Project Raven – Cyber mercenaries and cyberwars
18 September, 2021, 3:45 pm
Earlier this week three American former NSA and US military cybersecurity experts were indicted for violations of US laws involving computer fraud and improper exporting of technology.
They agreed to a deferred prosecution agreement in which they would pay a fine over three years of a total of $US1.68 million (F$3.50m), support FBI and Justice Department investigations, sever ties to any United Arab Emirates (UAE) intelligence and law enforcement agencies, immediately relinquish their security clearances from the US and any foreign entity and be under a lifetime ban on future security clearances from the US.
In a storyline right out of a James Bond movie, we learn about Project Raven – a clandestine program to help the UAE authorities spy on other governments, militants, and human rights activists.
Its team included former US intelligence agents, who applied their training to hack phones and computers belonging to designated targets.
The operation was based in a converted mansion in Abu Dhabi nicknamed “the Villa”.
Seriously, that’s the name. This is all documented: it was investigated by the Reuters news agency and came out in January 2019.
From around 2014 to 2016, CyberPoint Inc. supplied US-trained contractors to Project Raven.
However, reportedly dissatisfied with relying upon a US-based contractor, the UAE replaced CyberPoint with DarkMatter as its contractor, and DarkMatter induced several key CyberPoint staff to move to DarkMatter.
Project Raven reportedly expanded its surveillance to include the targeting of Americans, potentially implicating its American staff in unlawful behavior.
In 2016, Project Raven bought a tool called Karma – which I wrote about a couple of weeks ago without being specific. Karma was able to remotely exploit Apple iPhones anywhere in the world without requiring any interaction on the part of the iPhone’s owner – i.e. clickless (zero-click) hacking.
It apparently achieved this by exploiting a zero-day vulnerability in the device’s iMessage app.
Project Raven operatives were able to view passwords, emails, text messages, photos and location data from the compromised iPhones.
As you can imagine the list of targets is quite extensive and now includes US citizens, which is partly why those three Americans got indicted by US authorities.
After the UAE contracts shifted from the US parent firm CyberPoint to its UAE subsidiary DarkMatter, apparently permission was not granted for cyberweapons like Karma to be used by the UAE firm.
DarkMatter works very closely with the government of the UAE and is a competitor of the Israeli firm NSO Group – recently in the news as well. From January 2016 to November 2019, the three indicted Americans significantly improved the operations that DarkMatter provided to the government of the UAE.
This story is still unfolding; however, I believe it is highly unlikely we’ll ever hear the whole truth – perhaps some watered-down version with everything swept under the carpet.
Any 21st century war will include cyber operations.
However, military systems are still vulnerable.
We need to face that reality by halting the purchase of insecure weapons and support systems and by incorporating the realities of offensive cyberattacks into military planning.
Let me clarify – just in this century (last 20 years), militaries have established cyber commands and developed cyberwar doctrine.
However, much of the current discussion is about offense.
Increasing our offensive capabilities without being able to secure them is like having all the best guns in the world, and then storing them in an unlocked, unguarded armory.
They won’t just be stolen; they’ll be subverted.
During that same period, we’ve seen increasingly brazen cyberattacks by everyone from hacktivists and cybercriminals to nation states. Everything is now a computer, and those computers are vulnerable.
Cars, medical devices, nuclear power plants, and fuel pipelines have all been targets.
Military computers, whether they’re embedded inside weapons systems or on desktops managing the logistics of those weapons systems, are similarly vulnerable.
We could see effects as stodgy as making a tank impossible to start up, or as sophisticated as retargeting a missile midair.
Military software is unlikely to be any more secure than commercial software.
Although sensitive military systems in the US rely on domestically manufactured chips as part of the Trusted Foundry program, many military systems contain the same foreign chips and code that commercial systems do: just like everyone around the world uses the same mobile phones, networking equipment, and computer operating systems.
Consider, for example, last year’s dispute over Chinese-made Huawei 5G networking equipment, which it was feared China could use to install “back doors” allowing the equipment to be controlled. We all know how that went, and it is still ongoing, but it is a simple example.
This is just one of many risks to our normal civilian computer components supply chains. And since military software is vulnerable to the same cyberattacks as commercial software, military supply chains have many of the same risks.
Militaries around the world are now exploiting these vulnerabilities in weapons systems to carry out operations.
When Israel in 2007 bombed a Syrian nuclear reactor, the raid was preceded by what is believed to have been a cyber attack on Syrian air defenses that resulted in blank radar screens showing no threat as bombers zoomed overhead.
In 2018, a 29-country NATO exercise, Trident Juncture that included cyberweapons was disrupted by Russian GPS jamming.
NATO does try to test cyberweapons outside such exercises, but has limited scope for doing so. In fact, the NATO secretary-general said that “NATO computer systems are facing almost daily cyberattacks.”
The war of the future will not only be about massive explosions, but will also be about disabling the systems that make the military function. It’s not (solely) that bases will get blown up; it’s that some bases will lose power, data, and communications.
It’s not that self-driving trucks or personnel carriers will suddenly go mad and begin rolling over friendly soldiers; it’s that they’ll casually roll off roads or into water where they sit, rusting, and in need of repair.
It’s not that the targeting systems on ICBMs will be retargeted to the White House; it’s that many of them could simply turn off and not turn back on again.
So, how do we prepare for this next war?
First, militaries need to introduce a little anarchy into their planning. Let’s have wargames where essential systems malfunction or are subverted—not all of the time, but randomly.
To help combat siloed military thinking, include some civilians as well.
Allow their ideas into the room when predicting potential enemy action. And militaries need to have well-developed backup plans for when systems are subverted.
NATO isn’t yet allowing civilians not employed by NATO or associated military contractors access to their training cyber ranges where vulnerabilities could be discovered and remediated before battlefield deployment.
Last year, a researcher was listening to a NATO briefing after the end of the 2020 Cyber Coalition exercises, and asked how she and other information security researchers could volunteer to test cyber ranges used to train its cyber incident response force.
She was told that including civilians would be a “welcome thought experiment in the tabletop exercises,” but including them in reality wasn’t considered.
There is a rich opportunity for improvement here: outside researchers would bring transparency into where the weaknesses lie.
Second, it’s time to take cybersecurity seriously in military procurement, from weapons systems to logistics and communications contracts.
DOD requires that its contractors and suppliers follow the Cybersecurity Maturity Model Certification process; it should abide by the same standards. Making those standards both more rigorous and mandatory would be an obvious second step.
Gone are the days when we can pretend that our technologies will work in the face of a military cyberattack. Everything in cyberspace operates in milliseconds or faster.
Securing systems will make everything more expensive—maybe a lot more expensive. But the alternative is no longer viable.
The future of war is cyberwar. If your weapons and systems aren’t secure, don’t even bother bringing them onto the battlefield.
An appropriate Latin adage I read recently: “Si vis pacem, para bellum” – if you want peace, prepare for war. As always, God bless and stay safe and masked in both digital and physical worlds this weekend.
- ILAITIA B. TUISAWAU is a private cybersecurity consultant. The views expressed in this article are his and are not necessarily shared by this newspaper. Mr Tuisawau can be contacted on firstname.lastname@example.org