How a chilling Saudi
cyberwar ensnared Jamal Khashoggi
By David Ignatius, Columnist (Washington Post)
December 7
When Jamal Khashoggi entered the Saudi Consulate in Istanbul
on Oct. 2, he didn’t know he was walking into a killing zone. He had become the
prime target in a 21st-century information war — one that involved hacking,
kidnapping and ultimately murder — waged by Saudi Crown Prince Mohammed bin Salman
and his courtiers against dissenters.
How did a battle of ideas, triggered by Khashoggi’s
outspoken journalism for The Post, become so deadly? That’s the riddle at the
center of the columnist’s death. The answer in part is that the United States,
Israel, the United Arab Emirates and other countries that supported Saudi
counter-extremism policies helped sharpen the double-edged tools of
cyberespionage that drove the conflict toward its catastrophic conclusion in
Istanbul.
MBS, as the crown prince is known, promised change, but he
delivered instability. The digital arsenal he assembled became an instrument of
his own authoritarian rule. MBS came to the information space armed,
figuratively speaking, with a bone saw.
Ground zero in this conflict was the Center for Studies and
Media Affairs in Riyadh, run by Saud al-Qahtani, a smart, ambitious official in
the royal court who played Iago to his headstrong, sometimes paranoid boss.
Qahtani and his cyber colleagues worked at first with an Italian company called
Hacking Team, and then shopped for products produced by two Israeli companies —
NSO Group and its affiliate, Q Cyber Technologies — and by an Emirati firm
called DarkMatter, according to many knowledgeable
sources who requested anonymity to discuss sensitive intelligence matters.
Gradually, Qahtani built a network of surveillance and social-media
manipulation to advance MBS’s agenda and suppress his enemies.
The Saudis began constructing their cyber garrison nearly a
decade ago, when Qahtani was serving the previous monarch, King Abdullah. The
Saudis had understandable reasons for arming themselves in cyberspace. Iran had
reportedly launched the “Shamoon” virus in mid-2012,
crippling tens of thousands of Saudi computers that took nearly half a year to
repair. The kingdom also faced deadly terrorist threats, especially after the
fireball of the Islamic State exploded across Syria and Iraq in 2014.
For the Saudis, as for Russian hackers in their assault on
the 2016 U.S. presidential election, the information space became a zone of
warfare. The weapons of defense and offense became interchangeable. As one
European intelligence official told me ruefully: “The tools you need to combat
terrorism are the same ones you need to suppress dissent.” The Saudis pushed
hard on this double throttle.
Sen. Mark Warner (Va.), the ranking Democrat on the Senate
Intelligence Committee, described to me the dangers of this two-sided cyber
sword: “Every new surveillance tool has a potential for abuse. That’s why in
this country, we have a robust system of law and even a special court to
oversee how they are used. In places with fewer legal protections for
individuals and no real oversight from other parts of government, these tools
are easily abused, and that should concern us all.”
Social-media
obsession
The Saudi leadership’s obsession with social media traces
back to the Arab Spring and the uprisings that rocked Tunisia starting in late
2010, then Egypt, Libya, Bahrain and Syria in 2011. The royal court in Riyadh
feared that the conservative Saudi monarchy might be the next target of what Marc
Lynch, an expert in Arab politics at George Washington University, has called
the “hashtag protests.”
Arab intelligence services have always closely monitored
their citizens’ communications and other political activities; digital media
offered new opportunities for both activism and repression. Saudi intelligence
in 2013 sought from Hacking Team tools that could penetrate iPhones and iPads,
and in 2015 it wanted similar access to Android phones, according to company
records revealed by WikiLeaks in 2015.
King Salman’s accession in January 2015 brought new
intensity to the royal court’s cyber efforts. Qahtani, a lawyer and former Air
Force member who had been working at the court for more than a decade, wanted
to prove his loyalty to the new king’s favorite son, Mohammed. Qahtani made
himself an indispensable but increasingly dangerous figure in the inner circle
around MBS.
“He breaks things,” is how one well-connected Saudi who
knows Qahtani described him. With the patronage of MBS, “he had a lot of carrots,
and a lot of sticks.”
A strategic
partnership
After MBS became deputy crown prince in April 2015, Qahtani
pushed for enhancement of cyber operations. On June 29, 2015, he wrote to the
head of Hacking Team and asked for “the complete list of services that your
esteemed company offers” and proposed “a long and strategic partnership.”
Hacking Team touts itself on its website as “the hacking
suite for governmental interception” and a source of “effective, easy-to-use
offensive technology.” The company’s clients by 2013 included about 40
governments, according to a 2016 profile of its founder in Foreign Policy.
Hacking Team’s relationship with Saudi Arabia became so
strong that when the Italian company encountered financial difficulties after
the 2015 records leak by WikiLeaks, Saudi investors apparently stepped in. A
Cyprus-based company called Tablem Limited, headed by
a businessman from the Al-Qahtani family, acquired a 20 percent stake in
mid-2016, according to a January 2018 post on Motherboard. At a meeting in
Milan in May 2016, the new investors were represented by a leading Saudi lawyer
named Khalid Al-Thebity, Motherboard reported. The
founder of Hacking Team told Motherboard that he wasn’t sure who Qahtani and Thebity were. “The Saudi government is opaque even for me,”
he said.
MBS’s royal court had acquired Italian-supplied hacking
tools, but American and Saudi sources say that the crown prince sought greater
capabilities. He looked at the rapid advances made by a UAE cyber company
called DarkMatter, two former U.S. officials said,
and he wanted the kingdom to keep pace. DarkMatter
could provide training and equipment, these two sources said, but MBS wanted
his own state-of-the art systems.
“MBS wanted to mirror the capabilities that the Emiratis
had,” said one former U.S. official who worked with the kingdom on
counter-terrorism.
Saudi Arabia was joining a crowded field. The proliferation
of cyber weapons was accelerating around the world, partly because of the
United States’ enthusiasm for anything that could be described as “countering
violent extremism.” Explains one former U.S. official who worked with the royal
court on cyber matters: “The Saudis felt that as long as they cracked down on
extremism, they had a blank check to go after people in their own country, too.
We weren’t going to do anything.”
State-of-the-art
surveillance
I had a glimpse of the Saudi passion for digital
surveillance technology during visits to the kingdom in April 2017 and March
2018. Both times, I was invited to see a new counter-terrorism center within
the royal court, which the Saudis dubbed a Digital Extremism Observatory. It
was a hyper-modern facility, with scores of technicians sitting at computer
screens monitoring Arabic Twitter and other social-media platforms.
The Saudis explained that they were battling the Islamic
State as well as Iranian-backed Shiite groups. The director of the center gave
me several slick pamphlets. One described how the center had monitored more
than 1.2 million tweets and retweets about the Islamic State during the last
two weeks of December 2016, and the ability of its software tools to discern
“organic support for ISIS with a high rate of precision.” A second pamphlet
described sophisticated software tools for analyzing and visualizing
social-media networks for supporters of both the Islamic State and Shiite
militias.
The enemy was extremism, Saudi officials insisted, repeating
the message that MBS was delivering to American and European officials.
One pamphlet boasted that Qahtani’s center “fuses software
development with the latest quantitative and qualitative analysis techniques to
support . . . the most current needs for
intelligence on extremist activities online.” What most observers, including
me, didn’t understand was how quickly those tools could be adapted to combat
dissident Saudi voices such as Khashoggi’s.
A penchant for risk
Young and inexperienced, the crown prince plunged into risky
adventures, on the ground and in cyberspace. To combat Iranian-backed Houthi
rebels, he invaded Yemen in 2015 — beginning a ruinous campaign that continues
to this day. To check what he saw as Muslim Brotherhood influence in the
neighboring country of Qatar, he launched what amounted to a cyber war against
Qatar — fought partly with automated bots and other social-media tools of
manipulation.
“Cyber fit the natural biases of MBS,” says one former
senior U.S. intelligence official who worked extensively with the crown prince.
“He prefers high-risk strategies. He minimizes the danger of blowback, and he
doesn’t think about the knock-on consequences.” These advanced cyber
capabilities might have been less risky if they had been managed by
professionals in the Saudi intelligence services, but they instead became
political instruments for MBS and his powerful courtier, Qahtani.
The drive for
dominance
The kingdom’s drive for digital dominance accelerated in
2017, for several reasons. MBS felt threatened by rivals within the royal
family, especially after shadowy reports of two assassination attempts last
year, according to U.S. intelligence sources. MBS responded with an internal
coup, toppling Mohammed bin Nayef as crown prince in June 2017, and then in
November of that year arresting more than 200 princes and other prominent
Saudis and holding them at the Ritz-Carlton in Riyadh until they pledged
loyalty and paid what amounted to ransom.
But MBS’s putsch provoked a vicious cycle. For every enemy
the royal court arrested or put under surveillance, Qahtani and other courtiers
warned that new ones were arising — many supposedly recruited by Saudi Arabia’s
regional rivals, Iran and Qatar.
Qahtani was an aggressive field commander in cyberspace. He
urged Saudis to submit names of suspected Qatar supporters and other dissidents
through the Twitter hashtag “Black List.” He defended this social-media
mobilization in an August 2017 tweet: “Do you think I make decisions without
guidance? I am an employee and an executor of the orders of the king and the
crown prince.”
The anti-Qatar campaign became a digital free-for-all. The
Saudis and Emiratis felt that they had come late to the information wars, and
for nearly a decade they had been fuming about the Qatar-backed satellite
television network Al Jazeera and its support for Arab dissent. Now, they were
settling scores. As the Qatar feud deepened, it became a hackers’ version of
trench warfare — with stolen and leaked emails finding their way anonymously to
U.S. news outlets.
Qatar claimed that the UAE hacked its state news agency’s
Twitter feed in May 2017 and posted false items. A few months later, emails
hacked from the account of Yousef Al Otaiba, UAE
ambassador to Washington, were leaked to journalists. In May,an American businessman whose firm reportedly did
work for the UAE alleged in a lawsuit that his communications had been hacked
by American and British ex-intelligence officers hired by Qatar.
The wide-open U.S. media space became a zone of this Arab
battle for influence. As I wrote in a column in May 2018, “For the Middle East
combatants, the United States is becoming the new Lebanon — the place where
other nations go to fight their dirty proxy wars.”
Devil's bargain
As 2018 dawned, Qahtani’s Center for Studies and Media
Affairs was fighting a multi-front war against enemies, real and imagined. The
Saudis continued looking for new weapons. DarkMatter
had showed off its capabilities at “Black Hat” hackers’ conventions in Las
Vegas in 2016, 2017 and 2018. Among DarkMatter’s
offerings was the “Katim” phone system, which could
combat other hackers by turning off its camera and microphone and automatically
causing the device’s data to self-destruct if it was penetrated by an
unauthorized user. Calls to DarkMatter’s headquarters
in Abu Dhabi on Thursday weren’t answered, and a person close to the company
said it wouldn’t respond.
The Saudis knew that Israel, their historical nemesis, had
the most sophisticated cyber tools. And according to American, European and
Saudi sources, the Saudis increasingly looked to buy technology from Israeli
cyber companies.
The result was one of the most intriguing intelligence
alliances in the history of the Middle East, as Israeli companies began sharing
with the Saudis some of its cyber secrets. It was a devil’s bargain: Israel
gained a secret Sunni Arab ally against Iran (and also
an opportunity through cyber cooperation to gather information about the
kingdom), and MBS obtained new tools to combat his internal enemies.
Three former U.S. officials say the Saudis specifically
sought to purchase a sophisticated phone-hacking system called Pegasus, created
by a firm founded in Israel called NSO Group Technologies.
The Pegasus system’s chilling capabilities were summarized
in an October 2018 report by the Citizen Lab, a Canadian Internet research
organization: “Once the phone is infected, the customer has full access to a
victim’s personal files, such as chats, emails and photos. They can even
surreptitiously use the phone’s microphones and cameras to view and eavesdrop
on their targets.”
To conduct some of its transactions with the Israeli
company, two sources say the Saudis worked partly through an affiliate of NSO
called Q Cyber Technologies, based in Luxembourg. The company’s website offers
few details about its business but displays an upbeat pitch for its cyber
services: “Helping make the world a safer place.”
Two sources told me that Q Cyber dealt directly with the
Saudis, helping solve problems that arose with cyber-monitoring systems. Q
promised that it could access targets in a half-dozen Middle Eastern countries,
as well as many of the biggest nations in Europe. Some Israelis were concerned
about sharing these super-secret capabilities with a leading Arab nation, but
two knowledgeable former U.S. officials told me the Saudi purchase was approved
by the Israeli government.
An attorney who represents NSO Group and its Q Cyber
affiliate, when asked about reported sales to Saudi Arabia, wouldn’t confirm or
deny any of the firm’s clients. He offered this general comment about NSO and
sales of its Pegasus surveillance tools: “They’re a supplier of a product. The
customer makes representations that the product will be used in a way that’s
lawful in that country. Obviously, there are sometimes abuses.”
“Qahtani was given a huge amount of leeway” in acquiring
such systems, outside normal intelligence channels, said one British cyber
consultant who has worked with him. An American who dealt with Qahtani on cyber
matters described him as “very detail-oriented, but overly controlling” in
trying to shape dealings with Western intelligence providers in ways that would
help MBS politically.
Flies and bees
Khashoggi, as one of Saudi Arabia’s best-known journalists
and leading “influencers,” was inexorably drawn into this conflict. As Qahtani beamed
up his “army of flies” to combat Qatar on Twitter, Khashoggi’s friends wanted
to create an alternative media presence.
Omar Abdulaziz, a young Saudi
dissident living in Canada, encouraged Khashoggi in June and July of this year
to help recruit a rival army of “electronic bees” to neutralize the Saudi
online onslaught, according to a lawsuit filed in Tel Aviv last Sunday.
Khashoggi and Abdulaziz didn’t
realize that the Saudis were able to spy on their messages, thanks to
Israeli-supplied Pegasus surveillance tools, according to the lawsuit. The
complaint alleges that two of Abdulaziz’s brothers
were arrested in Saudi Arabia late last summer; one of the imprisoned brothers,
pressured by his captors, “begged [Abdulaziz] to stop
his work on political activities in which he was involved,” the suit contends.
The Pegasus surveillance gave the Saudis information that “contributed in a
significant manner to the decision to murder . . .
Khashoggi,” the suit alleges.
An NSO spokesperson disputed allegations in the lawsuit.
“While as a matter of security, we will not discuss whether a particular government has licensed our technology, this
lawsuit is completely unfounded. It shows no evidence that the company’s
technology was used and appears to be founded on a collection of so-called
reports and articles that have been generated for the sole purpose of creating
news headlines that do not reflect the reality of NSO’s work,” the spokesperson
said. “We follow an extremely rigorous protocol for licensing our products —
which are only provided after a full vetting as well as licensing by the
Israeli government. “
For Qahtani, the anti-Khashoggi campaign was personal. A
Saudi official told me that Qahtani felt that he had let down his boss, MBS, by
allowing Khashoggi to leave Saudi Arabia in 2017. When Khashoggi fled to the
United States later that year and began writing columns for The Post that were
critical of Saudi Arabia, Qahtani viewed him as a renegade enemy in the
information domain he sought to control.
Just before Khashoggi began writing for The Post, some Saudi
officials offered him a column in the pro-Saudi newspaper Al-Hayat, according
to two Saudi officials who were briefed on the proposal. But Khashoggi soon
began his Post columns, augmenting his voice in social media. The Saudis tried
to squeeze him by preventing his son Salah from traveling outside the kingdom,
which deeply upset Khashoggi, but he didn’t temper his writing or his
independence.
Last July, according to a U.S. official, Qahtani had
convinced MBS that Khashoggi was a threat to the kingdom’s attempts to control
information, and the crown prince sent a message that month ordering that the
renegade journalist be brought back to the kingdom, by force if necessary. The
message wasn’t understood by U.S. officials until too late.
Khashoggi became a vulnerable target after he visited the
Saudi Consulate in Istanbul in September to obtain papers for his fiancee. He was told to return the following week to
complete the paperwork. Meanwhile, according to two Saudi sources, Qahtani
helped gather a circle of intelligence and military operatives who were trusted
by the royal court. The team sent to Istanbul was commanded by Maher Mutreb, a general involved in intelligence work who had
been detailed to the royal court and was responsible for MBS’s communications
security when he traveled abroad. A senior Saudi official told me Thursday that
Qahtani was “currently banned from traveling and is under custody” as announced
Nov. 15 by the Saudi public prosecutor.
Qahtani was fired in October from his job at the royal court
and is one of 17 Saudis who were sanctioned by the Treasury Department for
their role in Khashoggi’s death. Treasury said in its statement announcing the
sanctions that Qahtani “was part of the planning and execution of the
operation” that killed the Post journalist and that Mutreb
“coordinated and executed” it.
This is a ghastly murder story, but as in any complicated
case, we look for clues about how and why the killing took place. This killer’s
motive was control of information.
Read more from David
Ignatius’s archive, follow him on Twitter or subscribe to his updates on
Facebook.
David Ignatius: The Khashoggi killing had roots in a cutthroat Saudi family feud