Exclusive: UAE used cyber super-weapon to spy on iPhones
of foes
January 30, 2019
By Joel Schectman and Christopher Bing
WASHINGTON (Reuters) - A team of former U.S. government
intelligence operatives working for the United Arab Emirates hacked into the iPhones
of activists, diplomats and rival foreign leaders with the help of a
sophisticated spying tool called Karma, in a campaign that shows how potent
cyber-weapons are proliferating beyond the world’s superpowers and into the
hands of smaller nations.
The cyber tool allowed the small Gulf country to monitor
hundreds of targets beginning in 2016, from the Emir of Qatar and a senior
Turkish official to a Nobel Peace laureate human-rights activist in Yemen,
according to five former operatives and program documents reviewed by Reuters.
The sources interviewed by Reuters were not Emirati citizens.
Karma was used by an offensive cyber operations unit in
Abu Dhabi comprised of Emirati security officials and former American
intelligence operatives working as contractors for the UAE’s intelligence
services. The existence of Karma and of the hacking unit, code named Project
Raven, haven’t been previously reported. Raven’s activities are detailed in a
separate story published by Reuters today.
The ex-Raven operatives described Karma as a tool that
could remotely grant access to iPhones simply by uploading phone numbers or
email accounts into an automated targeting system. The tool has limits — it
doesn’t work on Android devices and doesn’t intercept phone calls. But it was
unusually potent because, unlike many exploits, Karma did not require a target
to click on a link sent to an iPhone, they said.
In 2016 and 2017, Karma was used to obtain photos,
emails, text messages and location information from targets’ iPhones. The
technique also helped the hackers harvest saved passwords, which could be used
for other intrusions.
It isn’t clear whether the Karma hack remains in use. The
former operatives said that by the end of 2017, security updates to Apple Inc's
iPhone software had made Karma far less effective.
Lori Stroud, a former Raven operative who also previously
worked at the U.S. National Security Agency, told Reuters of the excitement
when Karma was introduced in 2016. “It was like, ‘We have this great new
exploit that we just bought. Get us a huge list of targets that have iPhones
now,’” she said. “It was like Christmas.”
The disclosure of Karma and the Raven unit comes amid an
escalating cyber arms race, with rivals such as Qatar, Saudi Arabia and the UAE
competing for the most sophisticated hacking tools and personnel.
Tools like Karma, which can exploit hundreds of iPhones
simultaneously, capturing their location data, photos and messages, are
particularly sought-after, veterans of cyberwarfare say. Only about 10 nations,
such as Russia, China and the United States and its closest allies, are thought
to be capable of developing such weapons, said Michael Daniel, a former White
House cyber security czar under President Obama.
Karma and similar tools make personal devices like
iPhones the “juiciest of targets,” said Patrick Wardle, a former National
Security Agency researcher and Apple security expert.
A spokeswoman for UAE’s Ministry of Foreign Affairs
declined to comment.
Apple Inc declined to comment.
A FLAW IN APPLE'S IMESSAGE SYSTEM
The former Raven insiders said Karma allowed the
operatives to gather evidence on scores of targets — from activists critical of
the government to regional rivals, including Qatar, and the UAE’s ideological
opponent, the Islamic political Muslim Brotherhood movement.
It also granted them access to compromising and at times
sexually explicit photos of targets. The material was described to Reuters in
detail but reporters didn’t inspect it. Reuters saw no evidence that the UAE
leaked damaging materials discovered through Karma.
Raven was largely staffed by U.S. intelligence community
veterans, who were paid through an Emirati cyber security firm named
DarkMatter, according to documents reviewed by Reuters. The company did not
respond to numerous emails and phone calls requesting comment. The NSA declined
to comment on Project Raven.
The UAE government purchased Karma from a vendor outside
the country, the operatives said. Reuters could not determine the tool’s
creator.
The operatives knew how to use Karma, feeding it new
targets daily, in a system requiring almost no input after an operative set its
target. But the users did not fully understand the technical details of how the
tool managed to exploit Apple vulnerabilities. People familiar with the art of
cyber espionage said this isn’t unusual in a major signals intelligence agency,
where operators are kept in the dark about most of what the engineers know of a
weapon’s inner workings.
Three former operatives said they understood Karma to
rely, at least in part, on a flaw in Apple’s messaging system, iMessage. They
said the flaw allowed for the implantation of malware on the phone through
iMessage, even if the phone’s owner didn’t use the iMessage program, enabling
the hackers to establish a connection with the device.
To initiate the compromise, Karma needed only to send the
target a text message — the hack then required no action on the part of the
recipient. The operatives could not determine how the vulnerability worked.
A person with direct knowledge of the deal confirmed
Karma’s sale to the Emiratis from an outside vendor, details of its
capabilities and its reliance on an iMessage vulnerability.
The Raven team successfully hacked into the accounts of
hundreds of prominent Middle East political figures and activists across the
region and, in some cases, Europe, according to former Raven operatives and
program documents.
TARGETING THE 'IRON WOMAN' OF YEMEN
In 2017, for instance, the operatives used Karma to hack
an iPhone used by Qatar’s Emir Sheikh Tamim bin Hamad al-Thani, as well as the
devices of Turkey’s former Deputy Prime Minister Mehmet Şimşek, and Oman’s head
of foreign affairs, Yusuf bin Alawi bin Abdullah. It isn’t clear what material
was taken from their devices.
Şimşek, who stepped down from his position in July, told
Reuters the cyber intrusion on his phone was “appalling and very disturbing.”
The Washington embassies of Qatar, Oman and Turkey did not respond to multiple
emails and calls requesting comment about the targeting of political figures in
their countries.
Raven also hacked Tawakkol Karman, a human rights
activist known as the Iron Woman of Yemen. Informed by Reuters she had been
targeted, she said she believes she was chosen because of her leadership in
Yemen’s Arab Spring protests, which erupted around the region in 2011 and led
to the ousting of Egyptian President Hosni Mubarak.
For years she had received repeated notifications from
social media accounts, warning that she had been hacked, she told Reuters. But
the fact that Americans helped the Emirati government monitor her was shocking,
she said.
Americans are “expected to support the protection of
human rights defenders and provide them with all protection and security means
and tools,” she said, “not to be a tool in the hands of tyrannies to spy on the
activists and to enable them to oppress their peoples.”
(By Joel Schectman and Christopher Bing in Washington.
Editing by Ronnie Greene, Jonathan Weber and Michael Williams)