US intelligence agents helped UAE build secret surveillance unit

In the years after 9/11, former United States counterterrorism czar Richard Clarke warned Congress the country needed more expansive spying powers to prevent another catastrophe.

Five years after leaving government, he shopped the same idea to an enthusiastic partner: an Arab monarchy with deep pockets.

In 2008, Clarke went to work as a consultant guiding the United Arab Emirates (UAE) as it created a cyber-surveillance capability that would utilise top US intelligence contractors to help monitor threats against the tiny nation.

The secret unit Clarke helped create had an ominous acronym: DREAD, short for Development Research Exploitation and Analysis Department. In the years that followed, the UAE unit expanded its hunt far beyond suspected extremists to include a Saudi women’s rights activist, diplomats at the United Nations and personnel at FIFA, the world soccer body. By 2012, the programme would be known among its US operatives by a codename: Project Raven.

Reuters News Agency reports this year revealed how a group of former National Security Agency (NSA) operatives and other elite US intelligence veterans helped the UAE spy on a wide range of targets through the previously undisclosed programme – from “terrorists” to human rights activists, journalists and dissidents.

Now, an examination of the origins of DREAD, reported by Reuters for the first time, shows how a pair of former senior White House leaders, working with ex-NSA spies and Washington contractors, played pivotal roles in building a programme whose actions are now under scrutiny by federal authorities.

‘The NSA wanted it to happen’

To chart the UAE spying mission’s evolution, Reuters examined more than 10,000 DREAD programme documents and interviewed more than a dozen contractors, intelligence operatives and former government insiders with direct knowledge of the programme. The documents Reuters reviewed span nearly a decade of the DREAD programme, starting in 2008, and include internal memos describing the project’s logistics, operational plans and targets.

Clarke was the first in a string of former White House and US defence executives who arrived in the UAE after 9/11 to build the spying unit. Utilising his close relationship to the country’s rulers, forged through decades of experience as a senior US decision-maker, Clarke won numerous security consulting contracts in the UAE. One of them was to help build the secret spying unit in an unused airport facility in Abu Dhabi.

In an interview in Washington, Clarke said that after recommending that the UAE create a cyber-surveillance agency, his company, Good Harbor Consulting, was hired to help the country build it. The idea, Clarke said, was to create a unit capable of tracking “terrorists”. He said the plan was approved by the US State Department and the NSA, and that Good Harbor followed US law.

“The incentive was to help in the fight against al-Qaeda. The UAE is a very good counterterrorism partner. You need to remember the timing back then, post 9-11,” Clarke said. “The NSA wanted it to happen.”

The NSA did not answer written questions about its knowledge of DREAD or its relationship to any of the contractors. The State Department said it carefully vets foreign defence service agreements for human rights issues. UAE spokespeople at its Washington embassy and Ministry of Foreign Affairs did not respond to requests for comment.

Clarke’s work in creating DREAD launched a decade of deepening involvement in the UAE hacking unit by Washington insiders and US intelligence veterans. The US helped the UAE broaden the mission from a narrow focus on active extremist threats to a vast surveillance operation targeting thousands of people around the world perceived as foes by the Emirati government.

One of Clarke’s former Good Harbor partners, Paul Kurtz, said Reuters’ earlier reports showed that the programme expanded into dangerous terrain and that the proliferation of cyber-skills merits greater US oversight. “I have felt revulsion reading what ultimately happened,” said Kurtz, a former senior director for national security at the White House.

‘These skillsets do not belong to you’

At least five former White House veterans worked for Clarke in the UAE, either on DREAD or other projects. Clarke’s Good Harbor ceded control of DREAD in 2010 to other US contractors, just as the operation began successfully hacking targets.

A succession of US contractors helped keep DREAD’s contingent of US citizens on the UAE’s payroll, an engagement that was permitted through secret State Department agreements, Reuters found.

The programme’s evolution illustrates how Washington’s contractor culture benefits from a system of legal and regulatory loopholes that allows ex-spies and government insiders to transfer their skills to foreign countries, even ones reputed to have poor human rights track records.

US operatives for DREAD were able to sidestep the few guardrails against foreign espionage work that existed, including restrictions on the hacking of US computer systems.

Despite prohibitions against targeting US servers, for instance, by 2012 DREAD operatives had targeted Google, Hotmail and Yahoo email accounts. Eventually, the expanding surveillance dragnet even swept up other US citizens, as Reuters reported earlier this year.

In an interview, Mike Rogers, former chairman of the US. House Intelligence Committee, said he has watched with growing concern as more and more former US intelligence officials cash in by working for foreign countries.

“These skillsets do not belong to you,” he said of ex-US agents, but to the US government that trained them. Just as Washington would not let its spies work in the pay of foreign nations while employed at the NSA, he said, “Why on God’s green earth would we encourage you to do that after you leave the government?”

An NSA spokesman said former employees are mandated for life not to reveal classified information.

A service within a service

For years before the creation of DREAD, Clarke grappled with the need for domestic surveillance in the US, as well as its potential dangers.

Clarke, a counterterrorism czar to Bill Clinton and George W Bush, is perhaps best known for offering an unequivocal public apology for Washington’s inability to prevent the 9/11 attacks.

“Your government failed you. Those entrusted with protecting you failed you. And I failed you,” Clarke said in 2004, one year after leaving government, testifying before a US commission established to investigate intelligence failures leading to the 9/11 attacks.

To prevent future attacks, Clarke urged the US to create a domestic spying service, while saying such a unit must avoid civil liberties violations. “We’d have to explain to the American people in a very compelling way why they needed a domestic intelligence service, because I think most Americans would be fearful of a secret police,” he said.

Clarke’s testimony to the 9/11 Commission helped lead to the creation in 2005 of a domestic intelligence service within the Federal Bureau of Investigation (FBI) – described as “a service within a service” – staffed by federal agents, language analysts and surveillance specialists.

Two years earlier, Clarke had joined his former deputy Roger Cressey at the newly launched Good Harbor Consulting, a security advisory group. Clarke brought one of the most famous names in US national security.

He also brought a decades-long relationship with a potential client of immense wealth: Sheikh Mohammed bin Zayed al-Nahyan, known as MBZ, the son of the UAE’s most powerful ruler. In the months preceding the 1991 US-led war on Iraq, Clarke, then a senior US diplomat, had been sent to the Gulf to seek assistance from regional allies. MBZ stepped up as the US prepared to go to war.

MBZ helped Clarke obtain permission from the Emirati government for bombing runs in UAE airspace, and he funnelled billions toward the US war effort. In 1991, when Congress questioned whether Washington should allow a $682m arms sale to UAE, Clarke bristled.

“They transferred four billion dollars to the US Treasury to support the war effort,” he told the House Subcommittee On Arms Control. “Is that the kind of nation that we should snub by denying them 20 attack helicopters? I don’t think so.” The UAE got the choppers.

A rare opportunity

In the years after Clarke joined Good Harbor in 2003, MBZ, the de facto ruler of the UAE, granted the company the rare opportunity to help build the country’s homeland security strategy from the ground up. Clarke’s Good Harbor soon won a series of security contracts to help the UAE secure its infrastructure, including work to protect the Gulf state’s seaports, nuclear projects, airports, embassies and petrochemical facilities, according to two people with direct knowledge of the contracts.

Along with helping stand up an emergency response department and maritime security unit, Clarke believed the UAE required an NSA-like agency with the ability to spy on “terrorists”. Clarke said he placed Good Harbor partner Paul Kurtz, himself a former White House veteran, in charge of the contract.

“At the highest level, it was cyber-defence and how you protect your own networks,” Kurtz said in a phone interview with Reuters. The UAE wanted to know, he said, “How do I understand more about what terrorists may be doing?”

Asked whether he was concerned the UAE could use the capability to crack down on activists or dissidents, Clarke stressed that “the overarching concern was getting al-Qaeda”. He said he had limited visibility into the programme at the time and that Kurtz was responsible for the day-to-day management of the contract to build the programme.

Kurtz said his personal involvement was limited to high level consulting, with his knowledge of daily activities “next to none”. For technical expertise on hacking, he said, Good Harbor relied on subcontractors from the American defence company SRA International, managed by an executive named Karl Gumtow.

SRA, then a 7,000-employee operation based in Fairfax, Virginia, was chosen because of its experience with NSA contracts, Clarke said.

A more active role

Utilising eight contractors from SRA, Good Harbor started building DREAD in 2008 inside a building that resembled a small aeroplane hangar on the edge of the Al Bateen airport in Abu Dhabi. The programme began as an arm of MBZ’s royal court, and was initially managed by the prince’s son, Khalid.

The contractors built the project from scratch. They trained potential Emirati staff in hacking techniques and created covert computer networks and anonymous Internet accounts the UAE could use for surveillance operations.

In 2009, the group set out to build a spy tool codenamed “the Thread”, software that would enable the Emiratis to steal files from Windows computers and transmit them to servers controlled by the Court of the Crown Prince, DREAD programme documents show.

Beyond offering guidance and support, Good Harbor and SRA did not envision an active role in hacking operations.

The programme was intended to leave the UAE equipped with the cyber-capabilities to pursue “terrorism” threats on its own. But within months, the US staff could see they needed to take the lead from their less experienced Emirati colleagues, said three former DREAD operatives.

Some UAE trainees appeared disinterested and ill-equipped. One trainer, a former SRA contractor and ex-NSA cryptographer named Keith Tuttle, concluded one student had “lost interest” and another “continues to struggle with technology”, a programme report card reviewed by Reuters shows.

That left the US staff with little choice but to get more involved, two former DREAD operatives told Reuters, eventually doing everything aside from hitting the final button on a computer intrusion. Tuttle, citing advice from his attorneys, declined to comment.

A spokesman for General Dynamics, the owner of SRA International after multiple business acquisitions, said the original contract with Good Harbor ended in 2010. He declined further comment.

The hacking requests from UAE security forces to the new unit accelerated after Christmas 2009, just one year after Good Harbor started on DREAD. UAE leaders received intelligence warnings that a violent extremist attack could be imminent. A panicked request came to the nascent hacker team: Help us spy on outbound Internet traffic coming from a suspected extremist’s home computer network located in the northern part of the country.

DREAD’s SRA handlers were still months from finishing the Windows hacking software, Thread. Suddenly, US operatives were cobbling together makeshift spy tools based on computer security testing software found for free online, according to two people with direct knowledge of the incident.

Yet, they succeeded within weeks, hacking the suspected extremist in a mission seen by the Emiratis as a key success that may have prevented an attack. The incident marked a crucial moment in the relationship. With that success came more targeting requests and a deeper role for the US staff, said two people with direct knowledge.

By the end of 2010, Good Harbor stepped back from DREAD, leaving control in the hands of SRA Vice President Gumtow, programme documents show. He had just started his own Maryland company, CyberPoint. “Our focus was to help them defend their country,” Gumtow said in a phone interview.

With Good Harbor’s departure, Kurtz joined CyberPoint, although he said his involvement in DREAD ended by 2011.

Rogue persons?

Within two years, Gumtow expanded the number of US staff on the programme from about a dozen to as many as 40. More than a dozen were poached from the halls of the NSA or its contractor list. DREAD’s annual budget reached an estimated $34m, project documents show.

Some US recruits had concerns about working for a foreign spy service. But the programme’s connection to respected national security figures such as Clarke, Kurtz and Gumtow led them to conclude the effort was above board, four former operatives said.

Jonathan Cole, a former US intelligence operative who joined DREAD in 2014, said he believed the UAE mission had Washington’s blessing due to the involvement of CyberPoint’s Maryland-based staff in other classified programs for the US government. “I made some assumptions,” Cole said.

In 2011, the programme moved to the first of a series of secret converted mansions, known as the Villa, and among its US contractors was given the codename Project Raven.

Gumtow told Reuters his US contractors were hired only to train Emirati hackers, and were prohibited from assisting in operations themselves. US law generally prohibits citizens from hacking computer systems anywhere, but specifically prohibits targeting of other US citizens, companies or servers.

Although Gumtow managed the DREAD contract for five years from Baltimore, he said he never learned of such activities occurring among his staff. He said his visibility was limited, as he visited his UAE staff five or six times a year.

“I did not get involved in day-to-day programme activities,” Gumtow said. “If we had a rogue person, then there’s nothing I can do.”

Still, the US team soon occupied almost every key position in the programme. US operatives helped locate target accounts, discover their vulnerabilities and cue up cyberattacks. To stay within the bounds of the law, the US staff did not press the button on the ultimate attack, but would often literally stand over the shoulders of the Emiratis who did, 10 former operatives told Reuters.

World Cup hacking

After the 2011 Arab Spring demonstrations shook the region, Emirati security experts feared their country was next. DREAD’s targets began to shift from counterterrorism to a separate category the UAE termed “national security targets” – assisting in a broad crackdown against dissidents and others seen as a political threat.

The operations came to include the previously unreported hacks of a German human rights group, the UN’s offices in New York and FIFA executives.

Between 2012 and 2015, individual teams were tasked with hacking into entire rival governments, as the programme’s focus shifted from counterterrorism to espionage against geopolitical foes, documents show.

One target was UAE archrival Qatar, which in 2010 gained global attention by winning the right to hold football’s 2022 World Cup. In 2014, DREAD operatives targeted directors at FIFA, the Swiss-based body that runs international football, and people involved in Qatar’s World Cup organising body.

The ploy was designed to steal damaging information about Qatar’s World Cup bid, which could be leaked to embarrass the UAE’s Gulf rival. Allegations that FIFA officials were bribed by Qatar in exchange for granting its World Cup bid surfaced in media reports in 2014.

The FIFA hacking operation, codenamed Brutal Challenge, was planned by an ex-NSA analyst named Chris Smith, according to DREAD operation planning memos reviewed by Reuters. The hackers sent boobytrapped Facebook messages and emails containing a malicious link to a website called “worldcupgirls”. Clicking on the link deployed spyware into the target’s computer.

It is not clear whether the mission succeeded. But the targets included Hassan al-Thawadi, secretary-general of Qatar’s FIFA organising body, and Jack Warner, a former FIFA executive who the US later indicted on money laundering charges.

Qatar’s Supreme Committee for Delivery and Legacy, a governmental body in charge of helping organise the 2022 footballing tournament, had no comment. A spokesman for Qatar’s government said the country saw its successful bid to host the World Cup as “a chance for the world to see our region in a new light”.

In a statement, a spokeswoman said FIFA was “not aware” of any hacking incidents related to Qatar’s World Cup bid. A second spokesperson said a FIFA internal investigation did not find that Qatar paid bribes to win the right to host the tournament.

Warner, who is facing extradition to the US from Trinidad and Tobago, could not be reached for comment. He has repeatedly proclaimed he is innocent of the charges. Smith did not respond to messages sent through email and social media.

US companies targeted

To conduct its UAE business, CyberPoint obtained a State Department foreign defence services licence in 2010 and 2014.

The agreements, reviewed by Reuters, are written in broad language. Hacking operations are described as “collecting information from communications systems inside and outside the UAE”. The agreements placed no restrictions against targeting human rights activists, journalists or US allies.

A State Department spokesman said that before granting such a licence, the agency carefully weighs human rights concerns. The authorisation does not grant the right to violate human rights, he said. But he declined to comment on the agreements between the agency and CyberPoint.

The DREAD agreements did prohibit the programme from assisting in hacking operations against US citizens or US-owned email servers. Doing so “could subject you to criminal liability under US law, even if the activities were conducted overseas”, warned a CyberPoint legal counsel in a 2011 memo.

This restriction was often sidestepped, project documents show. CyberPoint employees assisted in the hacking of hundreds of Google, Yahoo, Hotmail and Facebook accounts, sharing screenshots from the intrusions in presentations with senior Emirati intelligence officers. For example, DREAD accessed Google and Yahoo accounts to steal its targets’ internet browser history, with the hackers highlighting their porn preferences in reports to managers, documents show.

In 2012, the programme targeted the Hotmail and Gmail accounts of five staffers of the Konrad Adenauer Foundation, a German pro-democracy group that at the time was pushing for greater press and speech freedoms in the UAE. DREAD intercepted messages from one foundation manager’s hacked Gmail account. “Assume all comm channels have been” compromised, the manager’s message to an employee read.

Behind the scenes, the German ambassador to the UAE was called to meet with officials from the Emirates’ Ministry of Foreign Affairs, who said the German non-profit must leave the country, said a person with direct knowledge. In March 2012, the group was ordered out. The foundation declined comment.

US operatives also helped target the Gmail and Facebook accounts of Ahmed Ghaith al-Suwaidi, an Emirati economist and member of the Muslim Brotherhood, in 2011. In January 2012, DREAD hackers reported Al-Suwaidi had emailed signed documents putting his wife in charge of his assets in case anything happened to him, DREAD operation documents show.

Two months later, al-Suwaidi was arrested and detained in a secret prison, where he said he was tortured and forced to sign a confession, said Amnesty International. In 2013, as part of a trial of 94 activists accused of fomenting a coup, he was convicted and sentenced to 10 years in prison. Mohamed Al Zaabi, a friend and fellow activist, said al-Suwaidi had never advocated for a coup and had simply pushed for political reform.

Gumtow said that, to the best of his knowledge, CyberPoint was careful to stay within the bounds of the licence and US law.

‘For Emirati Eyes Only’

Over time, conflict emerged between the Emiratis and US staff over the selection of targets, which the US staff believed sometimes crossed the line into hacking US-related entities. The locals began restricting the US staff’s access to surveillance databases, marking some “For Emirati Eyes Only.” Near the end of 2015, the UAE cancelled its CyberPoint contract and hired a UAE cybersecurity firm, DarkMatter.

Gumtow warned his employees that if they remained in the programme, they would no longer be authorised under the State Department agreement and would be essentially going rogue. More than a dozen stayed.

While DarkMatter took over DREAD, the programme was a tightly held secret, with even some company executives unaware of its existence, said six people with direct knowledge of the matter.

Under DarkMatter, DREAD targeted the UN’s offices in New York in a bid to compromise the email accounts of foreign diplomats from countries seen as UAE rivals, said a former operative. A UN spokesman confirmed the organisation’s cybersecurity team identified attacks from a hacking group associated with the UAE.

In some cases, DREAD’s surveillance operations preceded the torture of targets.

In 2017, operatives hacked the emails of Saudi women’s rights activist Loujain al-Hathloul, after she tried to defy a ban against women driving in Saudi Arabia, a former DREAD operative said. Three years earlier, al-Hathloul, who was studying in the UAE, had been arrested by the Saudis after trying to drive across the border into Saudi Arabia and jailed for 73 days.

DREAD operatives monitoring al-Hathloul gave her the codename Purple Sword.

In 2018, just weeks before a royal decree allowed Saudi women to drive legally for the first time, UAE security forces arrested al-Hathloul again in Abu Dhabi and placed her in a private jet back to her native Saudi Arabia, a close UAE ally. Once there, Saudi security forces jailed her on charges of sedition, torturing her in a secret facility outside Jeddah, where she remains, her brother Walid al-Hathloul told Reuters.

“It’s very disappointing to see Americans taking advantage of skills they learned in the US to help this regime,” he said. “They are basically like mercenaries.”

A Saudi embassy spokesman did not respond to requests for comment.

In a brief emailed statement, DarkMatter said it was unaware of Reuters’ findings or any improper actions by the company.

A federal grand jury in Washington has been investigating whether US staff violated US hacking laws in the UAE mission. The FBI and the Justice Department declined to comment.

Congress is also asking questions, citing the earlier Reuters reports while pressing the State Department to explain DREAD and pushing for more transparency in foreign licence agreements. Foreign governments “have apparently exploited the advanced training and expertise of individuals who developed their technical skills while in U.S. national service,” members wrote in May to the director of national intelligence and secretary of state.

Rogers, the former House Intelligence Committee chairman, said it is time for Washington to impose tougher restrictions on foreign intelligence contracting. “Outright eliminating those opportunities, I think, should absolutely be on the table,” he said.

Kurtz, who helped launch the programme 10 years ago, agreed the US government needs to reconsider how it controls the transfer of cyber-capabilities overseas. “It can be a very slippery slope,” he said.