DarkMatter (company)

DarkMatter Group is a computer security company founded in the United Arab Emirates (UAE) in 2014 or 2015. The company describes itself as a purely defensive company, but several whistleblowers have alleged that it is involved in offensive cybersecurity ('cracking' or 'hacking'), including on behalf of the Emirati government.


Company history

DarkMatter was founded in either 2014 or 2015 by Faisal al-Bannai, the founder of mobile phone vendor Axiom Telecom and the son of a major general in the Dubai Police Force. Around 2014, Zeline 1, a wholly owned subsidiary of DarkMatter, became active in Finland. DarkMatter's public launch came in 2015, at the 2nd Annual Arab Future Cities Summit. At this time, the company advertised capabilities including network security and bug sweeping, and promised to create a new, "secure" mobile phone handset. It promoted itself as a "digital defense and intelligence service" for the UAE. In 2016, DarkMatter replaced CyberPoint as a contractor for Project Raven. Also in 2016, DarkMatter sought smartphone development expertise in Oulu, Finland, and recruited several Finnish engineers.

By early 2018, DarkMatter's turnover was hundreds of millions of U.S. dollars. Eighty per cent of its work was for the UAE government and related organizations, including the NESA. It had developed a smartphone model called Katim, Arabic for "silence". DarkMatter was an official provider for the Expo 2020, but has since been dropped in favour of a different company. In 2021, DarkMatter's cyber activities had already been transferred to Digital14, which now distributes the secure communications system "Katim".

A leaked 507-page document included emails between staff of the cybersecurity firm Corellium and employees of the UAE's DarkMatter. It revealed that the security firm offered or sold its tools to DarkMatter and the NSO Group in Israel. According to Corellium, the two companies had access to "a limited time/limited functionality trial version of Corellium's software". However, the emails revealed that DarkMatter was "very impressed" and was "interested in purchasing it". The Emirati firm even asked Corellium for a quote.


Recruitment practices

In addition to recruiting via conventional routes such as personal referrals and stalls at trade shows (e.g. Black Hat), DarkMatter headhunts staff from the U.S. National Security Agency and has "poached" competitors' staff after they were contracted to the UAE government, as happened with some CyberPoint employees. The company has reportedly hired graduates of the Israel Defense Force technology units and is paying them up to $1 million annually. Simone Maragitelli, an Italian security researcher, blogged about DarkMatter's vague and dubious recruiting practices as a warning to others. He claimed that any questions or objections to the company's practices would result in being told that "things had been blown out of proportion", and that information about the job opening remained extremely vague despite his questions.


Allegations of surveillance for UAE government

In response to alleged cyber spying on opponents of Iran's best interests by the government of Iran during 2010 and 2011, the United States assisted the United Arab Emirates in late 2011 with establishing the National Electronic Security Authority (NESA), which is the UAE's equivalent of the US NSA.


Project Raven

Project Raven was a confidential initiative to help the UAE surveil other governments, militants, and human rights activists. Its team included former U.S. intelligence agents, who applied their training to hack phones and computers belonging to Project Raven's victims. The operation was based in a converted mansion, nicknamed "the Villa", in Khalifa City, a suburb of Abu Dhabi.

From around 2014 to 2016, CyberPoint supplied U.S.-trained contractors to Project Raven. In 2016, news reports emerged that CyberPoint had contracted with the Italian spyware company Hacking Team, which damaged CyberPoint's reputation as a defensive cybersecurity firm. Reportedly dissatisfied with relying upon a U.S.-based contractor, the UAE replaced CyberPoint with DarkMatter as its contractor, and DarkMatter induced several CyberPoint staff to move to DarkMatter. After this, Project Raven reportedly expanded its surveillance to include the targeting of Americans, potentially implicating its American staff in unlawful behaviour.

Following a 24 October 2016 article in The Intercept revealing DarkMatter surveillance for the UAE, Samer Khalife, the chief financial officer of DarkMatter, transferred some United States citizens from DarkMatter to a new company, Connection Systems, and DarkMatter established tiger teams to counter the allegations contained in The Intercept article.

On 1 February 2019, Ars Technica published comments from DarkMatter's former employee, Daniel Wolford. He stated, "We did not hack Americans...Our mission was simple: advise and assist UAE to create a national cyber security program similar to NTOC (NSA/CSS Threat Operations Center)." The work done creating a "target list," Wolford said, was part of a training operation "to teach the Emiratis about lawful targeting and collection." "We tried to show them who is and isn't a threat to their national security."

On 9 December 2021, Loujain al-Hathloul filed a lawsuit in a US district court in Oregon against three former US intelligence and military officers who carried out hacking operations on behalf of the UAE. According to the lawsuit, the three men (Marc Baier, Ryan Adams, and Daniel Gericke) worked for DarkMatter and assisted Emirati security officials in exfiltrating data from her iPhone. The hacking had led to al-Hathloul's arrest in the UAE and rendition to Saudi Arabia, where she was detained, imprisoned and tortured.

On 22 December 2021, a very popular messaging app named "ToTok" was deemed to be a secret spy tool developed by the UAE. Very little is known about the tool and what its capabilities are.

In December 2021, U.S. lawmakers urged the Treasury and State Departments to sanction DarkMatter, NSO Group, Nexa Technologies and Trovicor. The letter, signed by Senate Finance Committee Chairman Ron Wyden, House Intelligence Committee Chairman Adam Schiff and 16 other lawmakers, asked for Global Magnitsky sanctions, as the companies were accused of enabling human rights abuses. The letter demanded that high-ranking executives at DarkMatter, along with the three other firms, be sanctioned.

On 26 August 2022, the three former U.S. intelligence operatives who helped the UAE spy on human rights activists, journalists and governments were barred from arms export activities under a deal announced by the State Department. The operatives, Marc Baier, Ryan Adams and Daniel Gericke, were prohibited for three years from participating directly or indirectly in any activities subject to the International Traffic in Arms Regulations (ITAR).


Karma spyware

In 2016, Project Raven bought a tool called Karma. Karma was able to remotely exploit Apple iPhones anywhere in the world, without requiring any interaction on the part of the iPhone's owner, as long as a username was provided, such as an Apple ID, an email address associated with the phone, or a phone number. It apparently achieved this by exploiting a zero-day vulnerability in the device's iMessage app. Project Raven operatives were able to view passwords, emails, text messages, photos and location data from the compromised iPhones.

People whose mobile phones have been deliberately compromised using Karma reportedly include:

* The Emir of Qatar, Sheikh Tamim bin Hamad Al Thani nicknamed "Crybaby", Hamad bin Khalifa Al Thani nicknamed "AngryFather", plus his brother and several other close associates.
* Nadia Mansoor, wife of imprisoned UAE human rights activist Ahmed Mansoor. (Nadia was nicknamed "Purple Egret" by Project Raven; Ahmed was nicknamed "Egret".)
* British journalist Rori Donaghy. (Donaghy was nicknamed "Gyro" by Project Raven.)
* Prime Minister of Lebanon Saad Hariri. (The UAE associated him with supporting Hezbollah.)
* Hundreds of other targets in Europe and the Middle East, including in the governments of Qatar, Yemen, Kuwait, Oman, Serbia, Lebanon, Iran and Turkey.

Around mid-2017, Apple patched some of the security vulnerabilities exploited by Karma, unknowingly reducing the tool's effectiveness.


Certificate authority controversy

In 2016, two DarkMatter whistleblowers and multiple other security researchers expressed concerns that DarkMatter intended to become a certificate authority (CA). This would give it the technical capability to create fraudulent certificates, which would allow fraudulent websites or software updates to convincingly masquerade as legitimate ones. Such capabilities, if misused, would allow DarkMatter to more easily deploy rootkits to targets' devices, and to decrypt HTTPS communications of Firefox users via man-in-the-middle attacks.

On 28 December 2017, DarkMatter requested that Mozilla include it as a trusted CA in the Firefox web browser. For more than a year, Mozilla's reviewers addressed concerns about DarkMatter's technical practices, eventually questioning on that basis whether DarkMatter met the baseline requirements for inclusion. On 30 January 2019, Reuters published investigations describing DarkMatter's Project Raven. Mozilla's reviewers noted the investigation's findings. Subsequently, the Electronic Frontier Foundation (EFF) and others asked Mozilla to deny DarkMatter's request, on the basis that the investigation showed DarkMatter to be untrustworthy and therefore liable to misuse its capabilities. Mozilla's public consultation and deliberations are ongoing.

In July 2019, Mozilla prohibited the government of the United Arab Emirates from operating as one of its internet security gatekeepers, following reports on a cyber-espionage program in which Abu Dhabi-based DarkMatter staff led a clandestine hacking operation. In August 2019, Google blocked websites approved by DarkMatter, after Reuters reported the firm's involvement in a hacking operation led by the United Arab Emirates. Google had previously said that all websites certified by DarkMatter would be marked as unsafe by its Chrome and Android browsers.


FBI investigation and indictments

DarkMatter is under investigation by the FBI for crimes including digital espionage services, involvement in the Jamal Khashoggi assassination, and incarceration of foreign dissidents.

On September 14, 2021, Marc Baier, 49, Ryan Adams, 34, and Daniel Gericke, 40, who had been indicted for violations of United States laws involving computer fraud and improper exporting of technology, agreed to a deferred prosecution agreement. Under the agreement they would pay fines over three years of $750,000, $600,000, and $335,000, respectively, for a total of $1.68 million; support FBI and Justice Department investigations; sever ties to any United Arab Emirates intelligence and law enforcement agencies; be prohibited from providing services, including defense articles, associated with ITAR and from future computer network exploitation employment; immediately relinquish their security clearances from the United States and any foreign entity; and be under a lifetime ban on future security clearances from the United States.

After the UAE contracts shifted from the US parent firm CyberPoint to its UAE subsidiary DarkMatter, Baier, who was a former employee of the NSA, and Adams and Gericke, who had been in the United States military and intelligence community, failed to receive permission to be employed by the UAE firm. According to Lori Stroud, a former NSA employee, the trio had worked for the United States-based CyberPoint and then for its UAE subsidiary DarkMatter. In 2018, Faisal al-Bannai confirmed that DarkMatter works very closely with the government of the UAE and is a competitor of the Israeli firm NSO Group. From January 2016 to November 2019, the trio of Marc Baier, Ryan Adams and Daniel Gericke significantly improved the operations that DarkMatter provided to the government of the UAE.

DarkMatter was very interested in hacking into Qatar's computers and obtaining and reading its electronic messages, as it was believed that Qatar was supporting a potential terrorist organization named the Muslim Brotherhood. For example, DarkMatter had hacked into an electronic communication between First Lady Michelle Obama and a former Qatari minister regarding Michelle Obama and Conan O'Brien's November 2015 trip to Qatar, where both Obama and O'Brien visited the al-Udeid airbase, which hosts the forward base headquarters of United States Central Command, the RAF's No. 83 Expeditionary Air Group, and the headquarters of the United States Air Forces Central Command during the Wars in Iraq and Afghanistan.


New United States law

In January 2020, during the FBI investigations into DarkMatter employees' conduct, the United States Congress passed a law proposed in 2019 by congressperson Max Rose of New York. The law requires the United States intelligence agencies to annually assess the risk to the United States national security posed by former intelligence officials and employees that are working for foreign based firms, governments, and entities. This law was driven in part by the United Arab Emirates cyber espionage operations against United States citizens, firms, entities, and government.


See also

* NSO Group
* Stealth Falcon
* George Nader
* Elliott Broidy

