Lessons Learned From a Saudi Spy Case at Twitter


Originally published at: https://worldview.stratfor.com/article/lessons-learned-saudi-spy-case-twitter-mbs-khashoggi

HIGHLIGHTS

  • New charges against two former Twitter employees whom Saudi Arabia recruited for spying purposes demonstrate the need for companies to keep tight control on which employees are able to access what kind of information and more.
  • In this specific case, Riyadh was not chasing critical business secrets, but user data for a specific group of Twitter accounts. 
  • The case illustrates that the threat of old-fashioned human intelligence remains potent, as Riyadh wished to recruit insiders, rather than hack Twitter.

In an age in which cybersecurity is top-notch, sometimes all it takes for hostile intelligence to gain a treasure trove of information is some old-fashioned espionage tradecraft — like finding an insider. In a criminal complaint filed Nov. 5 in U.S. District Court in San Francisco, the FBI accused two former Twitter employees and a third man of acting as agents of the Saudi government in the United States without declaring themselves. Two of the men, Ali Alzabarah and Ahmed Almutairi, are Saudi citizens, while the other, Ahmad Abouammo, is a U.S. citizen of Saudi descent. The men are charged with helping the Saudi government identify political dissidents and others on the social media platform who were critical of the government and Crown Prince Mohammed bin Salman. 

I've already written on the case for Stratfor's Threat Lens clients, but there are some important lessons in the affair for a wider audience — like rethinking just what kind of information it's important to protect, being circumspect on just which employees are entrusted with critical data and keeping an eye on who might be snooping around a company's workers. 

Recruiting Insiders

According to the criminal complaint, Abouammo — who is in U.S. custody alongside Almutairi — was employed at Twitter as a media partnerships manager from November 2013 to May 2015, when he worked with prominent users in the Middle East and North Africa, such as government officials, companies, journalists and celebrities. He became a focal point of the Saudi government in April 2014, when Twitter assigned him to handle Riyadh's inquiries and requests. The complaint notes that in late 2014, Abouammo met with Almutairi, who was running a social media company connected to the Prince Mohammed bin Salman bin Abdulaziz Foundation (MiSK), a charity with ties to "Royal Family Member 1" — who appears to be Mohammed bin Salman, the man who would later become Saudi Arabia's crown prince. 

In December 2014, Abouammo reportedly met with Bader al-Askar, the charity's director, in London and received an expensive watch from him. (The complaint states that Abouammo attempted to sell the watch, which he valued at $35,000, for $25,000 on Craigslist. He reportedly lied about its value in a subsequent FBI interview.) Reading between the lines of the complaint, the meeting in London was clearly the "pitch" stage of the human intelligence recruitment cycle, and Abouammo appears to have taken the bait — hook, line and sinker. After the meeting, Abouammo made several queries in Twitter's database for information on users of interest to Saudi Arabia. Al-Askar then paid him for the information, depositing the money in an account in Beirut that Abouammo's relative there opened on his behalf. Although Abouammo left his job at Twitter in June 2015 to move to Seattle, he continued to contact former colleagues at the company for information he needed to satisfy al-Askar's requests, receiving money for his services. All told, Abouammo received at least $300,000 in cash from al-Askar, plus the watch.

In February 2015, Almutairi called Alzabarah, who worked as a site reliability engineer at Twitter from August 2013 to December 2015 after initially coming to the United States on a Saudi government-funded scholarship to attend university in 2005. According to the complaint, a few days after establishing contact with Alzabarah, Almutairi traveled to San Francisco to have dinner with the engineer. Alzabarah, meanwhile, sent Almutairi a copy of his resume the same day they met for dinner. 

In May 2015, Alzabarah traveled to Washington, D.C., to meet with al-Askar. By the time of the meeting arranged by Almutairi, al-Askar was a member of the Saudi royal court, serving as the director of the private office of the crown prince. During the visit, it appears that al-Askar pitched and recruited Alzabarah, because within a week after returning from Washington, Alzabarah began conducting bulk searches of the Twitter account information of people of interest to the Saudi government. In total, the complaint alleges that he accessed the account information of over 6,000 users — including 33 accounts about which Saudi law enforcement agencies had demanded information from Twitter as part of "emergency disclosure requests."  

On Dec. 3, Alzabarah left his job at Twitter, abruptly returning to Saudi Arabia with his wife. He reportedly sent his resignation message to the company from the plane after he left the United States. Exactly why Alzabarah left the company is not publicly known, as authorities redacted seven paragraphs from the publicly released letter that might have explained the reasons for his sudden resignation. But given Alzabarah's hasty departure and the number of calls he made to Saudi officials during the process, including the consul general in Los Angeles, it is very likely that Twitter security and, possibly, the FBI questioned him about his activities on Dec. 2, 2015. 

Within a month of returning home, Alzabarah began working for al-Askar at MiSK as part of the team working on social media issues. From information recovered from Alzabarah's Apple Notes app, it appears that he was motivated by the offer of a lucrative job inside the kingdom, as well as government help in resolving an unidentified issue for his father, rather than by bulk cash, as Abouammo was. Still, he did contact al-Askar to inquire if his efforts might qualify for some of the $1.9 million in reward money the Saudi government was offering for information that helped prevent terrorist attacks, as some of the Twitter users of interest to Riyadh were terrorism suspects.

Maintaining Vigilance 

In writing about countering corporate espionage threats, we often outline how important it is to identify what data is truly important to protect; only grant access to such information to certain people; carefully vet such employees; and then control when, where and how they can access it. 

But in terms of determining what data to protect, it is important to recognize that different information will be of value to different spies. In this case, the Saudis were not interested in Twitter's algorithm — the secret sauce that makes the app work — the way a competitor would be. Instead, they were eager to glean information on the identities of a very specific set of Twitter users — to the extent that they were willing to pay hundreds of thousands of dollars to obtain it. This means that when deciding what information to protect, corporations should consider the goals and desires of various espionage actors, and not just what they consider to be valuable to their business internally.  

In addition to user-provided biographical data, Abouammo and Alzabarah succeeded in accessing information about the devices and browsers the targets used to access Twitter, as well as their IP addresses — the type of technical information that would be very useful to anyone wanting to compromise their devices with tailored malware. 

In this case, the criminal complaint noted that neither Abouammo nor Alzabarah had a work-related need to access the confidential user data that they obtained and passed on to the Saudi government. Twitter has reportedly addressed the problem by limiting access to user data, but given that Riyadh and other governmental and nongovernmental actors are clearly interested in this type of information, countries like Saudi Arabia will continue to use offers of large sums of cash to woo anyone — not just Saudis — who might be able to provide it. Because of this, profiling and stereotyping can be counterproductive. Furthermore, the fact that anyone might find themselves the target of a human intelligence recruitment pitch highlights the need to train employees on how to spot and respond to human intelligence approaches, not only so they can recognize when someone has targeted them, but also so they can notice when someone may have recruited their co-workers.

This case also illustrates that — current digital age notwithstanding — the low-tech, old-fashioned human intelligence threat remains extremely relevant. I've often argued that in a case where a company has good cybersecurity, it is often easier and cheaper for malefactors to simply recruit an insider than it is to try to hack their way into the information they desire. The Saudi Twitter affair also shows how insiders who have been recruited as corporate spies can serve as "advanced persistent insider threats" by remaining in place for months or even years as they feed information to a hostile intelligence actor. 

It is certainly no surprise that the Saudis would attempt to gather this type of information from Twitter given the global reach that social media has achieved. Twitter is also not the only social media company in the crosshairs; it just happens to be the one we have heard about because of this criminal case. Furthermore, the Saudis are not the only threat in this sphere, as a wide array of state and non-state actors have undoubtedly recruited corporate spies in a large number of companies and are in the process of spotting and recruiting others as I write this. Ultimately, it's a threat that pertains not just to Twitter but every company, especially in the current environment in which the corporate espionage threat is more critical than ever. Companies, however, don't have to fatalistically accept this reality. They can — and indeed must — work to identify and thwart the spies in their midst.  
