It wasn’t very long ago that I was reading a report from Cylance researchers that there was a new nation-state APT group that they had dubbed, White Company. The researchers commented on how the group was located in the Middle East, but had tendencies, or tactics, that led the researchers to believe they were ex-US Intel. It is concerning to think that the Tactics, Techniques and Procedures (TTPs) that have been created inside the US Intel community were being used for a foreign power.
The White Company was caught using an unwitting Belgian locksmiths website (and I am assuming other sites) to go after the Pakistani Air Force. Some of the TTPs the group use are adding anti-debugging code to their shellcode, using publicly available malware, and preprogrammed dates for discovery by antivirus software to distract analysts. All of these together show a level of sophistication not common outside of specific nation-state actors.
It was a few weeks later that Reuters published reports on Project Raven, a group of ex-US Intel operatives that worked with the UAE to engage in surveillance of militants, human rights activists, and other governments. This revelation should have been more shocking, but with the previous report from Cylance it just solidified the evidence that ex-US cyber warriors were going to work for the highest bidders. This is very sad news as Bob Anderson, exec assistant director of the FBI, is quoted in the Reuters report as saying, “There’s a moral obligation if you’re a former intelligence officer from becoming effectively a mercenary for a foreign government.”
One of the tools that Project Raven used was detail in another Reuters investigation, named Karma, helped the operatives hack into iPhones of diplomats and foreign leaders for the benefit of the UAE. This tool is special in that it did not require the targets to click on phishing links to gain access.
With the knowledge that US Intel operatives and analysts have it is no wonder that those outside the US would target them for recruitment. What is surprising is how many allow themselves to be recruited. As Tawakkol Karman said in the report, these people should “not be a tool in the hands of tyrannies to spy on activists and to enable them to oppress their peoples.”
We all need to take a look at ourselves and ask if the work we are doing is helping others, and at the very least not hurting them.