How A Chilling Saudi Cyberwar Ensnared Jamal Khashoggi
When Jamal Khashoggi entered the Saudi Consulate in Istanbul on Oct. 2, he didn’t know he was walking into a killing zone. He had become the prime target in a 21st-century information war — one that involved hacking, kidnapping and ultimately murder — waged by Saudi Crown Prince Mohammed bin Salman and his courtiers against dissenters.
How did a battle of ideas, triggered by Khashoggi’s outspoken journalism for The Post, become so deadly? That’s the riddle at the center of the columnist’s death. The answer in part is that the United States, Israel, the United Arab Emirates and other countries that supported Saudi counter-extremism policies helped sharpen the double-edged tools of cyberespionage that drove the conflict toward its catastrophic conclusion in Istanbul.
MBS, as the crown prince is known, promised change, but he delivered instability. The digital arsenal he assembled became an instrument of his own authoritarian rule. MBS came to the information space armed, figuratively speaking, with a bone saw.
Ground zero in this conflict was the Center for Studies and Media Affairs in Riyadh, run by Saud al-Qahtani, a smart, ambitious official in the royal court who played Iago to his headstrong, sometimes paranoid boss. Qahtani and his cyber colleagues worked at first with an Italian company called Hacking Team, and then shopped for products produced by two Israeli companies — NSO Group and its affiliate, Q Cyber Technologies — and by an Emirati firm called DarkMatter, according to many knowledgeable sources who requested anonymity to discuss sensitive intelligence matters. Gradually, Qahtani built a network of surveillance and social-media manipulation to advance MBS’s agenda and suppress his enemies.
The Saudis began constructing their cyber garrison nearly a decade ago, when Qahtani was serving the previous monarch, King Abdullah. The Saudis had understandable reasons for arming themselves in cyberspace. Iran had reportedly launched the “Shamoon” virus in mid-2012, crippling tens of thousands of Saudi computers that took nearly half a year to repair. The kingdom also faced deadly terrorist threats, especially after the fireball of the Islamic State exploded across Syria and Iraq in 2014.
For the Saudis, as for Russian hackers in their assault on the 2016 U.S. presidential election, the information space became a zone of warfare. The weapons of defense and offense became interchangeable. As one European intelligence official told me ruefully: “The tools you need to combat terrorism are the same ones you need to suppress dissent.” The Saudis pushed hard on this double throttle.
Sen. Mark Warner (Va.), the ranking Democrat on the Senate Intelligence Committee, described to me the dangers of this two-sided cyber sword: “Every new surveillance tool has a potential for abuse. That’s why in this country, we have a robust system of law and even a special court to oversee how they are used. In places with fewer legal protections for individuals and no real oversight from other parts of government, these tools are easily abused, and that should concern us all.”
The Saudi leadership’s obsession with social media traces back to the Arab Spring and the uprisings that rocked Tunisia starting in late 2010, then Egypt, Libya, Bahrain and Syria in 2011. The royal court in Riyadh feared that the conservative Saudi monarchy might be the next target of what Marc Lynch, an expert in Arab politics at George Washington University, has called the “hashtag protests.”
Arab intelligence services have always closely monitored their citizens’ communications and other political activities; digital media offered new opportunities for both activism and repression. Saudi intelligence in 2013 sought from Hacking Team tools that could penetrate iPhones and iPads, and in 2015 it wanted similar access to Android phones, according to company records revealed by WikiLeaks in 2015.
King Salman’s accession in January 2015 brought new intensity to the royal court’s cyber efforts. Qahtani, a lawyer and former Air Force member who had been working at the court for more than a decade, wanted to prove his loyalty to the new king’s favorite son, Mohammed. Qahtani made himself an indispensable but increasingly dangerous figure in the inner circle around MBS.
“He breaks things,” is how one well-connected Saudi who knows Qahtani described him. With the patronage of MBS, “he had a lot of carrots, and a lot of sticks.”
A strategic partnership
After MBS became deputy crown prince in April 2015, Qahtani pushed for enhancement of cyber operations. On June 29, 2015, he wrote to the head of Hacking Team and asked for “the complete list of services that your esteemed company offers” and proposed “a long and strategic partnership.”
Hacking Team touts itself on its website as “the hacking suite for governmental interception” and a source of “effective, easy-to-use offensive technology.” The company’s clients by 2013 included about 40 governments, according to a 2016 profile of its founder in Foreign Policy.
Hacking Team’s relationship with Saudi Arabia became so strong that when the Italian company encountered financial difficulties after the 2015 records leak by WikiLeaks, Saudi investors apparently stepped in. A Cyprus-based company called Tablem Limited, headed by a businessman from the Al-Qahtani family, acquired a 20 percent stake in mid-2016, according to a January 2018 post on Motherboard. At a meeting in Milan in May 2016, the new investors were represented by a leading Saudi lawyer named Khalid Al-Thebity, Motherboard reported. The founder of Hacking Team told Motherboard that he wasn’t sure who Qahtani and Thebity were. “The Saudi government is opaque even for me,” he said.
MBS’s royal court had acquired Italian-supplied hacking tools, but American and Saudi sources say that the crown prince sought greater capabilities. He looked at the rapid advances made by a UAE cyber company called DarkMatter, two former U.S. officials said, and he wanted the kingdom to keep pace. DarkMatter could provide training and equipment, these two sources said, but MBS wanted his own state-of-the art systems.
“MBS wanted to mirror the capabilities that the Emiratis had,” said one former U.S. official who worked with the kingdom on counter-terrorism.
Saudi Arabia was joining a crowded field. The proliferation of cyber weapons was accelerating around the world, partly because of the United States’ enthusiasm for anything that could be described as “countering violent extremism.” Explains one former U.S. official who worked with the royal court on cyber matters: “The Saudis felt that as long as they cracked down on extremism, they had a blank check to go after people in their own country, too. We weren’t going to do anything.”
I had a glimpse of the Saudi passion for digital surveillance technology during visits to the kingdom in April 2017 and March 2018. Both times, I was invited to see a new counter-terrorism center within the royal court, which the Saudis dubbed a Digital Extremism Observatory. It was a hyper-modern facility, with scores of technicians sitting at computer screens monitoring Arabic Twitter and other social-media platforms.
The Saudis explained that they were battling the Islamic State as well as Iranian-backed Shiite groups. The director of the center gave me several slick pamphlets. One described how the center had monitored more than 1.2 million tweets and retweets about the Islamic State during the last two weeks of December 2016, and the ability of its software tools to discern “organic support for ISIS with a high rate of precision.” A second pamphlet described sophisticated software tools for analyzing and visualizing social-media networks for supporters of both the Islamic State and Shiite militias.
The enemy was extremism, Saudi officials insisted, repeating the message that MBS was delivering to American and European officials.
One pamphlet boasted that Qahtani’s center “fuses software development with the latest quantitative and qualitative analysis techniques to support . . . the most current needs for intelligence on extremist activities online.” What most observers, including me, didn’t understand was how quickly those tools could be adapted to combat dissident Saudi voices such as Khashoggi’s.
A penchant for risk
Young and inexperienced, the crown prince plunged into risky adventures, on the ground and in cyberspace. To combat Iranian-backed Houthi rebels, he invaded Yemen in 2015 — beginning a ruinous campaign that continues to this day. To check what he saw as Muslim Brotherhood influence in the neighboring country of Qatar, he launched what amounted to a cyber war against Qatar — fought partly with automated bots and other social-media tools of manipulation.
“Cyber fit the natural biases of MBS,” says one former senior U.S. intelligence official who worked extensively with the crown prince. “He prefers high-risk strategies. He minimizes the danger of blowback, and he doesn’t think about the knock-on consequences.” These advanced cyber capabilities might have been less risky if they had been managed by professionals in the Saudi intelligence services, but they instead became political instruments for MBS and his powerful courtier, Qahtani.
The drive for dominance
The kingdom’s drive for digital dominance accelerated in 2017, for several reasons. MBS felt threatened by rivals within the royal family, especially after shadowy reports of two assassination attempts last year, according to U.S. intelligence sources. MBS responded with an internal coup, toppling Mohammed bin Nayef as crown prince in June 2017, and then in November of that year arresting more than 200 princes and other prominent Saudis and holding them at the Ritz-Carlton in Riyadh until they pledged loyalty and paid what amounted to ransom.
But MBS’s putsch provoked a vicious cycle. For every enemy the royal court arrested or put under surveillance, Qahtani and other courtiers warned that new ones were arising — many supposedly recruited by Saudi Arabia’s regional rivals, Iran and Qatar.
Qahtani was an aggressive field commander in cyberspace. He urged Saudis to submit names of suspected Qatar supporters and other dissidents through the Twitter hashtag “Black List.” He defended this social-media mobilization in an August 2017 tweet: “Do you think I make decisions without guidance? I am an employee and an executor of the orders of the king and the crown prince.”
The anti-Qatar campaign became a digital free-for-all. The Saudis and Emiratis felt that they had come late to the information wars, and for nearly a decade they had been fuming about the Qatar-backed satellite television network Al Jazeera and its support for Arab dissent. Now, they were settling scores. As the Qatar feud deepened, it became a hackers’ version of trench warfare — with stolen and leaked emails finding their way anonymously to U.S. news outlets.
Qatar claimed that the UAE hacked its state news agency’s Twitter feed in May 2017 and posted false items. A few months later, emails hacked from the account of Yousef Al Otaiba, UAE ambassador to Washington, were leaked to journalists. In May,an American businessman whose firm reportedly did work for the UAE alleged in a lawsuit that his communications had been hacked by American and British ex-intelligence officers hired by Qatar.
The wide-open U.S. media space became a zone of this Arab battle for influence. As I wrote in a column in May 2018, “For the Middle East combatants, the United States is becoming the new Lebanon — the place where other nations go to fight their dirty proxy wars.”
As 2018 dawned, Qahtani’s Center for Studies and Media Affairs was fighting a multi-front war against enemies, real and imagined. The Saudis continued looking for new weapons. DarkMatter had showed off its capabilities at “Black Hat” hackers’ conventions in Las Vegas in 2016, 2017 and 2018. Among DarkMatter’s offerings was the “Katim” phone system, which could combat other hackers by turning off its camera and microphone and automatically causing the device’s data to self-destruct if it was penetrated by an unauthorized user. Calls to DarkMatter’s headquarters in Abu Dhabi on Thursday weren’t answered, and a person close to the company said it wouldn’t respond.
The Saudis knew that Israel, their historical nemesis, had the most sophisticated cyber tools. And according to American, European and Saudi sources, the Saudis increasingly looked to buy technology from Israeli cyber companies.
The result was one of the most intriguing intelligence alliances in the history of the Middle East, as Israeli companies began sharing with the Saudis some of its cyber secrets. It was a devil’s bargain: Israel gained a secret Sunni Arab ally against Iran (and also an opportunity through cyber cooperation to gather information about the kingdom), and MBS obtained new tools to combat his internal enemies.
Three former U.S. officials say the Saudis specifically sought to purchase a sophisticated phone-hacking system called Pegasus, created by a firm founded in Israel called NSO Group Technologies.
The Pegasus system’s chilling capabilities were summarized in an October 2018 report by the Citizen Lab, a Canadian Internet research organization: “Once the phone is infected, the customer has full access to a victim’s personal files, such as chats, emails and photos. They can even surreptitiously use the phone’s microphones and cameras to view and eavesdrop on their targets.”
To conduct some of its transactions with the Israeli company, two sources say the Saudis worked partly through an affiliate of NSO called Q Cyber Technologies, based in Luxembourg. The company’s website offers few details about its business but displays an upbeat pitch for its cyber services: “Helping make the world a safer place.”
Two sources told me that Q Cyber dealt directly with the Saudis, helping solve problems that arose with cyber-monitoring systems. Q promised that it could access targets in a half-dozen Middle Eastern countries, as well as many of the biggest nations in Europe. Some Israelis were concerned about sharing these super-secret capabilities with a leading Arab nation, but two knowledgeable former U.S. officials told me the Saudi purchase was approved by the Israeli government.
An attorney who represents NSO Group and its Q Cyber affiliate, when asked about reported sales to Saudi Arabia, wouldn’t confirm or deny any of the firm’s clients. He offered this general comment about NSO and sales of its Pegasus surveillance tools: “They’re a supplier of a product. The customer makes representations that the product will be used in a way that’s lawful in that country. Obviously, there are sometimes abuses.”
“Qahtani was given a huge amount of leeway” in acquiring such systems, outside normal intelligence channels, said one British cyber consultant who has worked with him. An American who dealt with Qahtani on cyber matters described him as “very detail-oriented, but overly controlling” in trying to shape dealings with Western intelligence providers in ways that would help MBS politically.
Flies and bees
Khashoggi, as one of Saudi Arabia’s best-known journalists and leading “influencers,” was inexorably drawn into this conflict. As Qahtani beamed up his “army of flies” to combat Qatar on Twitter, Khashoggi’s friends wanted to create an alternative media presence.
Omar Abdulaziz, a young Saudi dissident living in Canada, encouraged Khashoggi in June and July of this year to help recruit a rival army of “electronic bees” to neutralize the Saudi online onslaught, according to a lawsuit filed in Tel Aviv last Sunday.
Khashoggi and Abdulaziz didn’t realize that the Saudis were able to spy on their messages, thanks to Israeli-supplied Pegasus surveillance tools, according to the lawsuit. The complaint alleges that two of Abdulaziz’s brothers were arrested in Saudi Arabia late last summer; one of the imprisoned brothers, pressured by his captors, “begged [Abdulaziz] to stop his work on political activities in which he was involved,” the suit contends. The Pegasus surveillance gave the Saudis information that “contributed in a significant manner to the decision to murder . . . Khashoggi,” the suit alleges.
An NSO spokesperson disputed allegations in the lawsuit. “While as a matter of security, we will not discuss whether a particular government has licensed our technology, this lawsuit is completely unfounded. It shows no evidence that the company’s technology was used and appears to be founded on a collection of so-called reports and articles that have been generated for the sole purpose of creating news headlines that do not reflect the reality of NSO’s work,” the spokesperson said. “We follow an extremely rigorous protocol for licensing our products — which are only provided after a full vetting as well as licensing by the Israeli government. ”
For Qahtani, the anti-Khashoggi campaign was personal. A Saudi official told me that Qahtani felt that he had let down his boss, MBS, by allowing Khashoggi to leave Saudi Arabia in 2017. When Khashoggi fled to the United States later that year and began writing columns for The Post that were critical of Saudi Arabia, Qahtani viewed him as a renegade enemy in the information domain he sought to control.
Just before Khashoggi began writing for The Post, some Saudi officials offered him a column in the pro-Saudi newspaper Al-Hayat, according to two Saudi officials who were briefed on the proposal. But Khashoggi soon began his Post columns, augmenting his voice in social media. The Saudis tried to squeeze him by preventing his son Salah from traveling outside the kingdom, which deeply upset Khashoggi, but he didn’t temper his writing or his independence.
Last July, according to a U.S. official, Qahtani had convinced MBS that Khashoggi was a threat to the kingdom’s attempts to control information, and the crown prince sent a message that month ordering that the renegade journalist be brought back to the kingdom, by force if necessary. The message wasn’t understood by U.S. officials until too late.
Khashoggi became a vulnerable target after he visited the Saudi Consulate in Istanbul in September to obtain papers for his fiancee. He was told to return the following week to complete the paperwork. Meanwhile, according to two Saudi sources, Qahtani helped gather a circle of intelligence and military operatives who were trusted by the royal court. The team sent to Istanbul was commanded by Maher Mutreb, a general involved in intelligence work who had been detailed to the royal court and was responsible for MBS’s communications security when he traveled abroad. A senior Saudi official told me Thursday that Qahtani was “currently banned from traveling and is under custody” as announced Nov. 15 by the Saudi public prosecutor.
Qahtani was fired in October from his job at the royal court and is one of 17 Saudis who were sanctioned by the Treasury Department for their role in Khashoggi’s death. Treasury said in its statement announcing the sanctions that Qahtani “was part of the planning and execution of the operation” that killed the Post journalist and that Mutreb “coordinated and executed” it.
This is a ghastly murder story, but as in any complicated case, we look for clues about how and why the killing took place. This killer’s motive was control of information.
Online Degrees & Certificates For Intelligence Professionals
American Military University’s online degrees and certificates in intelligence are taught by experienced professors. Many serve as leaders in intelligence, military or homeland security sectors and they impart real-world expertise in the online classroom. Our students also connect with an expansive network of intelligence students and professionals who are equally dedicated to service, professionalism, and the continual assessment and enhancement of the intelligence cycle.