DOHA, Qatar — The report appeared just after midnight on the official Qatari news agency’s website, and its contents were stunning: The emir of Qatar was quoted as describing “tensions” with President Trump and speculating he may not last in office, recommending friendship with Iran, praising the Palestinian militants of Hamas, and then attesting to his own “good” relations with Israel.
The contradictory statements could hardly have been better contrived to alienate the United States and Arab countries around the Gulf, and Qatar immediately began to deny the report, early on May 24. But within 20 minutes, satellite networks controlled by Saudi Arabia and the United Arab Emirates had seized on the damning news flash and began interviewing long lines of well-prepared commentators to expound on the perfidy of Qatar.
The Qatari government said the news agency had been hacked, a claim now supported by the F.B.I. and British law enforcement officials. Though they would not say so publicly, Qatari officials blamed the Saudis and Emiratis.
Probably not coincidentally, a few days later, emails hacked from the Emirates’ ambassador to Washington began turning up in the Western news media and then the Qatari news network Al Jazeera.
The cyber-intrigue was the opening skirmish in a pitched battle among ostensible Gulf allies this week. Saudi Arabia and the U.A.E. rallied dependent Arab states to cut off diplomatic relations, travel and trade with Qatar, and the unity of the American-backed alliance against the Islamic State and Iran has been fractured.
But the dirty tricks also heralded a broader transformation in international espionage. The dust-up in the Gulf is the clearest sign yet that cyberattacks coupled with disinformation campaigns are no longer the exclusive domain of sophisticated powers like Russia. Any country can get in the game for the relatively low price of a few freelance hackers.
The F.B.I. and other experts concluded the hack of Qatar’s news agency was the result of a computer break-in, and was most likely carried out by Russian hackers for hire, according to American and Qatari officials briefed on the investigation. F.B.I. officials told The New York Times that Russian mercenary hackers have frequently come up in investigations of attacks sponsored by nation-states.
In fact, the hacking war in the Gulf region has likely been going on for years, though it has never played out on such a public stage. In 2015, for example, an Arab intermediary with ties to Qatar provided The Times with internal emails from the Emirati Foreign Ministry which stated that the U.A.E. was knowingly violating a United Nations resolution by shipping weapons to Libyan militias.
“The fact of the matter is that the U.A.E. violated the U.N. Security Council Resolution on Libya and continues to do so,” Ahmed al-Qasimi, a senior Emirati diplomat, wrote in an internal email that was dated Aug. 4, 2015, and provided to The Times. Other internal Emirati emails about Libyan dealings and North Korean arms deals surfaced through Qatari-linked websites and the Guardian newspaper.
Qatar has, at times, backed its own Libyan client militias on the other side of a three-year proxy war against the U.A.E. — with both sides confounding Western attempts to broker a unity government in Libya.
In a report scheduled to be released on Friday, two independent cybersecurity researchers claim that at least one group of hackers can be found working as freelancers for a number of Gulf states, and that their methods bear a striking resemblance to the methods used to hack the Emirati ambassador.
“They seem to be hackers-for-hire, freelancing for all sorts of different clients, and adapting their skills as needed,” said Collin Anderson, who is one of the researchers. Mr. Anderson and his partner, Claudio Guarnieri, have nicknamed the group Bahamut, after a monstrous fish floating in the Arabian Sea in the Jorge Luis Borges novel “Book of Imaginary Beings.”
The group regularly uses spear phishing attacks — emails designed to look innocent but that contain malicious software applications. While it is not yet clear if Bahamut was behind the hack of the ambassador’s email, the group targeted a number of Emirati diplomats as well as other public figures in the Gulf region.
Other news organizations have reported receiving leaked Emirati emails from a group calling itself GlobalLeaks and using email addresses ending in .ru, suggesting the mercenary hackers may be Russians or wish to pose as Russian.
The Emirati ambassador, Yousef al-Otaiba, is well known for his assiduous efforts to convince American think tanks and government officials that Qatar had threatened the stability of the region by cheering the Arab uprisings of 2011 and, in particular, by backing the Muslim Brotherhood.
Mr. Otaiba, a charismatic figure who speaks nearly native-sounding English, has also served as a personal tutor in regional politics to Jared Kushner, the son-in-law and a senior adviser to President Trump.
Several of the newly leaked emails appear to include examples of Mr. Otaiba pressing anti-Qatari arguments with American officials, who banter with him like old friends.
In a Feb. 10, 2015, exchange between Mr. Otaiba and Elliott Abrams, a former Republican White House official, Mr. Abrams appears to joke about the Emirates’ support for the military coup that removed Egypt’s Qatari-allied Islamist president in 2013, almost suggesting that something similar should happen in Qatar. “Too bad the Qatari armed forces can’t… well, I shouldn’t say such things. That would be undemocratic,” the email said.
In another leaked exchange, John Hannah, another former Republican White House official, who is now with the pro-Israel Foundation for the Defense of Democracies, emailed Mr. Otaiba to complain that an Emirati-owned hotel in Doha was providing space for a Hamas news conference.
“How’s this,” Ambassador Otaiba replied. “You move the base then we’ll move the hotel :-).” (He was obliquely referring to the major American air base in Qatar, Al Udeid, that has been the headquarters for operations against the Islamic State.)
In fact, on Thursday, the government of Qatar listed the hacking attack as part of a broader public influence campaign that has been appearing in American newspapers and think tank conferences. A timeline the government distributed to reporters identified a series of 14 op-ed articles that appeared across the American media in a sudden flurry beginning around the same time — late April — all singling out Qatar for supporting Islamist militants or extremists.
President Trump arrived in the region on May 20, weeks after the barrage of criticism began, for an Arab summit in Saudi Arabia. “He told us exactly: ‘We have to work together in stopping the funding of extremist groups in the region and whenever I read reports about this region I read about Qatar and Saudi,’ ” the Qatari foreign minister, Sheikh Mohammed bin Abdulrahman Al Thani, recalled on Thursday.
“Mr. President,” the foreign minister said he replied, “are the reports based on media reports or intelligence reports? If it is based on media reports, then this is something we cannot answer.”
“We assured them that we have strong cooperation with our security agencies,” the foreign minister added.
Then, three days after the Trump meeting in Riyadh, the Foundation for the Defense of Democracies held a conference in Washington dedicated to criticism of Qatar, titled “Qatar and the Muslim Brotherhood’s Global Affiliates.”
Robert M. Gates, the former defense secretary and a friend of Mr. Otaiba, gave the keynote. Attendees included many of the authors of the critical op-ed articles and senior Obama administration officials. Organizers encouraged Mr. Otaiba to attend, and his staff sent Abu Dhabi, the Emirati capital, a detailed report.
No representative of Qatar was invited. The hack of the Qatari news agency took place after midnight that night.
Mr. Anderson, the cyber security researcher, said the low cost and relative ease of hiring hackers meant that more such attacks would surely follow.
“This is the future for what countries all around the world can do,” he said, “if they have the money and the resources.”
By Thursday night, Qatar’s Al Jazeera network reported that hackers were attempting to overload and crash its internet servers.