Is the UAE tied to Bahamut, the mercenary Middle Eastern hacker group?

With seemingly little pattern to their attacks, most countries in the Middle East have been the victim of this secretive hacker group. Their well-planned attacks have targeted Turkey, Qatar, Pakistan, Iran, Egypt, and Saudi Arabia; with considerable attention to targeting activists, journalists and human rights organisations.

The group’s name Bahamut, refers to a gargantuan sea monster in ancient Arab mythology, where the earth rests on the head of a bull, standing on the Bahamut, which is in turn held up by an angel. The mythical name passed into English, becoming the root for the word ‘behemoth’.

The group regained notoriety after Blackberry released a report on the group detailing its methods, capabilities and broad reach. The report also warned against rising cyberwarfare capacities in a rapidly changing Middle East.

The Blackberry report built on a number of previous reports detailing hacks that started as far back as 2016. Given the broad range of targets, and diverse interests, Blackberry researchers concluded that the group was likely a mercenary group for hire “reflecting a skill-level well beyond most other known threat actor groups.”

The group uses a variety of methods, including zero-day exploits (weaknesses the designer of a computer or phone is unaware of) and intelligent phishing campaigns, which present fake versions of websites or official text messages to a user, while prompting them to enter their username and password. 

Blackberry reports that Bahamut has also designed compromised phone apps, with near perfect websites including privacy policies and terms of service. These included video streaming services, call recording, music, prayer time, chat, vpn and Quran apps. 

One particular strength of theirs is fake news, with a demonstrated ability to create fake activist and journalist personas and profiles and set up entire fake news websites providing actual news, with subtle misinformation.

Murky waters

From when it first surfaced in 2016, Bahamut has adopted a number of names, with Blackberry researchers finding strong similarities between its many aliases. For instance, under the guise of The White Company, it attacked Pakistani security interests and newspapers.

The report poses serious questions however, between possible parallels between the group and the United Arab Emirates.

First, Bahamut’s rise occurred in the same year that the UAE began building its nascent cyberwarfare capacities. It’s infamous DarkMatter tech group was the final version of Project Raven, which used former US National Security Agency employees to spy on and hack governments, human rights activists and American citizens. 

In 2016, and 2017 Project Raven would break into hundreds of iPhones and computers around the world, including individuals in the governments of Qatar, Turkey, Yemen and Iran. 

In the same vein, the UAE would play a key role in brokering a deal between Saudi Arabian representatives of Crown Prince Mohammed bin Salman, and the NSO Group, an Israeli intelligence and surveillance company with deep political ties.

The deal netted Saudi Arabian intelligence’s use of Pegasus, a hacking software capable of cracking previously secure Macbooks and iPhones. Both the UAE and Saudi Arabia made full use of their new capacities, hacking journalist Jamal Khashoggi’s phone prior to his murder, as well as a broad array of dissidents, enemies and political opponents.

While the UAE’s ties to Israeli NSO group stretch back as far as 2013, their introduction to Saudi Arabia took place months before MBS’s infamous purge in 2017, which saw 159 Saudi princes and business leaders imprisoned in the Ritz Carlton. 

Coincidence or correlation?

One of Bahamut’s aliases, Windswept was was exposed by Dark Matter analyst and security researcher Taha Karim, a French national of North African descent. His report expands on how Windswept had the capacity to use zero-day exploits on Apple phones and computers, well after the company he worked for had established its use of the same techniques on dissidents, activists and political opponents.

While it remains uncertain if Karim was aware of complete ongoings in his company, a striking parallel exists between the two groups who were using the same hacking methods on some of the same targets at the time.

But the coincidences only increase.

Qatar crisis

One of the main triggers to the Gulf crisis that left Qatar besieged was the hacking of the Qatar News Agency, which US intelligence officials confirm was discussed by senior members of the UAE government, while emphasising they were unsure if they carried out the attack directly or contracted a third party to execute it.

On May 24 2017, the compromised QNA website shared false reports that misquoted Qatar’s Emir Sheikh Tamim bin Hamad al Thani declaring Iran an “Islamic power” and praising Hamas.

Citing the Emir’s incendiary comments, Saudi Arabia, UAE, Bahrain, and Egypt collectively banned Qatari media outlets, declared a trade and diplomatic boycott, before sealing borders with the small Gulf state as well. 

The hack on QNA was routed through a Russian IP address, similar to Bahamut’s usual attacks, even though it doesn’t prove the hack originated in Russia. The hack was also supported by an army of fake Twitter bots, that worked to spread the fake news. 

An Al Jazeera investigative documentary reveals that 80,000 fake Twitter accounts were used. Qatari investigators claim nearly 80 percent of the clicks on a Tuesday at midnight came from one IP address in the UAE, which kept refreshing the page, presumably waiting for the story to pop-up. 

While state-backed hackers have stolen and leaked corporate emails, hacked the US democratic convention, possibly shifted the course of the US 2016 election and carried out attacks on Ukraine’s power plants, this marks the first time a cyber attack has used fake news to spark an international confrontation. 

The only other recorded group established in its use of fake social media accounts, fake news articles and websites is Bahamut, presenting a worrying possibility. 

Missing paper trail

In its defence, the UAE was also the victim of alleged attacks by Bahamut. Given past precedent that its own citizens are not protected from the long-reach of its surveillance state with the hacking and torture of renowned Emirati activist Ahmed Mansoor; the defence is not absolute.

Among the alleged victims was Shaima Gargash, current UAE deputy Chief of Mission to the United States, UAE Foreign Minister Anwar Gargash, the head of an Emirati think tank, among other state institutions. 

No news articles can be found however, mentioning any form of hack on Shaima Gargash. As for the UAE’s foreign minister, while a hack is referenced, it was never carried out. The Foreign Minister was allegedly phished with a fake Google sign-in, taking place after the Qatar News agency hack, as he attempted to read an article about Middle Eastern government support for Donald Trump.

Critically enough, no reports can be found of a hack on the UAE’s Ministry of Defense, its Supreme Council for National Security, or the head of a think tank where attacks were alleged to have taken place.

Similar methods, similar tools

While no hard evidence exists to link the UAE to Bahamut, their methods and the timing of their increased cyberwarfare capacity yields significant similarities, leaving open the possibility that Bahamut may have been contracted as a third-party to Emirati ends.

Leaving aside both the UAE and Bahamut’s ownership and use of a zero-day exploit against dissidents, a concerning link arises with the Israeli NSO group that provided the hacking software to the UAE in the first place. 

A Bellingcat security report details how Bahamut used a fake notification from an app called Truecaller to target a relative of Iranian President Hassan Rouhani, two Iranian dissidents, and the head of an Emirati think tank. 

A nearly similar attack was documented by an Amnesty International report, pointing out that Israeli hacking software was used against Morrocan activists, through a false notification from the Truecaller app. Amnesty International confirmed this was done through Israeli Pegasus spyware, which has since been widely used by the UAE and Saudi Arabia. 

In a written description of the Bahamut, Jorge Luis Borges details how God created the Bahamut to support the earth, placing water beneath the Bahamut for support, and darkness under the water. 

“The knowledge of mankind fails as to what is under the darkness,” writes Borges. Nearly 53 years later, his words still hold true. Bahamut’s makers and sponsors may never leave the dark.