But a detailed investigation into hacking demands technical skills that staff for the House and Senate Intelligence Committees appear to be lacking.

Research into public committee staff lists, LinkedIn, and conversations with several sources who have interacted with the committees shows a serious dearth of technical expertise among the staffers cleared to access classified materials that would be involved in the investigation. Essentially, committee staff are underwater when it comes to poking into the nitty gritty of cyber warfare — a longstanding problem made more relevant as attacks on U.S. government and politicians escalate.

Committees and their members customarily rely on staff to do the heavy lifting to prepare background research, evaluate evidence and information, and advise on policy and legal issues. Depending on the committee, staffers are typically well-versed in the law, international affairs, Washington policy debates, and more. But a technical matter like the election hacks benefits from knowledge of coding, information security, and attribution.

The bulk of staff on the intelligence committees — more than two dozen on each — are lawyers, policy wonks, and budget experts.  Many staffers worked in the legislative affairs offices of other senators and members of Congress, government budget offices, the Department of Justice, the military, private law firms, defense contractors, or Washington think tanks. While they’ve served for many years in their respective areas, those areas are rarely technical.

While some programs were created in recent years to remedy the desperate need for computer scientists and hackers on the Hill — like TechCongress, a tech policy fellowship in D.C. — the intelligence committees don’t normally accept fellows or detailees due to the sensitivity of the policy issues they discuss.

“Anecdotally, of the 15,000 staff in Congress, I’m aware of six that have technology-related educational backgrounds,” Travis Moore, the founder and director of TechCongress told The Intercept in response to a question about the staffing on the intelligence committees. “This is a problem. All policy is increasingly ‘tech’ policy.”

Spokespeople for the House and Senate Intelligence Committees declined comment on the expertise of their staff. The Senate Intelligence Committee does have new leadership in Democratic Sen. Mark Warner, who made his fortune investing in the cellular telecom industry and took a prominent role in the debate over encryption technology last Congress and who may emphasize technical issues in the coming debates over Russia.

But at the end of the day, there’s not much money to throw around, and adding a technical staffer might mean replacing another qualified legal or policy expert. “Congressional budgets have been slashed 35% and even officers that would like to hire for this expertise don’t have the resources to do so,” Moore said.

What technical knowledge the committees have historically added to their staffs is typically rooted in the legal sphere or the policy space rather than in the nuts and bolts of tech.

“Evidence of hacking, computer forensics, and attribution are highly technical fields,” Steven Bellovin, a computer science researcher and professor at Columbia University with experience advising the government on technology, wrote in an email.

“If you don’t have independent experts in those fields, you cannot independently evaluate the evidence — all you can do is look at their reports and see if all of the analysts agree,” Bellovin added.

There are staffers with some tech-related experience, like Bob Minehart of the House Intelligence Committee, who spent several decades in the intelligence community, including at the NSA doing “technical” work, according to Yahoo News. But even Minehart “may not have the right background for attribution” Bellovin said. Minehart, who has served in Congress for 12 years, works on the “Technical and Tactical” Subcommittee of the House Intelligence Committee, which polices the NSA, the National Reconnaissance Office, and the National Geospatial Intelligence agency on issues including offensive and defense cyber capabilities. Then there’s Brett Freedman, a counsel to the Senate Intelligence Committee, who spent time in the NSA and worked on the President’s Review Group on Intelligence and Communication technologies to advise President Barack Obama on how to maintain intelligence collection capabilities while protecting privacy and civil liberties. While often working on cyber policy issues, Freedman’s role appears strictly legal rather than technical. Neither Minehart or Freedman responded to a request for comment.

Other staffers were intelligence analysts for the government, served on the National Security Council, worked in the Pentagon, or were in the private sector working on defense at companies like Booz Allen Hamilton or BAE Systems.

Chris Soghoian, formerly the chief technologist of the American Civil Liberties Union and now a TechCongress fellow, has worked with several members on technical issues including Sen. Ron Wyden, D-Ore., who serves on the Senate Intelligence Committee — but never on the Russia investigation, confirmed by Hill staffers who have worked with him. Soghoian was not available for comment.

A major part of the investigation into Russian groups’ malicious cyber activities is actually linking their habits and traits, their trail of breadcrumbs, to the DNC hack itself. It’s challenging to solve whodunits in the cyber realm, because it’s possible to hide your tracks, and you can strike from halfway across the world without warning.

It is “continuity of knowledge” of past attacks and understanding of the “style of the attack and the tools and the software used” that helps companies make confident assessments about who’s behind what, Bellovin notes.

There’s a “typical tendency of governments to appoint lawyers to senior roles in leading all their cyber efforts,” according to Tony Cole, the chief technology officer of global government at cybersecurity firm FireEye. “The legal expertise is needed to ensure all applicable laws are followed, especially since this is a relatively gray area in the area around international law … [but] more operational cyber expertise at the most senior levels in government is needed badly,” he wrote in an email to The Intercept.

Security experts criticized the government’s rather pitiful report on the DNC hacks in December titled “Grizzly Steppe,” which listed malicious IP addresses as evidence of the attacks’ attribution to Russia — but noted that private sector reports painted a more revealing picture of the historical behavior of those groups than the report itself. Crowdstrike has been tracking purported Russian hacking groups — “Fancy Bear” and “The Dukes” — for years, since at least 2007.

“There have been personnel detailed to the committees in the past to try to provide greater technical expertise. But it’s always been woefully inadequate to the task,” Amy Zegart, the co-director of the Center for International Security and Cooperation, wrote in an email. Zegart penned a 2011 essay for the Hoover Institution titled “The Roots of Weak Congressional Intelligence Oversight” discussing the need for detailed knowledge and experience in the intelligence community to properly patrol its conduct.

Zegart helped launch a boot camp for congressional staffers to beef up on cyber issues at Stanford University in 2014, which they’ll be hosting again this summer — a program with a long waitlist. But it has not been sufficient, yet. “The fundamental challenge is you can’t oversee something effectively if you don’t understand it,” she concluded.

Top photo: Republican members of Congress attend a Joint Session of Congress at the U.S. Capitol in 2011 in Washington.

The post Congress May Lack Technical Expertise to Properly Investigate Russian Hacking appeared first on The Intercept.

In July, Simone Margaritelli, an Italian security researcher, boarded a Boeing 777 in Rome headed for Dubai, a city now billing itself as a tech startup hub.

He had a big job interview with a new, well-funded cybersecurity company called DarkMatter, whose self-described mission is to “safeguard the most complex organizations,” from government to the private sector, by preventing and fighting malicious cyberattacks and providing secure methods of communication — defensive cybersecurity, rather than offensive, which involves breaking into online systems and devices for espionage or destruction.

A friend of a friend had recommended Margaritelli, who was invited to spend five days in the United Arab Emirates at the company’s expense to learn more about the job. When he arrived in Dubai, the City of Gold, he found a full schedule of outings and a deluxe suite at the Jannah Marina Bay Suites hotel.

Margaritelli used to be a “blackhat” — a hacker looking to break into electronic systems. Now he works for a mobile security firm called Zimperium, where he still hunts for security flaws but does so to help people fix them. I “break stuff to make the world a safer place,” his website reads. He’s most well known for a portable tool he developed called Bettercap, used to perform a man-in-the-middle attack, where a hacker can eavesdrop or sometimes alter private communications between individuals.

When he arrived at the 29th floor of the Marina Plaza for his interview, the company representative described a plan to deploy electronic probes all over major cities in the UAE, which a team of hackers would then break into, guaranteeing access for DarkMatter and its customer — the Emirati government. The mission would be for the “exclusive” benefit of national security, Margaritelli was told. “Imagine that there’s a person of interest at the Dubai Mall, we’ve already set up all our probes all over the city, we press a button and BOOM! All the devices in the mall are infected and traceable,” Margaritelli wrote in a blog post recounting his experience.

Margaritelli declined to pursue the job offer. After his post, titled “How the United Arab Emirates Intelligence Tried to Hire Me to Spy on Its People,” began circulating, DarkMatter issued a single terse Twitter reply. The company said it preferred “talking reality & not fantasy.”

“No one from DarkMatter or its subsidiaries have ever interviewed Mr. Margaritelli,” Kevin Healy, director of communications for DarkMatter, wrote in an email to The Intercept. The man Margaritelli says interviewed him, Healy continued, was only an advisory consultant to DarkMatter — and that relationship has since ended (though several sources say he was employed by the company and had a DarkMatter email address).

“While we respect an author’s right to express a personal opinion, we do not view the content in question as credible, and therefore have no further comment,” Healy wrote.

DarkMatter denied outright Margaritelli’s assertions that it was recruiting hackers to research offensive security techniques. “Neither DarkMatter – nor any subsidiary, subset, research wing, or advisory department—engage in the activities described,” Healy wrote. “We conduct rigorous testing on all our products to ensure they do not include any vulnerabilities.”

Indeed, the idea of a UAE-based company recruiting an army of cyberwarriors from abroad to conduct mass surveillance aimed at the country’s own citizens may sound like something out of a bad Bond movie, but based on several months of interviews and research conducted by The Intercept, it appears DarkMatter has been doing precisely that.

Most of those who spoke with The Intercept asked to remain anonymous, citing nondisclosure agreements, fear of potential political persecution in the UAE, professional reprisals, and loss of current and future employment opportunities. Those quoted anonymously were speaking about events based on their direct experience with DarkMatter.

Margaritelli isn’t the only one who insists that DarkMatter isn’t being truthful about its operations and recruitment. More than five sources with knowledge of different parts of the company told The Intercept that sometime after its public debut last November, DarkMatter or a subsidiary began aggressively seeking skilled hackers, including some from the United States, to help it accomplish a wide range of offensive cybersecurity goals. Its work is aimed at exploiting hardware probes installed across major cities for surveillance, hunting down never-before-seen vulnerabilities in software, and building stealth malware implants to track, locate, and hack basically any person at any time in the UAE, several sources explained. As Margaritelli described it in an email to me, “Basically it’s big brother on steroids.”

D

Local tech blogs praised the company and celebrated its connection to the UAE government. They described DarkMatter as a savior to UAE businesses and institutions at constant threat of cyber intrusion, citing attacks against several banks in 2015 that temporarily crippled the country’s online banking infrastructure.

Soon, DarkMatter had hired a roster of top-level talent from major tech giants around the world, including Google, Samsung, Qualcomm, McAfee, and even a co-founder of the encrypted messaging service Wickr. The new star-studded squad traveled to conferences like San Francisco’s annual RSA summit, appearing on radio and TV shows along the way. They rolled out a secure voice and chat application, partnered up with Symantec to improve digital threat detection in the Middle East, and opened a research and development center in Canada, as well as offices in China.

But sometime last year, a segment of the company’s mandate grew from providing defense and forensics research to developing a powerful team capable of cyber offense, multiple sources tell The Intercept. According to one source, DarkMatter’s newfound interest in offensive operations coincided with revelations contained in leaked emails that the Italian company Hacking Team had sold surveillance equipment to a large number of repressive regimes. Out of Hacking Team’s ashes, DarkMatter rose.

While cybersecurity companies traditionally aim to ensure that the code in software and hardware is free of flaws — mistakes that malicious hackers can take advantage of — DarkMatter, according to sources familiar with the company’s activities, was trying to find and exploit these flaws in order to install malware. DarkMatter could take over a nearby surveillance camera or cellphone and basically do whatever it wanted with it — conduct surveillance, interfere with or change any electronic messages it emitted, or block the signals entirely.

It’s not clear that the company’s defensive employees have any idea; in fact, multiple sources suggested those projects are likely hidden from them. One source explained how company representatives tried to insist that the offensive research they were recruiting for would be conducted outside DarkMatter, with some sort of partner organization or offshoot. But several sources, Margaritelli included, said top leadership was directly involved in interviews and knew the truth.

DarkMatter’s spokesperson said the company is “privately held” and “does not receive any funding from the United Arab Emirates.”

There do, however, appear to be strong links between the company and the government. In press releases, the company identifies itself as “already a strategic partner to the UAE government,” and its offices are located on the 15th floor of the round Aldar Headquarters in Abu Dhabi, two floors away from the country’s intelligence agency, the National Electronic Security Authority. DarkMatter’s senior vice president of technology research used to hold the same position at NESA.

By the early months of 2016, DarkMatter’s recruitment push was already well underway. The company’s publicly identifiable employees came from across the U.S. national security establishment. According to public LinkedIn profiles, one current DarkMatter employee was a global network exploitation analyst for the U.S. Department of Defense who “strategized activities against particular networks” and supported “foreign intelligence collection.” Another was a counterintelligence “special agent” for the Pentagon, whose LinkedIn boasts an “active” top-secret security clearance with a polygraph screening. Another experienced cryptographer working for DarkMatter was a senior technical adviser to the NSA, where he was intricately involved in designing “U.S. voice and data systems.”

But the company hasn’t been upfront about all the jobs it’s recruiting top talent for, Margaritelli and multiple other sources suggest. DarkMatter’s recruiters reached out to the information security community, promising high-paying, exciting jobs that would be focused on cyberdefense, according to more than a dozen security researchers interviewed by The Intercept, some of whom shared recruitment materials. A number of cybersecurity experts claimed on Twitter to have been contacted by recruiters, including Charlie Miller, an Uber security researcher and former NSA analyst; Chris Valasek, a noted car hacker who has teamed up with Miller; and Fabio Assolini, a security researcher for Kaspersky Labs.

One recruiting email reviewed by The Intercept offered a carefree, tax-free life in Dubai, with housing, meals, health care, children’s education, and transportation all provided free of charge. The email said the job was with a newly formed “public/private partnership” that would be the “Cyber Security provider for all UAE Government.” Another email said DarkMatter’s plan was to hire 250 “geniuses” before the end of 2016. One security researcher said DarkMatter recruiters had contacted him on LinkedIn five or six separate times.

Some potential recruits didn’t respond, but others were excited; the job offered the chance to innovate the cybersecurity of an entire nation. The lucrative payday also attracted them; according to one source, who requested anonymity fearing professional reprisal, some offers were as high as half a million dollars a year — a number similar to other offers shared with The Intercept.

According to a source familiar with the company, an American citizen named Victor Kouznetsov who splits his time between the U.S. and the Middle East was a key recruiter for DarkMatter in the United States.

A man answering a cellphone identified in public records as belonging to Kouznetsov insisted that he must have been contacted in error; he did not work for DarkMatter and his name was not Victor. When asked why his voicemail message gave his name as “Victor,” he hung up. Reached by The Intercept via email, Kouznetsov declined to answer questions. “As you can imagine my NDA with DarkMatter prevents me from disclosing exactly what I do for the company, but I could say that none of it is recruiting researchers in offensive security,” he wrote.

One recruiting email said DarkMatter’s plan was to hire 250 “geniuses” before the end of 2016.

Several researchers whom DarkMatter approached, including Margaritelli, confirmed they were specifically told they would be working on offensive operations. In Margaritelli’s case, he was informed the company wanted to install a set of probes around Dubai, including base transceiver stations — equipment that allows for wireless communication between a device and a network — wireless access points, drones, surveillance cameras, and more.

The probes could be installed by DarkMatter surreptitiously or facilitated by telecoms tacitly agreeing to the surveillance setup, and the company could attach an offensive implant directly onto the probes capable of intercepting and modifying digital traffic on IP, 2G, 3G, and 4G networks. Anyone with a cellphone or using a device to connect to a wireless network connected to one of the probes would be vulnerable to hacking and tracking.

As Margaritelli explained it, the software DarkMatter originally designed to penetrate the probes “does not scale well enough” and therefore couldn’t handle the massive amounts of traffic it would be intercepting — forcing the need for a second team of hackers to do the job. The company wanted him to help solve the problem.

Margaritelli’s account is the most revealing, but several other sources discussed similar projects proposed by DarkMatter, including researching and developing exploits for zero-day vulnerabilities, as well as deploying and developing some of the same stealth malware implants Margaritelli was asked to work on. DarkMatter asked one researcher, who has discovered and reported bugs to Facebook, Google, and other major technology companies, to use his vulnerability research “to allow them to have access on trusted domains.” Basically, he would find a flaw in a website that would allow DarkMatter to manipulate it to help spread malware to targets without being detected. The researcher, who spoke anonymously, said he refused, even after getting an offer for more money, because, in contrast to DarkMatter’s proposal, “what I’m doing is ethical hacking.”

But what two sources and several security researchers The Intercept consulted were most concerned about was DarkMatter’s plan to become a certificate authority. A certificate authority is a trusted third party, typically a company or official agency, that issues digital certificates — basically, electronic “passports” that verify a user’s identity and that software is legitimate.

Web traffic and code from Microsoft, Facebook, Mozilla, and others is trustworthy because the company digitally signs off on it. But DarkMatter, as a certificate authority, could pretend to be someone else and issue its own digital certificate. There are mechanisms in place to prevent this type of attack, called certificate pinning, but many sites don’t use those precautions — and they still might not prevent DarkMatter from signing code, such as for a software update, as someone else. In theory, the company could sign an anti-virus update that looked like it came from Kaspersky Labs, when in reality it is sending malicious code.

DarkMatter, according to one source, would be able to use its authority to sign its own rootkits — software tools that allow undetected and unauthorized access to computer systems — in order to carry out man-in-the-middle attacks. “This is huge,” the source said.

DarkMatter has a business unit dedicated to public key infrastructure “or national root certificates of trust for countries regionally and internationally,” Healy confirmed. “While DarkMatter is not a central [public key infrastructure] authority for the UAE, we currently provide consulting and management services and intend to launch our own commercial Certification services soon.”

While DarkMatter denied any plans to use its capabilities for cyber offense, if the company continues to develop secure messaging platforms, or hardware including its own phones, it would have access to all the internal schematics of those products: bug reports, security standards, and more. DarkMatter’s hackers could secretly take advantage of that information while its defensive staff works to fix the flaw and push an update to consumer devices, a process that can take years.

When asked about the possibility of selling its own phones, Healy wrote that DarkMatter is, in fact, considering developing hardware.

R

But last summer, CyberPoint made headlines for teaming up with the Italian surveillance peddler Hacking Team, whose internal emails were leaked — revealing an extensive account of sales to repressive regimes. The leaked emails indicated that representatives from CyberPoint had worked with Hacking Team to facilitate the sale of what appeared to be surveillance equipment to the UAE government. Around the end of 2015, there was an internal struggle within CyberPoint over the UAE contract, five sources familiar with the company told The Intercept. Former CyberPoint employees spoke to The Intercept on the condition of anonymity out of fear of reprisal and concern for the safety of associates still living in the Emirates.

After the Hacking Team emails leaked in July, there were loud, angry meetings in CyberPoint offices — people deciding what to do now that their internal operations in the Middle East had been exposed to the world. As a result of those discussions, two things happened: A vast chunk of CyberPoint staff jumped ship to DarkMatter, which was already dangling massive yearly salaries and luxurious benefits. DarkMatter even helped some employees legally shift their state residency to South Dakota to get more lenient tax breaks while living overseas, according to one source. DarkMatter does not “comment on individual employment contracts,” Healy wrote to The Intercept. “In summary we abide by the law in our employment and operational activities in all the jurisdictions in which we operate.”

CyberPoint employees in the UAE who weren’t offered — or didn’t accept — jobs at DarkMatter weren’t promised contract extensions. CyberPoint sent out a notice in December, one former employee said, announcing two months’ notice on the contract. For some who left, it was a surprise, and they still aren’t totally sure what happened. Others suggested DarkMatter was only interested in the more technical staff. One source described the exodus of employees as more of a “hostile takeover” directed by the United Arab Emirates government — ending CyberPoint’s original UAE contract and offering positions within the country instead, to get engineers under its own roof.

DarkMatter confirmed that some CyberPoint employees joined the UAE company but said this was nothing extraordinary. “DarkMatter recruits talent from across the globe and currently has over 400 team members, some of whom joined us from CyberPoint. They now occupy a diverse set of duties and responsibilities across several departments,” Healy said.

According to Gumtow, CyberPoint’s CEO, the company has gone through “quite a few changes” since it pulled out of the UAE for good. He sent responses to questions submitted by The Intercept via LinkedIn messages. There are no longer any CyberPoint employees in the Emirates, and no part of the company was acquired or bought by DarkMatter or anyone else, he wrote. CyberPoint, Gumtow said, never contracted with DarkMatter.

Additionally, Gumtow clarified that CyberPoint isn’t in the business of developing “cyberweapons.” Instead, the company conducts “penetration tests and security assessments,” he wrote. “We use commercial and custom tools that are widely available all around the world.”

However, those same tools used for improving cyberdefense can be turned around to infect unsuspecting targets. Even if the intelligence community uses those tools lawfully to infect targeted systems during national security investigations, others can steal or adapt the code to hack unsuspecting journalists or activists. “The overlap between offense and defense is very large,” Nicholas Weaver, a security researcher at the International Computer Science Institute, wrote in an email to The Intercept. “Especially when it comes to network monitoring: The exact same tools can be used to monitor your network to detect attacks and monitor a network for bulk surveillance.”

CyberPoint International did “good work, maybe noble, in some cases,” one former employee said. But a small percentage of the work was “shady,” suggesting it involved offensive research against different online platforms.

Another source stated that research, development, and coding conducted within CyberPoint ended up being used for a targeted spyware attack on journalists and activists in the Emirates between 2012 and the present. The attack involved spyware sent through Twitter, spear-phishing emails, and a malicious URL shortening service. These types of attacks are familiar to Emirati human rights activist Ahmed Mansoor. He told The Intercept that he hasn’t encountered DarkMatter but was warned about the company recently by a friend, who told him, “They are doing the hacking for UAE security bodies.”

Stealth Falcon attacked some UAE targets after CyberPoint left the UAE, and some employees who worked on the spyware or had access to it joined DarkMatter, according to the source, who said that not every instance of the malware attack has yet been detected. “There’s a lot that hasn’t been discovered,” the source said.

DarkMatter, Healy said, is not aware of Stealth Falcon or the offensive tools used to access journalists’ information. “As we have explained previously, we do not own or develop any cybersecurity solutions for offensive purposes.”

At one point in time, CyberPoint was essentially capable of penetrating millions of devices regardless of brand, given its awareness of vulnerabilities — undiscovered or unpatched — in software around the world, one source explained. Those included vulnerabilities in Tor Browser, Firefox, Internet Explorer, and Microsoft Office.

The United Arab Emirates appears to be hoping to create its own cyber offense team, another source explained. Those capabilities could include cyber network attack teams and cyber network exploitation teams, for disruptive cyberattacks to disable adversaries’ online resources, as well as for espionage and spying — capabilities being developed in governments worldwide with varying levels of oversight and restriction.

According to Ryan Duff, a security researcher and former cyber operations tactician for U.S. Cyber Command, computer network exploitation and computer network attacks are distinguished based on the purpose of the intrusion: intelligence collection versus destruction. Exploitation “basically means gaining access to a machine for the purpose of collection. So you would have some type of software, malware, or implant installed on the machine” to monitor it, he said. Network attacks, on the other hand, also rely on gaining access but are aimed at destruction, such as “wiping a hard drive, destroying servers,” or using a botnet to launch a denial of service attack. These types of network attacks are linked to military action or covert missions.

Most evidence so far points toward espionage. DarkMatter may have hired members of CyberPoint, with knowledge of code capable of infecting users through Twitter and other online platforms, to help.

“It is my understanding that … there were some types of offensive activities that [CyberPoint International] couldn’t or wouldn’t do for the client and the client did not want to be told no so they sought to restructure in a way that a foreign company could not impede their efforts,” one former employee said.

One thing is clear: The new arrangement led dozens of employees to leave the UAE rather than join DarkMatter. Several who opted out of the relationship cited concerns about the UAE’s human rights record, including arbitrary detention and torture of activists and dissidents. One cited the issue with “free speech” as a particular sore point.

A

The world of cyber exports is a confusing one. Depending on what DarkMatter is actually doing, its sales might be regulated by multiple bodies of law. If the products involve cryptography technology, there may be some arms export restrictions — while hacking tools and zero-days are not typically regulated that way, said Eva Galperin, a global policy analyst for the Electric Frontier Foundation and technology adviser for the Freedom of the Press Foundation. “If you want to sell surveillance malware from the UAE, nothing stops you,” she said during a phone interview.

The United States, however, has attempted to regulate those types of “cyberweapons,” and many U.S. officials wanted to tighten regulations in response to instances like Hacking Team’s sale of surveillance tools to repressive regimes. Critics of those proposed regulations pointed out that such technologies could be used for legitimate purposes, like testing products for cybersecurity or penetration testing.

“If you want to sell surveillance malware from the UAE, nothing stops you.”

It’s unclear, however, where DarkMatter’s work may fall in terms of export law. If the work involving U.S.-origin technology or technical expertise involved cryptography, a license would be required from the U.S. State Department. According to Colby Goodman, director of the Security Assistance Monitor and an expert in International Traffic in Arms Regulations, any American employees working on regulated products would need some sort of export license, even if they moved overseas and started working for a foreign company. “If you were a UAE citizen, and I was telling you about something that was ITAR controlled,” he explained, “that would be exporting it, unless I had a license.”

“It’s a similar concept with classified information,” he continued. Just because you leave the country doesn’t mean you forget the classified information — and if you give it away, that’s a violation.

The State Department declined to comment on whether an export license had been issued to cover DarkMatter or its employees, including those formerly from CyberPoint. The Commerce Department, which regulates some security equipment sales, did not respond to a request for comment.

DarkMatter, for its part, said it has obtained proper licenses, though it did not provide details.

“DarkMatter has provided its customers with technologies worth hundreds of millions of dollars, through its global security and technology vendors,” Healy, the spokesperson, said. “A number of these contracts extend to highly sensitive security systems that DarkMatter has applied for and — following the standard screening process — been granted export control licenses from jurisdictions including the U.S. and various European countries.”

A

DarkMatter has started showing up in U.S. cybersecurity circles in recent months — including at BlackHat USA, the massive annual security and hacking conference in Vegas, where it handed out swag to attendees, including pens and notebooks adorned with a DarkMatter insignia. A representative at the booth said the company was still busy recruiting.

In his July blog post describing his UAE interview, Margaritelli wrote that he hoped his account would “serve to warn those who, like me, might find themselves dragged into shady affairs, partially or completely unaware, as well as anyone pursuing job offers that entail moving to the UAE. Know that you would be giving up your privacy, and more importantly, your freedom of speech for money.”

“You can’t blame the bag man for the job you gave them.”

Not everyone I spoke with agreed with his view. French security researcher Matt Suiche, whose cybersecurity startup Comae Technologies is also based in the UAE, said that “every country does surveillance” and hiring foreign workers in the UAE was not unusual; the UAE was simply trying to establish its own technology base. “It’s like the UAE Mars mission,” he said.

Some of the former CyberPoint employees in the UAE said they didn’t mind the surveillance work, treating it as an inevitable and natural path for a young modern nation facing legitimate threats. “I was impartial to the work I did,” one former employee told me. For the UAE, the source said, using surveillance to track its own citizens has become normalized. He described himself as a “realist” though admitted he tried to minimize his “exposure to certain things” the company did.

“You can’t blame the bag man for the job you gave them,” he said.

In the lobby of a Vegas hotel during BlackHat, I spoke with Margaritelli about his frustrations with DarkMatter — a Platinum sponsor at the event. He has all the trappings of a hacker from movies, including lip and nose piercings, rectangular glasses, and cigarettes. He avoids cellphones but finds other ways to communicate. He went to school for physics and engineering but never finished his degree. He has a very specific memory for numbers, network domains, addresses, and people. Though he says his English isn’t very good, he can rapidly translate Italian text into colloquial English.

Margaritelli told me he started off wary of DarkMatter. He was familiar with the UAE government’s reputation of locking up and disappearing dissidents and purchasing surveillance equipment from other countries. Plus, his interviewer — a former employee of another controversial surveillance company, Verint — seemed a little too interested in Bettercap, Margaritelli’s well-known hacking tool.

While some researchers may argue that what DarkMatter is doing is simply par for the course in cybersecurity, Margaritelli said that the scale of the endeavor is unprecedented, creating a zombie hoard of infected devices, primed for hacking and surveillance. “In a near future, every single electronic device in the UAE will unwillingly be part of their state botnet,” he said.

Later, in an email, Margaritelli wrote that he works with all sorts of hacking technologies, but he remains shocked by DarkMatter’s ambitions to surveil an entire nation. “What they want to do,” he wrote, “it’s fucking insane.”

The post Spies for Hire appeared first on The Intercept.