APNewsBreak: Undercover agents target cybersecurity watchdog
NEW YORK (AP) — The researchers who reported that Israeli software was used to spy on Washington Post journalist Jamal Khashoggi’s inner circle before his gruesome death are being targeted in turn by international undercover operatives, The Associated Press has found.
Twice in the past two months, men masquerading as socially conscious investors have lured members of the Citizen Lab internet watchdog group to meetings at luxury hotels to quiz them for hours about their work exposing Israeli surveillance and the details of their personal lives. In both cases, the researchers believe they were secretly recorded.
Citizen Lab Director Ron Deibert described the stunts as “a new low.”
“We condemn these sinister, underhanded activities in the strongest possible terms,” he said in a statement Friday. “Such a deceitful attack on an academic group like the Citizen Lab is an attack on academic freedom everywhere.”
Who these operatives are working for remains a riddle, but their tactics recall those of private investigators who assume elaborate false identities to gather intelligence or compromising material on critics of powerful figures in government or business.
Citizen Lab, based out of the Munk School at the University of Toronto, has for years played a leading role in exposing state-backed hackers operating in places as far afield as Tibet , Ethiopia and Syria . Lately the group has drawn attention for its repeated exposés of an Israeli surveillance software vendor called the NSO Group, a firm whose wares have been used by governments to target journalists in Mexico , opposition figures in Panama and human rights activists in the Middle East .
In October, Citizen Lab reported that an iPhone belonging to one of Khashoggi’s confidantes had been infected by the NSO’s signature spy software only months before Khashoggi’s grisly murder. The friend, Saudi dissident Omar Abdulaziz, would later claim that the hacking had exposed Khashoggi’s private criticisms of the Saudi royal family to the Arab kingdom’s spies and thus “played a major role” in his death.
In a statement, NSO denied having anything to do with the undercover operations targeting Citizen Lab, “either directly or indirectly” and said it had neither hired nor asked anyone to hire private investigators to pursue the Canadian organization. “Any suggestion to the contrary is factually incorrect and nothing more than baseless speculation,” NSO said.
NSO has long denied that its software was used to target Khashoggi, although it has refused to comment when asked whether it has sold its software to the Saudi government more generally.
The first message reached Bahr Abdul Razzak, a Syrian refugee who works as a Citizen Lab researcher, Dec. 6, when a man calling himself Gary Bowman got in touch via LinkedIn. The man described himself as a South African financial technology executive based in Madrid.
“I came across your profile and think that the work you’ve done helping Syrian refugees and your extensive technical background could be a great fit for our new initiative,” Bowman wrote.
Abdul Razzak said he thought the proposal was a bit odd, but he eventually agreed to meet the man at Toronto’s swanky Shangri-La Hotel on the morning of Dec. 18.
The conversation got weird very quickly, Abdul Razzak said.
Instead of talking about refugees, Abdul Razzak said, Bowman grilled him about his work for Citizen Lab and its investigations into the use of NSO’s software. Abdul Razzak said Bowman appeared to be reading off cue cards, asking him if he was earning enough money and throwing out pointed questions about Israel, the war in Syria and Abdul Razzak’s religiosity.
“Do you pray?” Abdul Razzak recalled Bowman asking. “Why do you write only about NSO?” ″Do you write about it because it’s an Israeli company?” ″Do you hate Israel?”
Abdul Razzak said he emerged from the meeting feeling shaken. He alerted his Citizen Lab colleagues, who quickly determined that the breakfast get-together had been a ruse. Bowman’s supposed Madrid-based company, FlameTech, had no web presence beyond a LinkedIn page, a handful of social media profiles and an entry in the business information platform Crunchbase. A reverse image search revealed that the profile picture of the man listed as FlameTech’s chief executive, Mauricio Alonso, was a stock photograph.
“My immediate gut feeling was: ‘This is a fake,’” said John Scott-Railton, one of Abdul Razzak’s colleagues.
Scott-Railton flagged the incident to the AP, which confirmed that FlameTech was a digital facade.
Searches of the Orbis database of corporate records, which has data on some 300 million global companies, turned up no evidence of a Spanish firm called FlameTech or Flame Tech or any company anywhere in the world matching its description. Similarly, the AP found no record of FlameTech in Madrid’s official registry or of a Gary Bowman in the city’s telephone listings. An Orbis search for Alonso, the supposed chief executive, also drew a blank. When an AP reporter visited Madrid’s Crystal Tower high-rise, where FlameTech claimed to have 250 sq. meters (2,700 sq. feet) of office space, he could find no trace of the firm and calls to the number listed on its website went unanswered.
The AP was about to publish a story about the curious company when, on Jan. 9, Scott-Railton received an intriguing message of his own.
This time the contact came not from Bowman of FlameTech but from someone who identified himself as Michel Lambert, a director at the Paris-based agricultural technology firm CPW-Consulting.
Lambert had done his homework. In his introductory email , he referred to Scott-Railton’s early doctoral research on kite aerial photography — a mapping technique using kite-mounted cameras — and said he was “quite impressed.”
“We have a few projects and clients coming up that could significantly benefit from implementing Kite Aerial Photography,” he said.
Like FlameTech, CPW-Consulting was a fiction. Searches of Orbis and the French commercial court registry Infogreffe turned up no trace of the supposedly Paris-based company or indeed of any Paris-based company bearing the acronym CPW. And when the AP visited CPW’s alleged office there was no evidence of the company; the address was home to a mainly residential apartment building. Residents and the building’s caretaker said they had never heard of the firm.
Whoever dreamed up CPW had taken steps to ensure the illusion survived a casual web search, but even those efforts didn’t bear much scrutiny. The company had issued a help wanted ad, for example, seeking a digital mapping specialist for their Paris office, but Scott-Railton discovered that the language had been lifted almost word-for-word from an ad from an unrelated company seeking a mapping specialist in London. A blog post touted CPW as a major player in Africa, but an examination of the author’s profile suggests the article was the only one the blogger had ever written.
When Lambert suggested an in-person meeting in New York during a Jan. 19 phone call , Scott-Railton felt certain that Lambert was trying to set him up.
But Scott-Railton agreed to the meeting. He planned to lay a trap of his own.
Anyone watching Scott-Railton and Lambert laughing over wagyu beef and lobster bisque at the Peninsula Hotel’s upscale restaurant on Thursday afternoon might have mistaken the pair for friends.
In fact, the lunch was Spy vs. Spy. Scott-Railton had spent the night before trying to hide a homemade camera into his tie, he later told AP, eventually settling for a GoPro action camera and several recording devices hidden about his person. On the table, Lambert had placed a large pen in which Scott-Railton said he spotted a tiny camera lens peeking out from an opening in the top.
Lambert didn’t seem to be alone. At the beginning of the meal, a man sat behind him, holding up his phone as if to take pictures and then abruptly left the restaurant, having eaten nothing. Later, two or three men materialized at the bar and appeared to be monitoring proceedings.
Scott-Railton wasn’t alone either. A few tables away, two Associated Press journalists were making small talk as they waited for a signal from Scott-Railton, who had invited the reporters to observe the lunch from nearby and then interview Lambert near the end of the meal.
The conversation began with a discussion of kites, gossip about African politicians, and a detour through Scott-Railton’s family background. But Lambert, just like Bowman, eventually steered the talk to Citizen Lab and NSO.
“Work drama? Tell me, I like drama!” Lambert said at one point, according to Scott-Railton’s recording of the conversation. “Is there a big competition between the people inside Citizen Lab?” he asked later.
Like Bowman, Lambert appeared to be working off cue cards and occasionally made awkward conversational gambits. At one point he repeated a racist French expression, insisting it wasn’t offensive. He also asked Scott-Railton questions about the Holocaust, anti-Semitism and whether he grew up with any Jewish friends. At another point he asked whether there might not be a “racist element” to Citizen Lab’s interest in Israeli spyware.
After dessert arrived, the AP reporters approached Lambert at his table and asked him why his company didn’t seem to exist.
He seemed to stiffen.
“I know what I’m doing,” Lambert said, as he put his files — and his pen — into a bag. Then he stood up, bumped into a chair and walked off, saying “Ciao” and waving his hand, before returning because he had neglected to pay the bill.
As he paced around the restaurant waiting for the check, Lambert refused to answer questions about who he worked for or why no trace of his firm could be found.
“I don’t have to give you any explanation,” he said. He eventually retreated to a back room and closed the door.
Who Lambert and Bowman really are isn’t clear. Neither man returned emails or phone calls. The websites for both of their supposed companies went offline within hours of the publication of this article, and chunks of information, including the men’s last names, were removed from their respective LinkedIn profiles.
Despite their keen focus on NSO, the AP has found no evidence that the men were linked to the Israeli spyware merchant, which is adamant that it wasn’t involved.
The kind of aggressive investigative tactics used by the mystery men who targeted Citizen Lab have come under fire in the wake of the Harvey Weinstein sexual abuse scandal. Black Cube, an Israeli private investigation firm, apologized after The New Yorker and other media outlets revealed that the company’s operatives had used subterfuge and dirty tricks to help the Hollywood mogul suppress allegations of rape and sexual assault.
Scott-Railton and Abdul Razzak said they didn’t want to speculate about who was involved. But both said they believed they were being steered toward making controversial comments that could be used to blacken Citizen Lab’s reputation.
“It could be they wanted me to say, ‘Yes, I hate Israel,’ or ‘Yes, Citizen Lab is against NSO because it’s Israeli,’” said Abdul Razzak.
Scott-Railton said the elaborate, multinational operation was gratifying, in a way.
“People were paid to fly to a city to sit you down to an expensive meal and try to convince you to say bad things about your work, your colleagues and your employer,” he said.
“That means that your work is important.”
Lori Hinnant and Nicholas Garriga in Paris, Aritz Parra in Madrid, Josef Federman in Jerusalem and Joseph Frederick in New York contributed to this report.
Emails and a transcript relating to the undercover operatives: https://www.documentcloud.org/search/projectid:42174-Citizen-Lab-Undercover-Op
Raphael Satter can be reached at: http://raphaelsatter.com