Former NSA Hacker Describes Being Recruited for UAE Spy Program
David Evenden was hired in 2014 to work in Abu Dhabi on a defensive cybersecurity project, only to discover it was actually an offensive spy operation for a United Arab Emirates intelligence service.
Last week the Justice Department revealed that it had charged three former US intelligence personnel with helping the United Arab Emirates procure zero-day exploits and hacking expertise for a surveillance program that was used against US targets. Marc Baier, Ryan Adams and Daniel Gericke, senior managers in the UAE-based company DarkMatter, are accused of violating US export control laws in providing the UAE dictatorship with regulated technology and services without a requisite license and with violating a US computer hacking law. As part of a deferred prosecution agreement with the government, the three will have to forfeit $750,000, $600,000, and $335,000, respectively.
Former NSA operator and analyst David Evenden worked with the three men in the UAE and was among the first US intelligence workers recruited for the job — though he didn’t know it was a surveillance program when he and his wife said yes to moving to Abu Dhabi.
In June 2014, Evenden was finishing his military service and intelligence work for the NSA, when a recruiter contacted him about working for a US-based company called CyberPoint. The company had a consulting contract with the UAE, and Evenden was led to believe the work for the UAE would be entirely defensive in nature, aimed at helping the UAE secure its infrastructure against attacks from adversarial nations and terrorists.
Once in Abu Dhabi, Evenden realized he had been deceived and that he and colleagues had actually been recruited to perform offensive hacking operations and surveillance on behalf of the UAE’s National Electronic Security Authority, or NESA (the UAE’s equivalent of the NSA).
The deception didn’t initially concern Evenden, however, because the work was primarily focused on conducting surveillance against would-be terrorist targets. But when his team was asked to help spy on the government of Qatar as well as the movements of the royal family and others with no discernible terrorist connection, they began pushing back. The UAE subsequently cancelled its contract with CyberPoint and moved the surveillance project — known as Project Raven — to a UAE-based company called DarkMatter that would be more amenable to the spying requests. While a number of Evenden’s US colleagues jumped to DarkMatter to continue the work at considerably higher salaries — in some cases more than $200,000 for analysts and close to half a million dollars for managers — Evenden quit and returned to the U.S.
A lot of what DarkMatter was doing in the UAE has already been described in detail in stories published by reporter Jenna McLaughlin in The Intercept and Foreign Policy in 2016 and 2017, and in 2019 by Reuters' journalists Chris Bing and Joel Schectman, who obtained extensive internal documents about Project Raven and an on-the-record interview with Lori Stroud, another American who worked in the program. Stroud and the documents revealed just how much she and other former US intelligence workers were involved in spying for the UAE. Evenden spoke about his UAE work for an episode of the DarkNet Diaries podcast in 2019, and in her recent book, NY Times journalist Nicole Perlroth revealed that some of the communications Evenden and his team intercepted from Qatar were emails between Qatar’s Sheikha Moza bint Nasser and First Lady Michelle Obama about the latter's visit to Qatar.
Here Evenden describes how he was approached by a headhunter in June 2014 to work for CyberPoint and the red flags that he ignored — including concerns about his manager, Marc Baier, who was charged by the Justice Department. The interview has been edited and organized for length and clarity.
What’s your take on the charges against Marc brought by the Justice Department?
I actually feel like … what they’re doing ultimately is, in my opinion, a terrible precedence. Because you just made [hacking] foreign infrastructure from a foreign location open-season for US citizens. The only thing that they’re charging them with is attacking US infrastructure [not helping the UAE spy on other countries]…. [L]et’s just say I’m an American and I want to target something overseas. What’s going to happen to me? Nothing. Almost nothing. We just proved that….
How were you first approached to go to the UAE?
[I]t was a full headhunter…. He worked for a third-party recruiting company that was looking for somebody to fulfill billets overseas by CyberPoint.
You had just left the NSA at that time?
I was still there…. [W]e had decided to leave the military but I had accepted another position with a different contracting firm to stay there on campus with the NSA… My EoS (End of Service for the military) was August 3. So…from June 2 [we] started the entire interview process [with the headhunter], and we leave for Abu Dhabi on August 7.
I can’t believe we did that. Then August or September, we find out we’re pregnant [with our first child].
Evenden and his wife initially lived in a hotel before moving into “a crazy huge villa.” He says about half a dozen other Americans were hired around the same time, which grew to about 35 by the time he quit.
You’ve said there were no red flags. How did the recruiter convince you to re-locate to Abu Dhabi?
There were no red flags because I was so naive. But… there’s a ton of red flags [in retrospect]…. [For example] when you’re in the interview process and you’re talking about defending [the UAE] and … doing tracking of terrorist activity,… but then you’re [being asked] very specific questions about integrated enterprise Windows environments and [how you might hack them]. Guess who doesn’t have those type of networks? Terrorist organizations. So why [is the recruiter] asking these kinds of questions…?
So had I been really cognizant of where or what I was stepping into, I probably would have known during even the interview process that something is a little bit amiss here.
I can see why you might have thought everything was legit since CyberPoint did have approved contracts with other governments.
Right. We had an official signed export control license from the State Department. We had ITAR [International Traffic in Arms Regulations] authorities, we had permissions. We had the whole deal to help protect [the UAE]. We did not have authorities to help perform offensive operations.
So you believed the entire mission for CyberPoint in the UAE was defensive.
But when you were interviewed for the job, the interviewer asked you about offensive operations.
Exactly. And had I been not naive, that would have been much more clear.
Did the contract between the UAE and CyberPoint include offensive operations?
[T]he CyberPoint contract with the UAE, as pertains [to what] the State Department… authorized, it was defensive. [W]ere we supposed to be performing offensive operations? The answer is no. Was it happening anyways as to whether or not we were assisting or performing these actions on our own? Yes.
Your personal contract was also for defensive work only?
The way that the CyberPoint contracts were written and what the missions were, were not really clear. I think they were written that way on purpose, though.
But you thought you were going to help the UAE set up a defensive network.
Once he arrived in Abu Dhabi and met with Marc Baier, who had previously worked for the NSA in Hawaii, he says there were more red flags.
I actually, just because of our conversations [with Marc] and the way everything was being handled when I first [arrived], I reached out to somebody that I knew that knew Marc previously in the service and just kind of asked, ‘Something seems weird here with this person. What’s going on?’
What did Marc say or do that made you think you should ask someone about him?
It’s hard to answer questions based on intuition… His personality, … if you ever met him, you would just know immediately like something’s wrong here…. It’s weird that…my spidey sense went off and it was actually so incredibly accurate. I probably should have just listened [to it].
Did you think he was deceptive?
One hundred percent. I mean you can’t have a conversation with him and not think he’s being deceptive. I mean at least at that point…. We weren’t allowed to have copies of — or spend a lot of time reading — the documents from the State Department. No one was allowed to have a copy of that.
The licensing documents?
Exactly. So in my mind, it’s like why? Unless what we’re doing here is not approved, why else would I not be allowed to have a copy of that?
Did he seem troubled by what they were doing?
I think that he knew what was coming down the road, and he knew what the next five to ten years looks like.
Part of me felt like he was just continually incredibly depressed about the process, but doing his best. Let’s just say you start a process…and you’re this naive person that wants to help the world and make the world a better place. And now fifteen years later you’re…using [people] for something completely different than what they think they’re doing. Ultimately I feel like he had a conscience….
That seems to contradict what the FBI says. The FBI says they were warned as early as 2017 that their activity violated US regulation, and Marc and the others shrugged it off.
I think at that point yes. But what I’m talking about is 2014… when he was still a CyberPoint employee.
So he was feeling some guilt about not being straight with you guys?
One hundred percent.
Why didn’t you leave as soon as you sensed in August that something was off?
They didn’t really make it easy to just turn around and leave. I think that had it been a lot easier … it’s possible we might have. Purchasing plane tickets, breaking a contract, moving household goods,… the contract says if you don’t do this, you’re going to have to pay for all of this. So it’s like, No I don’t have like $30,000 sitting around just to pay this back. So it’s like I might as well just push through and make it work.
Were there other red flags once you started the work?
[T]here’s just so many things throughout the process that just became very clear something is just different here…. [T]he way that information was delivered to us altered — as a request from the UAE government back down to us … filtered through Marc and Ryan. [It] ended up being presented in a way that did meet or align with our authorities, or rather seemed to… Ryan Adams was good at taking stuff and making it sound like it actually did support our missions or what we thought our mission was.
Evenden says they never did defensive work. Initially, they were tasked with doing open-source intelligence research and analysis aimed at terrorist groups and individuals — identifying ISIS and al Qaeda movements across borders to help prevent attacks. But it gradually turned into something more. For example, they were asked to see if they could penetrate computers in Qatar to see if the country was funneling money to terrorist organizations. But when they found they could access many government ministry offices and other sensitive networks in Qatar, their UAE overlords wanted more than just terrorist intelligence; they wanted to track the flights that members of the royal family were taking, and they wanted to know if Qatar was bribing officials of FIFA (the Federation Internationale de Football Association) to get the 2022 World Cup hosted in Qatar. CyberPoint’s CEO Karl Gumtow has long insisted that his employees only did defensive work for the UAE and that if anyone engaged in offensive operations, this was rogue activity.
We would [also] regularly purchase new laptops and install them with malware, and [then they would] give them away as gifts — completely re-package them.
Who were they giving the laptops to?
Other leaders. Leaders who were coming to visit [UAE] sheiks…. We reported [to people] two or three steps down from the sheik … but the only real people who knew who those people were, were Ryan and Marc.
So Ryan and Marc would task you with outfitting a laptop with spyware and they would pass it to the sheik’s staff, who would give them to foreign dignitaries?
Yeah. “Thanks for coming. Just as a sign of our appreciation, here’s a bunch of stuff.” One of those things happened to be a laptop. We do know that they were turned on sometimes. What happened after that we don’t always know the answers to.
You know they were turned on because they were beaconing out? But then you didn’t see any other communication after that?
Some situations there were, some situations there weren’t.
Did you feel safe in Abu Dhabi?
I would say from a local crime perspective yes. [Did] I feel safe from the country that I’m helping?… I think that I continually felt on edge the whole time I was there. It’s just the nature of where you’re at. [Y]ou’re with your family in a country that’s not very far from very active terrorist activity for one. But from the country itself,… they effectively are watching the people helping and supporting the contract almost continuously.
So you were under surveillance. At home?
I don’t think at home no, but definitely if you do something different — if you fly to an adjacent country, if you have friends from out of town, if you’re traveling across borders a lot. Yes there is definitely always people with their eye on you. Also, watching that [surveillance] happening to people who are…targets of our shop and knowing what that looked like — what they’re willing to do, and what they can get away with in the UAE is frightening. There’s no checks and balances.
Were there enough expats there that you felt comfortable being there?
Ultimately that’s what creates this facade of international comfort is that the country is 90 percent expats. We went to church, we were part of a small group — in fact some of the people we were friends with there we see regularly still. We developed really strong relationships… So it does kind of give you this almost a false sense of security because you’re incorporated with so many other expats.
When did it become clear that things were changing in your work?
It wasn’t until maybe the first quarter of 2015 that we really truly stepped into expanding, or at least participating in expanding, offensive operations as it pertains to regional countries… the targeting of foreign countries. It didn’t happen that quickly. It probably went from January to October before some serious suspicions started to get raised. [Though] I would imagine some of the other people probably had similar questions and that they were being asked and raised before I even thought about them.
You guys weren't talking about it among yourselves?
We were some. But we were just pushing it off: “I’m assuming it's approved, so it’s probably fine”… until you get other [requests] like flight patterns [of the Qatar royal family], journalist activity, … then you begin to ask questions like why do you guys want this? And… as soon as those questions came about, that’s when this shift began to happen [the transfer of the contract from CyberPoint to DarkMatter.]
[W]e realized holistically that our shop is actually…. an offensive shop and part of NESA. So there wasn’t even a pretense that you were doing defense. Everything we were doing is offensive.
Were you talking with Lori Stroud during this time and did she share the same concerns before she took the offer to jump to DarkMatter?
I think Lori was significantly more naive than I was. In fact when we left, I told Lori, “[I]f you stay here, you’re going to struggle and you’re going to be asked to do this stuff.” And she said no, no, no. They've assured me not. “Lori, you’re going to be asked to do this stuff. There’s logically no other reason for them to shift the contract [to DarkMatter].” She didn’t have the same suspicion; at least not for quite a while.
DarkMatter would go on to spy on Emirati activist Ahmed Mansoor, British journalist Rori Donaghy, and three US journalists who have never been identified, causing Stroud to raise questions and become sidelined by the company. She would eventually provide information to the FBI for their investigation.
What was the breaking point for you?
I think when the shift happened over to DarkMatter [in December 2015].…[W]e said…you’re shifting here and going to work for a foreign intelligence service? They said, no, we’re going to work for this other commercial company.… Well who owns that?…. That was the breaking point for us.
DarkMatter was founded by an Emirati named Faisal Al Bannai. Evenden says when he learned in mid-December 2015 that the contract was moving to DarkMatter, he and his wife and child were in the US for the holidays. Evenden decided not to jump to DarkMatter, but he says CyberPoint told him he should tell Baier and Adams that he would stay in Abu Dhabi.
Even though we already made the decision [that] I'm not going to work for DarkMatter.… [T]hey said, don’t tell them that yet, just stay on for as long as you can. So I went back [to Abu Dhabi without my wife], and everything was completely fine, until Ryan realized that [my wife] didn’t come back with me and it raised all this suspicion.
Evenden says they accused him of trying to collect intelligence on their activities.
[Ryan asked], Are you staying or are you not? But imagine that 1,000 times more aggressive. A lot of yelling, a lot of screaming… interrogating us about how much information we’ve shared with people….
Were you collecting intelligence on them at that point?
Ultimately,… you want to get as much information as you can before you leave. So yeah [I wanted information].
I told them we haven’t fully decided [about leaving]. Yeah I lied. At a certain point I finally said yeah this is it. I’ll send my two weeks notice for the contract. They let me finish out the end of that week and then I left … January 16. I probably stayed another two weeks [after that to pack up the house].
In early 2016, after more than half a dozen CyberPoint employees quit their jobs and returned to the US from the UAE, the FBI contacted them to ask about their activities there and whether their team had targeted Americans or US infrastructure as part of the UAE's spying operations.