s World Cup bid. A second spokesperson said a FIFA internal investigation did not find that Qatar paid bribes to win the right to host the tournament.
Warner, who is facing extradition to the United States from Trinidad and Tobago, could not be reached for comment. He has repeatedly proclaimed he is innocent of the charges. Smith did not respond to messages sent through email and social media.
Foreign License, Scant Oversight
To conduct its UAE business, CyberPoint obtained a State Department foreign defense services license in 2010 and 2014.
The agreements, reviewed by Reuters, are written in broad language. Hacking operations are described as “collecting information from communications systems inside and outside the UAE.” The agreements placed no restrictions against targeting human rights activists, journalists or U.S. allies.
A State Department spokesman said that before granting such a license, the agency carefully weighs human rights concerns. The authorization doesn’t grant the right to violate human rights, he said. But he declined to comment on the agreements between the agency and CyberPoint.
The DREAD agreements did prohibit the program from assisting in hacking operations against Americans or American-owned email servers. Doing so “could subject you to criminal liability under U.S. law, even if the activities were conducted overseas,” warned a CyberPoint legal counsel in a 2011 memo.
This restriction was often sidestepped, project documents show. CyberPoint employees assisted in the hacking of hundreds of Google, Yahoo, Hotmail and Facebook accounts, sharing screenshots from the intrusions in presentations with senior Emirati intelligence officers. For example, DREAD accessed Google and Yahoo accounts to steal its targets’ Internet browser history, with the hackers highlighting their porn preferences in reports to managers, documents show.
In 2012, the program targeted the Hotmail and Gmail accounts of five staffers of the Konrad Adenauer Foundation, a German pro-democracy group that at the time was pushing for greater press and speech freedoms in the UAE. DREAD intercepted messages from one foundation manager’s hacked Gmail account. “Assume all comm channels have been” compromised, the manager’s message to an employee read.
Behind the scenes, the German ambassador to the UAE was called to meet with officials from the Emirates’ Ministry of Foreign Affairs, who said the German non-profit must leave the country, said a person with direct knowledge. In March 2012, the group was ordered out. The foundation declined comment.
American operatives also helped target the Gmail and Facebook accounts of Ahmed Ghaith al-Suwaidi, an Emirati economist and member of the Muslim Brotherhood, in 2011. In January 2012, DREAD hackers reported Al-Suwaidi had emailed signed documents putting his wife in charge of his assets in case anything happened to him, DREAD operation documents show.
Two months later, al-Suwaidi was arrested and detained in a secret prison, where he said he was tortured and forced to sign a confession, said Amnesty International. In 2013, as part of a trial of 94 activists accused of fomenting a coup, he was convicted and sentenced to 10 years in prison. Mohamed Al Zaabi, a friend and fellow activist, said al-Suwaidi had never advocated for a coup and had simply pushed for political reform.
Gumtow said that, to the best of his knowledge, CyberPoint was careful to stay within the bounds of the license and U.S. law.
Over time, conflict emerged between the Emiratis and Americans over the selection of targets, which Americans believed sometimes crossed the line into hacking U.S.-related entities. The locals began restricting the Americans’ access to surveillance databases, marking some “For Emirati Eyes Only.” Near the end of 2015, the UAE cancelled its CyberPoint contract and hired a UAE cybersecurity firm, DarkMatter.
Gumtow warned his employees that if they remained in the program, they would no longer be authorized under the State Department agreement and would be essentially going rogue. More than a dozen stayed.
While DarkMatter took over DREAD, the program was a tightly held secret, with even some company executives unaware of its existence, said six people with direct knowledge of the matter.
Under DarkMatter, DREAD targeted the United Nations’ offices in New York in a bid to compromise the email accounts of foreign diplomats from countries seen as UAE rivals, said a former operative. A UN spokesman confirmed the organization’s cybersecurity team identified attacks from a hacking group associated with the UAE.
In some cases, DREAD’s surveillance operations preceded the torture of targets.
In 2017, operatives hacked the emails of Saudi women’s rights activist Loujain al-Hathloul, after she tried to defy a ban against women driving in Saudi Arabia, a former DREAD operative said. Three years earlier, al-Hathloul, who was studying in the UAE, had been arrested by the Saudis after trying to drive across the border into Saudi Arabia and jailed for 73 days.
DREAD operatives monitoring al-Hathloul gave her the codename Purple Sword.
In 2018, just weeks before a royal decree allowed Saudi women to drive legally for the first time, UAE security forces arrested al-Hathloul again in Abu Dhabi and placed her in a private jet back to her home country. Once there, Saudi security forces jailed her on charges of sedition, torturing her in a secret facility outside Jeddah, her brother Walid al-Hathloul told Reuters. She was later moved to a prison near Riyadh where she remains, her brother said.
“It’s very disappointing to see Americans taking advantage of skills they learned in the U.S. to help this regime,” he said. “They are basically like mercenaries.”
Saudi Arabia and the UAE are close allies. A Saudi embassy spokesman did not respond to requests for comment.
In a brief emailed statement, DarkMatter said it was unaware of Reuters’ findings or any improper actions by the company.
A federal grand jury in Washington has been investigating whether American staff violated U.S. hacking laws in the UAE mission. The Federal Bureau of Investigation and the Justice Department declined to comment.
Congress is also asking questions, citing the earlier Reuters reports while pressing the State Department to explain DREAD and pushing for more transparency in foreign license agreements. Foreign governments “have apparently exploited the advanced training and expertise of individuals who developed their technical skills while in U.S. national service,” members wrote in May to the Director of National Intelligence and Secretary of State.
Rogers, the former House intelligence committee chairman, said it’s time for Washington to impose tougher restrictions on foreign intelligence contracting. “Outright eliminating those opportunities, I think, should absolutely be on the table,” he said.
Kurtz, who helped launch the program 10 years ago, agreed the U.S. government needs to reconsider how it controls the transfer of cyber capabilities overseas. “It can be a very slippery slope,” he said.