Spies for Hire
In July, Simone Margaritelli, an Italian security researcher, boarded a Boeing 777 in Rome headed for Dubai, a city now billing itself as a tech startup hub.
He had a big job interview with a new, well-funded cybersecurity company called DarkMatter, whose self-described mission is to “safeguard the most complex organizations,” from government to the private sector, by preventing and fighting malicious cyberattacks and providing secure methods of communication — defensive cybersecurity, rather than offensive, which involves breaking into online systems and devices for espionage or destruction.
A friend of a friend had recommended Margaritelli, who was invited to spend five days in the United Arab Emirates at the company’s expense to learn more about the job. When he arrived in Dubai, the City of Gold, he found a full schedule of outings and a deluxe suite at the Jannah Marina Bay Suites hotel.
Margaritelli used to be a “blackhat” — a hacker looking to break into electronic systems. Now he works for a mobile security firm called Zimperium, where he still hunts for security flaws but does so to help people fix them. I “break stuff to make the world a safer place,” his website reads. He’s most well known for a portable tool he developed called Bettercap, used to perform a man-in-the-middle attack, where a hacker can eavesdrop or sometimes alter private communications between individuals.
When he arrived at the 29th floor of the Marina Plaza for his interview, the company representative described a plan to deploy electronic probes all over major cities in the UAE, which a team of hackers would then break into, guaranteeing access for DarkMatter and its customer — the Emirati government. The mission would be for the “exclusive” benefit of national security, Margaritelli was told. “Imagine that there’s a person of interest at the Dubai Mall, we’ve already set up all our probes all over the city, we press a button and BOOM! All the devices in the mall are infected and traceable,” Margaritelli wrote in a blog post recounting his experience.
Margaritelli declined to pursue the job offer. After his post, titled “How the United Arab Emirates Intelligence Tried to Hire Me to Spy on Its People,” began circulating, DarkMatter issued a single terse Twitter reply. The company said it preferred “talking reality & not fantasy.”
“No one from DarkMatter or its subsidiaries have ever interviewed Mr. Margaritelli,” Kevin Healy, director of communications for DarkMatter, wrote in an email to The Intercept. The man Margaritelli says interviewed him, Healy continued, was only an advisory consultant to DarkMatter — and that relationship has since ended (though several sources say he was employed by the company and had a DarkMatter email address).
“While we respect an author’s right to express a personal opinion, we do not view the content in question as credible, and therefore have no further comment,” Healy wrote.
DarkMatter denied outright Margaritelli’s assertions that it was recruiting hackers to research offensive security techniques. “Neither DarkMatter — nor any subsidiary, subset, research wing, or advisory department — engage in the activities described,” Healy wrote. “We conduct rigorous testing on all our products to ensure they do not include any vulnerabilities.”
Indeed, the idea of a UAE-based company recruiting an army of cyberwarriors from abroad to conduct mass surveillance aimed at the country’s own citizens may sound like something out of a bad Bond movie, but based on several months of interviews and research conducted by The Intercept, it appears DarkMatter has been doing precisely that.
Most of those who spoke with The Intercept asked to remain anonymous, citing nondisclosure agreements, fear of potential political persecution in the UAE, professional reprisals, and loss of current and future employment opportunities. Those quoted anonymously were speaking about events based on their direct experience with DarkMatter.
Margaritelli isn’t the only one who insists that DarkMatter isn’t being truthful about its operations and recruitment. More than five sources with knowledge of different parts of the company told The Intercept that sometime after its public debut last November, DarkMatter or a subsidiary began aggressively seeking skilled hackers, including some from the United States, to help it accomplish a wide range of offensive cybersecurity goals. Its work is aimed at exploiting hardware probes installed across major cities for surveillance, hunting down never-before-seen vulnerabilities in software, and building stealth malware implants to track, locate, and hack basically any person at any time in the UAE, several sources explained. As Margaritelli described it in an email to me, “Basically it’s big brother on steroids.”
DarkMatter made its public debut when the CEO, Faisal Al Bannai, gave a keynote speech surrounded by government officials, engineers, and businesspeople at the 2nd Annual Arab Future Cities Summit in Dubai. DarkMatter launched its portfolio of cybersecurity products as a “digital defense and intelligence service” for the nation. Al Bannai’s speech and DarkMatter marketing materials were peppered with buzzwords like cyber network defense and secure communications. Following its launch, the company routinely boasted, online and during conferences and radio interviews, about its would-be world-changing defensive cybersecurity missions, including developing its own encryption platforms and potentially secure phones in house, defending national and corporate networks, bug-sweeping and countersurveillance, and more, all under a single umbrella.
Local tech blogs praised the company and celebrated its connection to the UAE government. They described DarkMatter as a savior to UAE businesses and institutions at constant threat of cyber intrusion, citing attacks against several banks in 2015 that temporarily crippled the country’s online banking infrastructure.
Soon, DarkMatter had hired a roster of top-level talent from major tech giants around the world, including Google, Samsung, Qualcomm, McAfee, and even a co-founder of the encrypted messaging service Wickr. The new star-studded squad traveled to conferences like San Francisco’s annual RSA summit, appearing on radio and TV shows along the way. They rolled out a secure voice and chat application, partnered up with Symantec to improve digital threat detection in the Middle East, and opened a research and development center in Canada, as well as offices in China.
But sometime last year, a segment of the company’s mandate grew from providing defense and forensics research to developing a powerful team capable of cyber offense, multiple sources tell The Intercept. According to one source, DarkMatter’s newfound interest in offensive operations coincided with revelations contained in leaked emails that the Italian company Hacking Team had sold surveillance equipment to a large number of repressive regimes. Out of Hacking Team’s ashes, DarkMatter rose.
While cybersecurity companies traditionally aim to ensure that the code in software and hardware is free of flaws — mistakes that malicious hackers can take advantage of — DarkMatter, according to sources familiar with the company’s activities, was trying to find and exploit these flaws in order to install malware. DarkMatter could take over a nearby surveillance camera or cellphone and basically do whatever it wanted with it — conduct surveillance, interfere with or change any electronic messages it emitted, or block the signals entirely.
It’s not clear that the company’s defensive employees have any idea; in fact, multiple sources suggested those projects are likely hidden from them. One source explained how company representatives tried to insist that the offensive research they were recruiting for would be conducted outside DarkMatter, with some sort of partner organization or offshoot. But several sources, Margaritelli included, said top leadership was directly involved in interviews and knew the truth.
DarkMatter’s spokesperson said the company is “privately held” and “does not receive any funding from the United Arab Emirates.”
There do, however, appear to be strong links between the company and the government. In press releases, the company identifies itself as “already a strategic partner to the UAE government,” and its offices are located on the 15th floor of the round Aldar Headquarters in Abu Dhabi, two floors away from the country’s intelligence agency, the National Electronic Security Authority. DarkMatter’s senior vice president of technology research used to hold the same position at NESA.
By the early months of 2016, DarkMatter’s recruitment push was already well underway. The company’s publicly identifiable employees came from across the U.S. national security establishment. According to public LinkedIn profiles, one current DarkMatter employee was a global network exploitation analyst for the U.S. Department of Defense who “strategized activities against particular networks” and supported “foreign intelligence collection.” Another was a counterintelligence “special agent” for the Pentagon, whose LinkedIn boasts an “active” top-secret security clearance with a polygraph screening. Another experienced cryptographer working for DarkMatter was a senior technical adviser to the NSA, where he was intricately involved in designing “U.S. voice and data systems.”
But the company hasn’t been upfront about all the jobs it’s recruiting top talent for, Margaritelli and multiple other sources suggest. DarkMatter’s recruiters reached out to the information security community, promising high-paying, exciting jobs that would be focused on cyberdefense, according to more than a dozen security researchers interviewed by The Intercept, some of whom shared recruitment materials. A number of cybersecurity experts claimed on Twitter to have been contacted by recruiters, including Charlie Miller, an Uber security researcher and former NSA analyst; Chris Valasek, a noted car hacker who has teamed up with Miller; and Fabio Assolini, a security researcher for Kaspersky Labs.
One recruiting email reviewed by The Intercept offered a carefree, tax-free life in Dubai, with housing, meals, health care, children’s education, and transportation all provided free of charge. The email said the job was with a newly formed “public/private partnership” that would be the “Cyber Security provider for all UAE Government.” Another email said DarkMatter’s plan was to hire 250 “geniuses” before the end of 2016. One security researcher said DarkMatter recruiters had contacted him on LinkedIn five or six separate times.
Some potential recruits didn’t respond, but others were excited; the job offered the chance to innovate the cybersecurity of an entire nation. The lucrative payday also attracted them; according to one source, who requested anonymity fearing professional reprisal, some offers were as high as half a million dollars a year — a number similar to other offers shared with The Intercept.
According to a source familiar with the company, an American citizen named Victor Kouznetsov who splits his time between the U.S. and the Middle East was a key recruiter for DarkMatter in the United States.
A man answering a cellphone identified in public records as belonging to Kouznetsov insisted that he must have been contacted in error; he did not work for DarkMatter and his name was not Victor. When asked why his voicemail message gave his name as “Victor,” he hung up. Reached by The Intercept via email, Kouznetsov declined to answer questions. “As you can imagine my NDA with DarkMatter prevents me from disclosing exactly what I do for the company, but I could say that none of it is recruiting researchers in offensive security,” he wrote.
Several researchers whom DarkMatter approached, including Margaritelli, confirmed they were specifically told they would be working on offensive operations. In Margaritelli’s case, he was informed the company wanted to install a set of probes around Dubai, including base transceiver stations — equipment that allows for wireless communication between a device and a network — wireless access points, drones, surveillance cameras, and more.
The probes could be installed by DarkMatter surreptitiously or facilitated by telecoms tacitly agreeing to the surveillance setup, and the company could attach an offensive implant directly onto the probes capable of intercepting and modifying digital traffic on IP, 2G, 3G, and 4G networks. Anyone with a cellphone or using a device to connect to a wireless network connected to one of the probes would be vulnerable to hacking and tracking.
As Margaritelli explained it, the software DarkMatter originally designed to penetrate the probes “does not scale well enough” and therefore couldn’t handle the massive amounts of traffic it would be intercepting — forcing the need for a second team of hackers to do the job. The company wanted him to help solve the problem.
Margaritelli’s account is the most revealing, but several other sources discussed similar projects proposed by DarkMatter, including researching and developing exploits for zero-day vulnerabilities, as well as deploying and developing some of the same stealth malware implants Margaritelli was asked to work on. DarkMatter asked one researcher, who has discovered and reported bugs to Facebook, Google, and other major technology companies, to use his vulnerability research “to allow them to have access on trusted domains.” Basically, he would find a flaw in a website that would allow DarkMatter to manipulate it to help spread malware to targets without being detected. The researcher, who spoke anonymously, said he refused, even after getting an offer for more money, because, in contrast to DarkMatter’s proposal, “what I’m doing is ethical hacking.”
But what two sources and several security researchers The Intercept consulted were most concerned about was DarkMatter’s plan to become a certificate authority. A certificate authority is a trusted third party, typically a company or official agency, that issues digital certificates — basically, electronic “passports” that verify a user’s identity and that software is legitimate.
Web traffic and code from Microsoft, Facebook, Mozilla, and others can be trusted because a certificate authority has digitally vouched for the identity behind it. But DarkMatter, as a certificate authority, could pretend to be someone else and issue its own digital certificate in that party’s name. There is a mechanism to prevent this type of attack, called certificate pinning, in which a client accepts only the specific certificate or key it expects rather than any certificate a trusted authority has signed — but many sites don’t use that precaution, and it still might not prevent DarkMatter from signing code, such as a software update, as someone else. In theory, the company could sign an anti-virus update that looked like it came from Kaspersky Labs, when in reality it is sending malicious code.
DarkMatter, according to one source, would be able to use its authority to sign its own rootkits — software tools that allow undetected and unauthorized access to computer systems — in order to carry out man-in-the-middle attacks. “This is huge,” the source said.
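To make the trust relationship described above concrete, here is an added teaching example, not code from the article or from any company it names. It models a toy public key infrastructure in which two root authorities are both trusted by the client; CA signatures are stand-ins built from HMAC-SHA256 with a CA secret (assumed here so the script runs on the standard library alone), and the point is the difference between the ordinary chain check, which accepts anything a trusted root signed, and a pinned check, which also requires the expected server key.

```python
"""
Why a misbehaving trusted certificate authority is dangerous, and how
client-side certificate pinning limits the damage.

Toy model (added example): a "certificate" is a dict, and a CA "signature"
is an HMAC-SHA256 tag keyed with that CA's secret. The HMAC stands in for a
real RSA/ECDSA signature so that only the standard library is needed; the
trust logic (chain check versus pin check) is what this demonstrates.
"""
import hashlib
import hmac
import secrets


def _tbs(cert):
    """The 'to-be-signed' bytes: every certificate field except the signature."""
    return f'{cert["subject"]}|{cert["public_key"]}|{cert["issuer"]}'.encode()


class ToyCA:
    """A certificate authority: whoever trusts it trusts everything it signs."""

    def __init__(self, name):
        self.name = name
        self._secret = secrets.token_bytes(32)  # stand-in for the CA private key

    def sign(self, subject, public_key):
        """Issue a certificate binding `subject` (a hostname) to `public_key`."""
        cert = {"subject": subject, "public_key": public_key, "issuer": self.name}
        cert["signature"] = hmac.new(self._secret, _tbs(cert), hashlib.sha256).hexdigest()
        return cert

    def verify(self, cert):
        """True only if this CA issued `cert` and no field was altered afterwards."""
        expected = hmac.new(self._secret, _tbs(cert), hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, cert["signature"])


def spki_pin(public_key):
    """SPKI-style pin: a hash of the server's public key, shipped inside the client."""
    return hashlib.sha256(public_key.encode()).hexdigest()


def chain_valid(cert, trust_store):
    """Ordinary TLS-style check: accept if ANY trusted root signed the certificate."""
    issuer = trust_store.get(cert["issuer"])
    return issuer is not None and issuer.verify(cert)


def pinned_valid(cert, trust_store, pins):
    """Chain check plus pin check: the leaf key must be one the client expects."""
    return chain_valid(cert, trust_store) and spki_pin(cert["public_key"]) in pins


def demo():
    """Two trusted roots; one of them issues a certificate for a site it does not own."""
    honest_ca = ToyCA("Honest Root CA")
    rogue_ca = ToyCA("Rogue Root CA")  # also in the trust store, like any shipped root
    trust_store = {ca.name: ca for ca in (honest_ca, rogue_ca)}

    # Constructed sample values: the real site's key, certified by the honest CA.
    site = "updates.example-av.test"
    real_key = "pk:real-site-key-0001"
    real_cert = honest_ca.sign(site, real_key)

    # The rogue CA issues a certificate for the same hostname but a key it controls.
    mitm_key = "pk:rogue-controlled-key-0001"
    mitm_cert = rogue_ca.sign(site, mitm_key)

    pins = {spki_pin(real_key)}  # what a pinned client carries for this hostname

    return {
        "chain_accepts_real": chain_valid(real_cert, trust_store),
        "chain_accepts_mitm": chain_valid(mitm_cert, trust_store),  # True: the weakness
        "pin_accepts_real": pinned_valid(real_cert, trust_store, pins),
        "pin_accepts_mitm": pinned_valid(mitm_cert, trust_store, pins),  # False: pin helps
    }


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```

Note that the pin check only protects clients that carry a pin for that hostname; a code-signing check that merely asks "did a trusted authority sign this?" behaves like `chain_valid` and accepts the rogue authority's signature, which is the software-update scenario the article describes.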
DarkMatter has a business unit dedicated to public key infrastructure “or national root certificates of trust for countries regionally and internationally,” Healy confirmed. “While DarkMatter is not a central [public key infrastructure] authority for the UAE, we currently provide consulting and management services and intend to launch our own commercial Certification services soon.”
While DarkMatter denied any plans to use its capabilities for cyber offense, if the company continues to develop secure messaging platforms, or hardware including its own phones, it would have access to all the internal schematics of those products: bug reports, security standards, and more. DarkMatter’s hackers could secretly take advantage of that information while its defensive staff works to fix the flaw and push an update to consumer devices, a process that can take years.
When asked about the possibility of selling its own phones, Healy wrote that DarkMatter is, in fact, considering developing hardware.
Recruiting wasn’t the only way DarkMatter snapped up top offensive talent. Last winter, the company poached a large number of employees from an American company, a Baltimore startup called CyberPoint International, formerly on contract with the Ministry of the Interior of the United Arab Emirates. CyberPoint, founded by CEO Karl Gumtow and his wife, Vicki, in 2009, billed itself as a defensive operation — protecting financial information, intellectual property, business records, and other forms of communications. It won multiple contracts with different parts of the U.S. government, including $6 million from the Pentagon’s Defense Advanced Research Projects Agency, and Gumtow was nominated last year for the Maryland region Entrepreneur of the Year award. News articles also listed CyberPoint as one of the companies that sent employees to the United Arab Emirates to train its intelligence agency, NESA, essentially the equivalent of the United States NSA.
But last summer, CyberPoint made headlines for teaming up with the Italian surveillance peddler Hacking Team, whose internal emails were leaked — revealing an extensive account of sales to repressive regimes. The leaked emails indicated that representatives from CyberPoint had worked with Hacking Team to facilitate the sale of what appeared to be surveillance equipment to the UAE government. Around the end of 2015, there was an internal struggle within CyberPoint over the UAE contract, five sources familiar with the company told The Intercept. Former CyberPoint employees spoke to The Intercept on the condition of anonymity out of fear of reprisal and concern for the safety of associates still living in the Emirates.
After the Hacking Team emails leaked in July, there were loud, angry meetings in CyberPoint offices — people deciding what to do now that their internal operations in the Middle East had been exposed to the world. As a result of those discussions, two things happened: A vast chunk of CyberPoint staff jumped ship to DarkMatter, which was already dangling massive yearly salaries and luxurious benefits. DarkMatter even helped some employees legally shift their state residency to South Dakota to get more lenient tax breaks while living overseas, according to one source. DarkMatter does not “comment on individual employment contracts,” Healy wrote to The Intercept. “In summary we abide by the law in our employment and operational activities in all the jurisdictions in which we operate.”
CyberPoint employees in the UAE who weren’t offered — or didn’t accept — jobs at DarkMatter weren’t promised contract extensions. CyberPoint sent out a notice in December, one former employee said, announcing two months’ notice on the contract. For some who left, it was a surprise, and they still aren’t totally sure what happened. Others suggested DarkMatter was only interested in the more technical staff. One source described the exodus of employees as more of a “hostile takeover” directed by the United Arab Emirates government — ending CyberPoint’s original UAE contract and offering positions within the country instead, to get engineers under its own roof.
DarkMatter confirmed that some CyberPoint employees joined the UAE company but said this was nothing extraordinary. “DarkMatter recruits talent from across the globe and currently has over 400 team members, some of whom joined us from CyberPoint. They now occupy a diverse set of duties and responsibilities across several departments,” Healy said.
According to Gumtow, CyberPoint’s CEO, the company has gone through “quite a few changes” since it pulled out of the UAE for good. He sent responses to questions submitted by The Intercept via LinkedIn messages. There are no longer any CyberPoint employees in the Emirates, and no part of the company was acquired or bought by DarkMatter or anyone else, he wrote. CyberPoint, Gumtow said, never contracted with DarkMatter.
Additionally, Gumtow clarified that CyberPoint isn’t in the business of developing “cyberweapons.” Instead, the company conducts “penetration tests and security assessments,” he wrote. “We use commercial and custom tools that are widely available all around the world.”
However, those same tools used for improving cyberdefense can be turned around to infect unsuspecting targets. Even if the intelligence community uses those tools lawfully to infect targeted systems during national security investigations, others can steal or adapt the code to hack unsuspecting journalists or activists. “The overlap between offense and defense is very large,” Nicholas Weaver, a security researcher at the International Computer Science Institute, wrote in an email to The Intercept. “Especially when it comes to network monitoring: The exact same tools can be used to monitor your network to detect attacks and monitor a network for bulk surveillance.”
CyberPoint International did “good work, maybe noble, in some cases,” one former employee said. But a small percentage of the work was “shady,” suggesting it involved offensive research against different online platforms.
Another source stated that research, development, and coding conducted within CyberPoint ended up being used for a targeted spyware attack on journalists and activists in the Emirates between 2012 and the present. The attack involved spyware sent through Twitter, spear-phishing emails, and a malicious URL shortening service. These types of attacks are familiar to Emirati human rights activist Ahmed Mansoor. He told The Intercept that he hasn’t encountered DarkMatter but was warned about the company recently by a friend, who told him, “They are doing the hacking for UAE security bodies.”
Security researchers nicknamed the hacking group behind the attack “Stealth Falcon.” The researchers noted that “circumstantial evidence suggests a link between Stealth Falcon and the UAE government,” based on “digital artifacts.”
Stealth Falcon attacked some UAE targets after CyberPoint left the UAE, and some employees who worked on the spyware or had access to it joined DarkMatter, according to the source, who said that not every instance of the malware attack has yet been detected. “There’s a lot that hasn’t been discovered,” the source said.
DarkMatter, Healy said, is not aware of Stealth Falcon or the offensive tools used to access journalists’ information. “As we have explained previously, we do not own or develop any cybersecurity solutions for offensive purposes.”
At one point in time, CyberPoint was essentially capable of penetrating millions of devices regardless of brand, given its awareness of vulnerabilities — undiscovered or unpatched — in software around the world, one source explained. Those included vulnerabilities in Tor Browser, Firefox, Internet Explorer, and Microsoft Office.
The United Arab Emirates appears to be hoping to create its own cyber offense team, another source explained. Those capabilities could include cyber network attack teams and cyber network exploitation teams, for disruptive cyberattacks to disable adversaries’ online resources, as well as for espionage and spying — capabilities being developed in governments worldwide with varying levels of oversight and restriction.
According to Ryan Duff, a security researcher and former cyber operations tactician for U.S. Cyber Command, computer network exploitation and computer network attacks are distinguished based on the purpose of the intrusion: intelligence collection versus destruction. Exploitation “basically means gaining access to a machine for the purpose of collection. So you would have some type of software, malware, or implant installed on the machine” to monitor it, he said. Network attacks, on the other hand, also rely on gaining access but are aimed at destruction, such as “wiping a hard drive, destroying servers,” or using a botnet to launch a denial of service attack. These types of network attacks are linked to military action or covert missions.
Most evidence so far points toward espionage. DarkMatter may have hired members of CyberPoint, with knowledge of code capable of infecting users through Twitter and other online platforms, to help.
“It is my understanding that … there were some types of offensive activities that [CyberPoint International] couldn’t or wouldn’t do for the client and the client did not want to be told no so they sought to restructure in a way that a foreign company could not impede their efforts,” one former employee said.
One thing is clear: The new arrangement led dozens of employees to leave the UAE rather than join DarkMatter. Several who opted out of the relationship cited concerns about the UAE’s human rights record, including arbitrary detention and torture of activists and dissidents. One cited the issue with “free speech” as a particular sore point.
A bigger question, perhaps, is whether DarkMatter’s use of American-developed hacking tools is even legal, since it may be covered by U.S. export regulations. According to the Washington Post, the State Department at one point granted CyberPoint permission to advise the UAE on cybersecurity. But two people who spoke with The Intercept questioned whether DarkMatter, which appears to have subsumed CyberPoint’s earlier work in the UAE, would be covered by that license.
The world of cyber exports is a confusing one. Depending on what DarkMatter is actually doing, its sales might be regulated by multiple bodies of law. If the products involve cryptography technology, there may be some arms export restrictions — while hacking tools and zero-days are not typically regulated that way, said Eva Galperin, a global policy analyst for the Electronic Frontier Foundation and technology adviser for the Freedom of the Press Foundation. “If you want to sell surveillance malware from the UAE, nothing stops you,” she said during a phone interview.
The United States, however, has attempted to regulate those types of “cyberweapons,” and many U.S. officials wanted to tighten regulations in response to instances like Hacking Team’s sale of surveillance tools to repressive regimes. Critics of those proposed regulations pointed out that such technologies could be used for legitimate purposes, like testing products for cybersecurity or penetration testing.
It’s unclear, however, where DarkMatter’s work may fall in terms of export law. If the work involving U.S.-origin technology or technical expertise involved cryptography, a license would be required from the U.S. State Department. According to Colby Goodman, director of the Security Assistance Monitor and an expert in International Traffic in Arms Regulations, any American employees working on regulated products would need some sort of export license, even if they moved overseas and started working for a foreign company. “If you were a UAE citizen, and I was telling you about something that was ITAR controlled,” he explained, “that would be exporting it, unless I had a license.”
“It’s a similar concept with classified information,” he continued. Just because you leave the country doesn’t mean you forget the classified information — and if you give it away, that’s a violation.
The State Department declined to comment on whether an export license had been issued to cover DarkMatter or its employees, including those formerly from CyberPoint. The Commerce Department, which regulates some security equipment sales, did not respond to a request for comment.
DarkMatter, for its part, said it has obtained proper licenses, though it did not provide details.
“DarkMatter has provided its customers with technologies worth hundreds of millions of dollars, through its global security and technology vendors,” Healy, the spokesperson, said. “A number of these contracts extend to highly sensitive security systems that DarkMatter has applied for and — following the standard screening process — been granted export control licenses from jurisdictions including the U.S. and various European countries.”
At a crowded Las Vegas convention hall in August, representatives from DarkMatter were camped out in several large canopied stations, a short stroll from a vendor making hand-rolled cigars, several open bars, and a booth raffling off a robot dinosaur.
DarkMatter has started showing up in U.S. cybersecurity circles in recent months — including at BlackHat USA, the massive annual security and hacking conference in Vegas, where it handed out swag to attendees, including pens and notebooks adorned with a DarkMatter insignia. A representative at the booth said the company was still busy recruiting.
In his July blog post describing his UAE interview, Margaritelli wrote that he hoped his account would “serve to warn those who, like me, might find themselves dragged into shady affairs, partially or completely unaware, as well as anyone pursuing job offers that entail moving to the UAE. Know that you would be giving up your privacy, and more importantly, your freedom of speech for money.”
Not everyone I spoke with agreed with his view. French security researcher Matt Suiche, whose cybersecurity startup Comae Technologies is also based in the UAE, said that “every country does surveillance” and hiring foreign workers in the UAE was not unusual; the UAE was simply trying to establish its own technology base. “It’s like the UAE Mars mission,” he said.
Some of the former CyberPoint employees in the UAE said they didn’t mind the surveillance work, treating it as an inevitable and natural path for a young modern nation facing legitimate threats. “I was impartial to the work I did,” one former employee told me. For the UAE, the source said, using surveillance to track its own citizens has become normalized. He described himself as a “realist” though admitted he tried to minimize his “exposure to certain things” the company did.
“You can’t blame the bag man for the job you gave them,” he said.
In the lobby of a Vegas hotel during BlackHat, I spoke with Margaritelli about his frustrations with DarkMatter — a Platinum sponsor at the event. He has all the trappings of a hacker from movies, including lip and nose piercings, rectangular glasses, and cigarettes. He avoids cellphones but finds other ways to communicate. He went to school for physics and engineering but never finished his degree. He has a very specific memory for numbers, network domains, addresses, and people. Though he says his English isn’t very good, he can rapidly translate Italian text into colloquial English.
Margaritelli told me he started off wary of DarkMatter. He was familiar with the UAE government’s reputation of locking up and disappearing dissidents and purchasing surveillance equipment from other countries. Plus, his interviewer — a former employee of another controversial surveillance company, Verint — seemed a little too interested in Bettercap, Margaritelli’s well-known hacking tool.
While some researchers may argue that what DarkMatter is doing is simply par for the course in cybersecurity, Margaritelli said that the scale of the endeavor is unprecedented, creating a zombie horde of infected devices, primed for hacking and surveillance. “In a near future, every single electronic device in the UAE will unwillingly be part of their state botnet,” he said.
Later, in an email, Margaritelli wrote that he works with all sorts of hacking technologies, but he remains shocked by DarkMatter’s ambitions to surveil an entire nation. “What they want to do,” he wrote, “it’s fucking insane.”