In an exclusive report, Reuters has documented the work of 'Project Raven' — an operation run by the government of the United Arab Emirates, in which former US intelligence agency staff have spied on other governments, human rights activists and even US citizens.
The article primarily focuses on former NSA intelligence analyst Lori Stroud, the only Project operative willing to be named — eight others spoke on the condition of anonymity.
Stroud spent a decade at the NSA, first as military service member 2003 — 2009, then agency contractor for tech giant Booz Allen Hamilton 2009 — 2014. Her specialism was hunting for vulnerabilities in foreign government computer systems — such as China's — and assessing what data could and should be stolen.
A mere two months later, Snowden infamously fled the US and passed on thousands of pages of top secret program files to journalists. Stroud and her team were unofficially blamed for enabling the massive security breach, and they became persona non grata at the agency.
In the wake of the scandal, Marc Baier, a former colleague of Stroud's at NSA Hawaii, offered her the opportunity to work for CyberPoint, a US contractor. She was told the job involved counterterrorism work in cooperation with the Emiratis, but little else — although she was assured the project was approved by the NSA, and accepted the offer in May 2014.
A fortnight later, Stroud was in Abu Dhabi, one of over a dozen former US intelligence veterans working under the auspices of Project Raven — their primary task surveillance of citizens critical of the UAE's ruling monarchy. They would use techniques invented and perfected by the US intelligence community, including a resource called 'Karma', which was employed to hack into hundreds of dissidents' phones and computers. The team also investigated targets' friends, relatives and associates, placing them under close surveillance too.
"Some days it was hard to swallow, like [when you target] a 16-year-old kid on Twitter. But it's an intelligence mission, you are an intelligence operative. I never made it personal," she told Reuters.
Raven's targets eventually evolved to militants in Yemen, and foreign governments including Iran, Qatar and Turkey, all bitter enemies of UAE. On top of employing their existing knowledge of intelligence tactics, the American operatives also developed new software to carry out infiltration and monitoring tasks. An Emirati operative would usually "press the button" on an attack however, in order to give the former US spy agency staff "plausible deniability".
Moreover, using fake identities and Bitcoin, the Project anonymously rented servers around the world, allowing them to launch attacks from a network of machines that couldn't be traced back to its true origin.
Fake identities also played a role in the targeting of several individuals, including UK journalist and activist Rori Donaghy, who'd authored articles critical of the UAE's human rights record. The Emiratis were acutely aware spying on Donaghy could harm diplomatic relations with its Western allies, and stressed the need for extreme caution, suggesting Project operatives "ingratiate [themselves] to the target by espousing similar beliefs".
Posing as a single human rights activist, staff emailed Donaghy asking for his help to "bring hope to those who are long suffering", managing to convince him to download software that would make messages "difficult to trace." In reality, the malware allowed the Emiratis to continuously monitor Donaghy's email account and Internet browsing. The surveillance against Donaghy remained a top priority for the Emirates until 2015, when he learned his email had been hacked.
Along the way, staff were told the NSA approved of and was regularly briefed on Raven's activities — but in 2016, the Emiratis moved responsibility for Project Raven to UAE cybersecurity firm DarkMatter, but the former US spies remained. It would not be long before their mission began to involve the targeting of fellow Americans for surveillance, activity which not only raised serious ethical questions for all involved, but made their activities illegal in their home country.
While Stroud praises the lack of "bull****" red tape" and "limitations" in her work for Project Raven, she also alleges she helped create an policy detailing how data on Americans accidentally harvested by the team's activities should be deleted, she said after its supposed implementation she kept on finding such information in the organization's data stores.
At the same time, the Emiratis began hiding an increasing number of sections of Project Raven hidden from the view of the Americans on the team.
In 2016, FBI agents began questioning American Project Raven employees who'd reentered the US, in particular whether they'd spied on US citizens and shared sensitive information with the Emiratis — Stroud was among them, having been approached at Virginia's Dulles airport as she was preparing to head back to the UAE after a trip home. She says she refused to tell them "jack".
However, one morning in spring 2017 Stroud noticed a passport page of an American was in the Project system, and emailed supervisors to complain. She was told the data had been collected by mistake and would be deleted — but her concerns not allayed, she began searching a targeting request list usually limited to Emirati staff, which she was able to access because of her role as lead analyst.
When Stroud kept raising questions, she was put on leave, her phones and passport confiscated. She was allowed to return to her homeland after two months, whereupon she contacted the FBI agents who confronted her at the airport. The Bureau is now investigating Project Raven's activities — but Stroud's contributions are limited in specifics, as she claims to not remember the names of the Americans she came across in the files.