How ‘Mr. Hashtag’ Helped Saudi Arabia Spy on Dissidents

Saud Al-Qahtani, a close advisor of crown prince Mohammed bin Salman, was tasked with buying Hacking Team spyware, and apparently moonlighted as a member of online cybercrime website Hack Forums.

|
Oct 29 2018, 6:06pm

Earlier this month, security researchers revealed that the Saudi Arabian government tried to hack a prominent Saudi dissident and human rights worker who lives in Canada. This came just a few weeks after Amnesty International accused the country of using sophisticated spyware to hack one of its researchers. Then, the New York Times revealed that the Saudis have turned a Twitter employee into a spy who helped them keep tabs on digital rights activists by accessing their accounts and private messages.

These are just the latest revelations about Saudi Arabia’s aggressive push to quash dissent and track down activists online. The regime’s favorite tools online are Twitter bots to spread disinformation and pro-government propaganda, and spyware to keep tabs on those who dare to speak up. It’s part of a broader and years-long crackdown on free speech that has come to the forefront in the aftermath of the state-led murder of journalist Jamal Khashoggi, a Saudi Arabian citizen whose columns in the Washington Post were critical of crown prince Mohammed bin Salman.

Saudi Arabia has become a sophisticated hacking machine, able to target dissidents living on the other side of the world with expensive spyware. The regime has long focused on surveillance; the country bought hacking tools from Italian spyware vendor Hacking Team, according to emails that became public after the company was hacked in 2015. Several Saudi agencies paid Hacking Team almost 5 million euros in five years, according to spreadsheets leaked as part of the 2015 Hacking Team breach. In 2016, a year after Hacking Team’s embarrassing breach, a mysterious Saudi investor acquired 20 percent of the company, saving it from going under, as Motherboard reported earlier this year.

1540834159164-Screen-Shot-2018-10-29-at-12907-PM
A screenshot of a leaked spreadsheet with Hacking Team’s customer list, as of July of 2015.

According to the Hacking Team emails, a Saudi government advisor named Saud Al-Qahtani served as the kingdom’s primary point of contact with Hacking Team. Al-Qahtani also apparently remotely oversaw the murder of Khashoggi via Skype, insulting the journalist and ordering his colleagues to “bring me the head of the dog,” according to Reuters.

Until being fired last week, Saud Al-Qahtani worked as media adviser for Mohammed bin Salman. Some called him Saudi Arabia’s Steve Bannon, or “Mr. Hashtag” for his deft use of propaganda and social media online. He used to play a key role for the government, heading the kingdom's efficient efforts to disseminate disinformation and harass critics on social media, which earned him the nickname of “troll master.”

But off of social media, Al-Qahtani—or someone claiming to be him—seems to have played a much more important role for the government: Reaching out to and setting up meetings with Hacking Team in order to purchase the company’s surveillance tools. And, perhaps, trawling the rest of the internet looking for hacking tools for the country to use against dissidents.

“We need you to come ASAP”

Most importantly, Al-Qahtani appears to have been integral to Saudi Arabia’s relationship with Hacking Team: Someone also identifying himself as Saud Al-Qahtani had a large correspondence over the years with Hacking Team using the official government email s.qahtani@royalcourt.gov.sa, and saudq@saudq.com, according to company emails leaked by hackers in 2015.

“We here at the Center for Media Monitoring and Analysis at the Saudi Royal Court (THE King Office) would like to be in productive cooperation with you and develop a long and strategic partnership,” Al-Qahtani wrote using that .gov.sa address in a message sent directly to Hacking Team’s co-founder and CEO David Vincenzetti in 2015.

The emails show that Hacking Team was conducting business with this person; Vincenzetti promptly answered Al-Qahtani, noting that his “trusted Arab colleague will get in touch with you shortly.” Another email exchanged between that official Saudi government email address and Hacking Team referenced phone calls between company representatives and Al-Qahtani, and one of the emails appears to be tech support troubleshooting.

Got a tip? You can contact this reporter securely on Signal at +1 917 257 1382, OTR chat at lorenzofb@jabber.ccc.de, or email lorenzo@motherboard.tv

In 2012, years before the government-affiliated s.qahtani@royalcourt.gov.sa email address reached out to Hacking Team, someone calling themselves “Saud Al-Qahtani” and representing themselves as a member of the Saudi government, reached out to Hacking Team saying the Saudi government was interested in buying spyware, according to the emails. That Al-Qahtani identified as an employee of “royal court of saudi arabia, the king office,” and used the email saudq1978@gmail.com.

Al-Qahtani’s verified Twitter handle, where he makes strong political statements against Saudi Arabia’s enemies in the region, is @saudq1978, which was created in February 2011. The saudq1978@gmail.com email address was also used in 2009 to register an account on the popular website Hack Forums, which predates both the Hacking Team emails and the registration of the verified Twitter account, Motherboard has learned.

“We need you to come ASAP,” someone using the saudq1978@gmail.com email address wrote in one of the first emails exchanged with Hacking Team employees.

Motherboard has not been able to definitively link the saudq1978@gmail.com email to Al-Qahtani, but the tone and substance of the emails are similar to those sent from the s.qahtani@royalcourt.gov.sa email address. The emails also show that Hacking Team was initially skeptical and asked him to use an official email address.

“Since our policy allows us to work with governmental agencies only, I would like to know more information about this opportunity (the agency name and its needs). Your official email address is highly appreciated,” a sales manager told them.

The person using saudq1978@gmail.com told Hacking Team that, at the time, the Royal Court did not use official email. “Im authorized from my government to contact you. We are from the royal court of saudi arabia, the king office,” they wrote. “We don't have official emails and we use secure fax only.”

Hacking Team was apparently satisfied with this response (or a follow-up fax), because the company continued to correspond with that email address, and eventually set up a meeting in Saudi Arabia’s capital of Riyadh: “It is a pleasure for Hacking Team to visit you in Riyadh. We would be available to show you a live demo and a presentation of our solution on May the 9th 2012,” an account manager said in an email.

1540835972676-26083230857_60d515ed0b_o
Defense Secretary James N. Mattis meets with Saudi Arabia’s Crown Prince Mohammed bin Salman.(Image: US Department of Defense)

Around the same time it was corresponding with Hacking Team, whoever was using the saudq1978@gmail.com email address was also actively looking for hacking and surveillance tools elsewhere on the internet.

Someone using the same saudq1978@gmail.com email address used in earlier correspondence with Hacking Team as “Saud Al-Qahtani” was also a prolific member of the online cybercrime community Hack Forums for years, asking for help hacking victims and using surveillance software. The forum is considered a place mostly for young hackers with limited skills, where people can exchange hacking tips and buy rudimentary hacking tools and services.

Users need an email to register for a user account on the forum, and the email saudq1978@gmail.com was used to register the user Nokia2mon2, according to data published online by hackers who breached Hack Forums in 2011, which was reviewed by Motherboard.

A longtime Hack Forums insider told Motherboard that Nokia2mon2 had a Saudi Arabian address on the Paypal account he used to make donations to the forum. The source said that some vendors on the forums at the time operated under the assumption that the user was working for the Saudi Arabian government.

“I got the impression that he was well connected to the Royal family,” the source, who asked to remain anonymous to avoid bringing attention to his online persona, said in an online chat. “The rumor was that he was using Hack Forums to get tools to spy on journalists, foreigners, and dissidents.”

“The rumor was that he was using Hack Forums to get tools to spy on journalists, foreigners, and dissidents.”

In its entry about Nokia2mon2, the forum wiki calls him “one of the most known Hack Forums users.”

Nokia2mon2 made hefty donations, amounting to more than $10,000, to the forum, according to awards given to him by the site’s moderation team and listed on his user profile. Nokia2mon2 made 501 posts on the site between 2009 and April 2016, when the account went inactive. The user often asked for help using and buying spyware.

“IS THERE ANY RAT THAT CAN INFECT MAC PC?“ Nokia2mon2 asked in March 2014, using the infosec lingo for Remote Access Tool, software that can be used to control computers remotely and is popular among malicious hackers who want to break into victims’ computers and steal their files or turn on their webcams.

In another thread, the user said they were looking for an “expert” who could help with njRAT, a relatively popular and easy to use piece of spyware, because “AFTER executing THE FILE IN VICTIM after 1 SECOND its [disconnected].” The user offered $200 for their service.

1540834287648-Screen-Shot-2018-10-29-at-13103-PM
The Hack Forums account apparently belonging to former Saudi government employee Saud Al-Qahtani.

Security researcher Jacob Riggs was the first one to alert Motherboard that Al-Qahtani’s apparent Gmail appeared in both the Hacking Team leak and the Hack Forums leak. Motherboard independently verified that saudq1978@gmail.com is indeed the email associated with Nokia2mon2. We were not able to conclusively link that Gmail address to the former Saudi government advisor Saud Al-Qahtani, but through the Hacking Team emails were able to confirm that the email address was used to solicit hacking tools and to plan an in-person meeting with Hacking Team in Saudi Arabia.

Dylan Hailey, a cybersecurity researcher who said he used to monitor Hack Forums as part of his job at the time, told Motherboard that he still remembers the user Nokia2mon2.

What stuck out the most about Nokia2mon2, Hailey said, was that he was willing to offer a lot of money for relatively easy and generally cheap services.

“He did pay large amounts to have people target others for him, but he did it very poorly,” Hailey said in an online chat, adding that it was unusual because he believed many of the users on the site to be young people who typically didn’t have a lot of spare cash. “When most people from that site were minors it was rare to see that,” he added.

Hailey said he didn’t know who Nokia2mon2 was at the time. But he said it was clear the user was from Saudi Arabia or at least from the Middle East because one time Nokia2mon2 attempted to pay someone to setup malware for him and he exposed banking information that indicated he was from Saudi Arabia. Another time, Hailey recalled, Nokia2mon2 asked for help hacking a target by posting the victim’s email address, which prompted many users to spam the target.

Emails sent to saudq1978@gmail.com were not returned. Vincenzetti did not respond when I reached out to him via text message. The Saudi embassy in Washington DC did not respond to a phone call, nor to a message sent through its contact page.

Get six of our favorite Motherboard stories every day by signing up for our newsletter.