Fraud Management & Cybercrime , Governance & Risk Management , Insider Threat
Feds Allege Saudi Spies Infiltrated TwitterUS Charges Two Ex-Employees and Saudi National With Spying on Twitter Users
The U.S. Department of Justice has charged three men with perpetrating a campaign to infiltrate Twitter and spy on critics of the Saudi government.
See Also: LIVE Webinar | Stop, Drop (a Table) & Roll: An SQL Highlight Discussion
On Wednesday, prosecutors unsealed a criminal complaint against two ex-employees of Twitter: Ali Alzabarah, 35, of Saudi Arabia, and Ahmad Abouammo, 41, of Seattle. The complaint also names Ahmed Almutairi, aka Ahmed Aljbreen, a 30-year old Saudi national.
All three men have been charged with acting as illegal agents of a foreign government.
“The criminal complaint unsealed today alleges that Saudi agents mined Twitter’s internal systems for personal information about known Saudi critics and thousands of other Twitter users,” says U.S. Attorney David L. Anderson. “U.S. law protects U.S. companies from such an unlawful foreign intrusion. We will not allow U.S. companies or U.S. technology to become tools of foreign repression in violation of U.S. law.”
FBI Warns of Insider Threat
The FBI arrested Abouammo, a U.S. citizen, in Seattle on Tuesday. He's also been charged with lying to agents when they interviewed him in October 2018, as well as attempting to obstruct the investigation by providing them with a falsified invoice.
Alzabarah has been accused of sharing 6,000 Twitter users' private details with Saudi officials in 2015.
But both Alzabarah and Almutairi remain at large and are believed to be in Saudi Arabia. Federal warrants have been issued for their arrest.
“The FBI will not stand by and allow foreign governments to illegally exploit private user information from U.S. companies," says FBI Special Agent in Charge John F. Bennett. “Insider threats pose a critical threat to American businesses and our national security.”
"We would like to thank the FBI and the U.S. Department of Justice for their support with this investigation."
As The Wall Street Journal reports, the charges are unusual because they involve a Middle Eastern ally of the U.S. and include allegations of spying.
But the alleged campaign squares with previously seen efforts by the ruling regime in Saudi Arabia to aggressively pursue critics, some of whom it has directly targeted via state-sanctioned assassinations, according to Western intelligence agencies (see: Attackers Exploit WhatsApp Flaw to Auto-Install Spyware).
Confidential Information Sought by Saudis
Here's how the ex-Twitter employees allegedly spied on users: From November 2014 until at least May 2015, Almutairi and unnamed Saudi foreign officials convinced the two then-Twitter employees "to use their employee credentials to gain access without authorization to certain nonpublic information about the individuals behind certain Twitter accounts," the Justice Department says.
"Specifically, representatives of the kingdom of Saudi Arabia and the Saudi royal family sought the private information of Twitter users, including their email addresses, IP addresses, and dates of birth, of persons some of whom published posts deemed by the Saudi royal family to be critical of the regime," prosecutors say. "This information could have been used to identify and locate the Twitter users who published these posts."
Almutairi allegedly "arranged meetings, acted as a go-between and facilitated communications between the Saudi government and the other defendants," according to court documents.
Abouammo met with a Saudi official on Nov. 29, 2014, while in London to attend a Twitter global media summit, and one week later began accessing information on certain Twitter users, including Twitter-User-1, "a prominent critic of the kingdom of Saudi Arabia and the royal family with over 1 million Twitter followers," according to the criminal complaint, written by FBI Special Agent Letitia Wu, who works in the counterintelligence division of the bureau's San Francisco office.
That Twitter account, the Guardian reports, belonged to Omar Abdulaziz, a prominent journalist who was close to the late Washington Post columnist Jamal Khashoggi, who was a U.S. resident. The U.S. Central Intelligence Agency has concluded that Khashoggi, a vocal critic of the Saudi government, was killed in October 2018 on the orders of Saudi Crown Prince Mohammed bin Salman in the country's consulate in Istanbul.
Abouammo and Alzabarah allegedly received goods and payments in return for their services. Abouammo, for example, allegedly saw a $100,000 wire transfer get sent to a close relative in Beirut, and also received a Hublot Unico Big Bang King Gold Ceramic watch worth $20,000, which he attempted to sell via Craigslist, according to court documents. Abouammo allegedly told the FBI that he'd purchased the watch from a store in the U.K., but the bureau says that when a U.K. law enforcement official visited the store, they were told that it didn't sell that type of watch.
Abouammo Worked as Media Partnership Manager
Abouammo worked as a media partnership manager for the Middle East and North Africa, or MENA, from Nov. 3, 2013, to May 22, 2015, and "was involved in assisting notable accounts of public interest, brands, journalists and celebrities for the MENA region with content, Twitter strategy and sharing best practices," according to the complaint.
After Abouammo took a job with a new company in May 2015 and moved to Seattle, he continued to attempt to facilitate Saudi requests - typically from "Foreign-Official-1," by routing the official's requests to his former Twitter co-workers, according to court documents. While the official is not named in the documents, they say that in 2015 he became the head of a Saudi royal family member's private office.
Alzabarah Worked as Site Reliability Engineer
Alzabarah is a Saudi citizen who lived in San Bruno, California, from 2014 until at least Dec. 3, 2015, after originally entering the U.S. in 2005 on a scholarship funded by the Saudi government, according to court documents. From August 2013 to December 2015, he was employed as a "site reliability engineer" at Twitter's headquarters in San Francisco, prosecutors say.
Alzabarah's alleged assistance to the Saudi government continued until at least December 2015, according to the criminal complaint.
Federal officials say Twitter managers confronted Alzabarah, accusing him of inappropriately accessing Twitter user information, after which he sought help from Almutairi and others and fled the U.S. the following day. He allegedly emailed his resignation notice to Twitter while in transit.
“The criminal complaint … alleges that Saudi agents mined Twitter’s internal systems for personal information about known Saudi critics and thousands of other Twitter users”
—U.S. Attorney David L. Anderson
Both of the ex-Twitter employees violated the Twitter "playbook" agreement they'd signed, prohibiting them from engaging in outside employment or consulting or doing anything that would create a conflict of interest with the company, and both men had also signed confidentiality agreements, in which they promised to "keep and hold all … proprietary information in strict confidence and trust," according to the complaint.
In addition, both men had signed a security agreement in which they promised to not share any confidential data - including user data - with any third parties without prior approval, as well as another agreement requiring them to disclose any gifts they received that were worth more than $100, which they agreed to return.
Twitter, in a statement shared with Information Security Media Group, thanked the FBI and Justice Department for its assistance.
"We recognize the lengths bad actors will go to try and undermine our service. Our company limits access to sensitive account information to a limited group of trained and vetted employees," Twitter says in the statement. "We understand the incredible risks faced by many who use Twitter to share their perspectives with the world and to hold those in power accountable. We have tools in place to protect their privacy and their ability to do their vital work. We’re committed to protecting those who use our service to advocate for equality, individual freedoms, and human rights."