Exclusive: UAE used cyber super-weapon to spy on iPhones of foes
[January 30, 2019]
By Joel Schectman and Christopher Bing
WASHINGTON (Reuters) - A team of former
U.S. government intelligence operatives working for the United Arab
Emirates hacked into the iPhones of activists, diplomats and rival
foreign leaders with the help of a sophisticated spying tool called
Karma, in a campaign that shows how potent cyber-weapons are
proliferating beyond the world’s superpowers and into the hands of
smaller nations.
The cyber tool allowed the small Gulf country to monitor hundreds of
targets beginning in 2016, from the Emir of Qatar and a senior Turkish
official to a Nobel Peace laureate human-rights activist in Yemen,
according to five former operatives and program documents reviewed by
Reuters. The sources interviewed by Reuters were not Emirati citizens.
Karma was used by an offensive cyber operations unit in Abu Dhabi
comprised of Emirati security officials and former American intelligence
operatives working as contractors for the UAE’s intelligence services.
The existence of Karma and of the hacking unit, code named Project
Raven, haven’t been previously reported. Raven’s activities are detailed
in a separate story published by Reuters today.
The ex-Raven operatives described Karma as a tool that could remotely
grant access to iPhones simply by uploading phone numbers or email
accounts into an automated targeting system. The tool has limits — it
doesn’t work on Android devices and doesn’t intercept phone calls. But
it was unusually potent because, unlike many exploits, Karma did not
require a target to click on a link sent to an iPhone, they said.
In 2016 and 2017, Karma was used to obtain photos, emails, text messages
and location information from targets’ iPhones. The technique also
helped the hackers harvest saved passwords, which could be used for
other intrusions.
It isn’t clear whether the Karma hack remains in use. The former
operatives said that by the end of 2017, security updates to Apple Inc's
iPhone software had made Karma far less effective.
Lori Stroud, a former Raven operative who also previously worked at the
U.S. National Security Agency, told Reuters of the excitement when Karma
was introduced in 2016. “It was like, ‘We have this great new exploit
that we just bought. Get us a huge list of targets that have iPhones
now,’” she said. “It was like Christmas.”
The disclosure of Karma and the Raven unit comes amid an escalating
cyber arms race, with rivals such as Qatar, Saudi Arabia and the UAE
competing for the most sophisticated hacking tools and personnel.
Tools like Karma, which can exploit hundreds of iPhones simultaneously,
capturing their location data, photos and messages, are particularly
sought-after, veterans of cyberwarfare say. Only about 10 nations, such
as Russia, China and the United States and its closest allies, are
thought to be capable of developing such weapons, said Michael Daniel, a
former White House cyber security czar under President Obama.
Karma and similar tools make personal devices like iPhones the “juiciest
of targets,” said Patrick Wardle, a former National Security Agency
researcher and Apple security expert.
A spokeswoman for UAE’s Ministry of Foreign Affairs declined to comment.
Apple Inc declined to comment.
A FLAW IN APPLE'S IMESSAGE SYSTEM
The former Raven insiders said Karma allowed the operatives to gather
evidence on scores of targets — from activists critical of the
government to regional rivals, including Qatar, and the UAE’s
ideological opponent, the Islamic political Muslim Brotherhood movement.
It also granted them access to compromising and at times sexually
explicit photos of targets. The material was described to Reuters in
detail but reporters didn’t inspect it. Reuters saw no evidence that the
UAE leaked damaging materials discovered through Karma.
Emir of Qatar Sheikh Tamim bin Hamad bin Khalifa Al-Thani meets with
Lebanon's President Michel Aoun as he arrives to attend the Arab
Economic and Social Development summit meeting in Beirut, Lebanon
January 20, 2019. REUTERS/Mohamed Azakir/File Photo
Raven was largely staffed by U.S. intelligence community veterans, who were paid
through an Emirati cyber security firm named DarkMatter, according to documents
reviewed by Reuters. The company did not respond to numerous emails and phone
calls requesting comment. The NSA declined to comment on Project Raven.
The UAE government purchased Karma from a vendor outside the country, the
operatives said. Reuters could not determine the tool’s creator.
The operatives knew how to use Karma, feeding it new targets daily, in a system
requiring almost no input after an operative set its target. But the users did
not fully understand the technical details of how the tool managed to exploit
Apple vulnerabilities. People familiar with the art of cyber espionage said this
isn’t unusual in a major signals intelligence agency, where operators are kept
in the dark about most of what the engineers know of a weapon’s inner workings.
Three former operatives said they understood Karma to rely, at least in part, on
a flaw in Apple’s messaging system, iMessage. They said the flaw allowed for the
implantation of malware on the phone through iMessage, even if the phone’s owner
didn’t use the iMessage program, enabling the hackers to establish a connection
with the device.
To initiate the compromise, Karma needed only to send the target a text message
— the hack then required no action on the part of the recipient. The operatives
could not determine how the vulnerability worked.
A person with direct knowledge of the deal confirmed Karma’s sale to the
Emiratis from an outside vendor, details of its capabilities and its reliance on
an iMessage vulnerability.
The Raven team successfully hacked into the accounts of hundreds of prominent
Middle East political figures and activists across the region and, in some
cases, Europe, according to former Raven operatives and program documents.
TARGETING THE 'IRON WOMAN' OF YEMEN
In 2017, for instance, the operatives used Karma to hack an iPhone used by
Qatar’s Emir Sheikh Tamim bin Hamad al-Thani, as well as the devices of Turkey’s
former Deputy Prime Minister Mehmet Şimşek, and Oman’s head of foreign affairs,
Yusuf bin Alawi bin Abdullah. It isn’t clear what material was taken from their
devices.
Şimşek, who stepped down from his position in July, told Reuters the cyber
intrusion on his phone was “appalling and very disturbing.” The Washington
embassies of Qatar, Oman and Turkey did not respond to multiple emails and calls
requesting comment about the targeting of political figures in their countries.
Raven also hacked Tawakkol Karman, a human rights activist known as the Iron
Woman of Yemen. Informed by Reuters she had been targeted, she said she believes
she was chosen because of her leadership in Yemen’s Arab Spring protests, which
erupted around the region in 2011 and led to the ousting of Egyptian President
Hosni Mubarak.
For years she had received repeated notifications from social media accounts,
warning that she had been hacked, she told Reuters. But the fact that Americans
helped the Emirati government monitor her was shocking, she said.
Americans are “expected to support the protection of human rights defenders and
provide them with all protection and security means and tools,” she said, “not
to be a tool in the hands of tyrannies to spy on the activists and to enable
them to oppress their peoples.”
(By Joel Schectman and Christopher Bing in Washington. Editing by Ronnie Greene,
Jonathan Weber and Michael Williams)
[© 2019 Thomson Reuters. All rights reserved.] This material may not be published,
broadcast, rewritten or redistributed.