Twitter breach in 2015 tied to Saudi dissident arrests

Twitter headquarters in San Francisco. Picture: Bloomberg/David Paul Morris

Twitter headquarters in San Francisco. Picture: Bloomberg/David Paul Morris

Published Aug 20, 2020

Share

By Ryan Gallagher

An internal breach at Twitter a half decade ago yielded data that was later used by Saudi Arabia to harass or arrest people critical of the government, according to lawsuits, human rights groups and the relative of a person apprehended in 2018.

In 2015, two Twitter employees allegedly accessed more than 6,000 accounts while acting as spies for the government of Saudi Arabia. Some details of the incident have been disclosed by U.S. prosecutors, who charged the two men last November, and in recent lawsuits by people who alleged their accounts were among those breached. But few other details have emerged about what the Saudi government may have done with the data.

Now, the sister of a Saudi man who ran an anonymous Twitter account said her brother's disappearance resulted from the activities of the alleged Twitter spies. Abdulrahman al-Sadhan was working at his office in Riyadh on March 12, 2018 when Saudi Arabia's secret police showed up and took him away, according to his sister, Areej al-Sadhan. His family hasn't seen him since, and until he was permitted to make a short phone call to a relative in February, they worried that he might have been killed.

A 36-year-old employee of the humanitarian group Red Crescent Movement, al-Sadhan was a regular commentator on human rights and social justice issues in Saudi Arabia. He voiced his opinions on an anonymous Twitter account that had garnered thousands of followers, according to his sister.

"It is clear this was a targeted attack on purpose on activists and critics on Twitter," said Areej al-Sadhan, who explained that she was told that her brother's account was breached by a person familiar with the U.S. investigation. "My brother, unfortunately, is one of those who was targeted. Now we are seriously concerned about his well being and health, given the awful history of human rights abuses in Saudi Arabia."

Several Middle East human rights organizations said they have identified six Saudi citizens who ran anonymous or pseudonymous Twitter accounts critical of the government who have been arrested. In at least five of those instances, the timing of the arrests and the Twitter breach indicate they are connected, according to Gamal Eid, executive director of the Arabic Network for Human Rights Information, or ANHRI, an Egypt-based group that monitors human rights violations in the region.

Three of the five Saudis who were arrested since 2015 used the Twitter names @sama7ti, @coluche_ar, and @mahwe13, according to ANHRI. A sixth case was identified by the human rights group Prisoners of Conscience, which said a Saudi man who posted political commentary on Twitter under the name @albna5y had been arrested in September 2017.

"I think all of them were arrested as a result of the Twitter hack" carried out by the alleged spies within the company, Eid said, adding that the arrests left him "deeply concerned" about the fate of activists in the country. "Saudi Arabia is spending millions of dollars on digital espionage and hacking the accounts of human rights defenders, critics and opponents.''

Two other Saudi dissidents, one in Canada and the other in the U.S., have claimed in lawsuits that their Twitter accounts were among those targeted by the alleged internal spying, an action that they say endangered them or their friends in Saudi Arabia.

Last month, Twitter suffered an embarrassing data breach in which 130 accounts were hijacked, including those of Barack Obama, Joe Biden, Jeff Bezos and Elon Musk. A 17-year-old Florida man was accused of being the mastermind, and two others were arrested for their role in the scheme, a cryptocurrency scam that allegedly netted more than $100,000.

While the Justice Department's indictment of Twitter's Saudi infiltrators has generated less publicity, it exposed a more serious issue: The reams of data collected on users by Twitter and other social-media companies makes them an ideal target for nation-state spying operations against which there are few effective defenses.

The Saudi operation underscores the stakes involved. Government critics in Saudi Arabia have been jailed and even executed, as in the case of the former Washington Post columnist Jamal Khashoggi, who was murdered in 2018 in the Saudi consulate in Istanbul.

"The recent hack of Twitter got a lot of attention because there were a lot of powerful people who were targeted," said Ben Gharagozli, a California-based civil rights attorney. The 2015 incident was "so much worse," he added.

"I don't think there's enough awareness of that,'' he said. "It's put a lot of people at risk of harm."

Saudi Arabia's Ministry of Foreign Affairs didn't respond to a request for comment, nor did the Saudi Embassy in Washington.

In August 2017, one of Saudi Crown Prince Mohammed Bin Salman's then-closest advisers, Saud al-Qahtani, issued a warning through his own verified Twitter account against anonymous Twitter accounts: "Does a pseudonym protect you from the #blacklist?" al-Qahtani wrote. "No."

Al-Qahtani explained that governments could find out the real identities of people using Twitter anonymously. He mentioned "technical ways" of tracing people's IP addresses, as well as a "secret I'm not going to say." In September 2019, Twitter permanently suspended al-Qahtani's account, citing "violations of our platform manipulation policies." Al-Qahtani was removed from his government post after the Khashoggi murder and placed under investigation. The public prosecutor later said there was insufficient evidence to charge him; however, he remains on a U.S. government sanctions list for his alleged role in the killing.

A Twitter spokesperson said once the company had learned of the alleged breach by the two employees, it "cooperated with federal authorities and took immediate action to notify and protect affected individuals.'' Twitter said its teams, including information security and corporate security, work to support employees around the world "when they deal with concerns, including pressures they may be put under for access to non-public information."

Twitter declined to provide the names of accounts that were compromised, saying it only provides disclosure of non-public information of users for valid legal reasons.

In 2015, the FBI notified Twitter that at least one of its employees was spying for Saudi Arabia, according to sources with knowledge of the investigation that followed.

Twitter employees Ali Alzabarah, a Saudi citizen, and Ahmad Abouammo, an American-Lebanese citizen, were charged by the U.S. Justice Department last year with secretly working as spies for the Saudi government. They collected information from Twitter's internal systems that revealed the phone numbers, IP addresses and other details associated with Saudi dissidents who were operating on the platform, according to the DOJ's case.

They were accused of either accepting gifts and cash, or promises of future employment, from Saudi officials in exchange for private information about Twitter users who criticized the Saudi royal family and government. In a single day in June 2015, Alzabarah allegedly accessed without authorization the private data of approximately 5,502 Twitter users, according to a criminal complaint filed in November last year.

Abouammo is currently awaiting trial for offenses including acting as an agent of a foreign government, wire fraud and money laundering. He pleaded not guilty.

Alzabarah was confronted by Twitter in December 2015 about his alleged actions and fled to Saudi Arabia the next day. There, Alzabarah was appointed as the chief executive officer of the Misk Initiatives Center, a subsidiary of the Saudi crown prince's Misk Foundation. (Bloomberg has an agreement with the Misk Foundation to improve financial literacy and develop financial journalism skills for young professionals in Saudi Arabia.)

Neither Abouammo nor Alzabarah responded to an emailed request for comment.

Following the charges against its former employees last year, Twitter said it had made changes to its internal systems, employee training and security policies.

The company also said it had sent notices to owners of accounts that Alzabarah appeared to have accessed without authorization. Some of the few dozen recipients, which included security and privacy researchers, surveillance specialists and journalists, worked at the Tor project, which seeks to allow users to use the internet anonymously, without interference from government censors or surveillance, according to the New York Times.

A few other details about the Twitter breach have emerged from lawsuits filed against the company by men who claim they were targeted by Saudi Arabia as a result.

Omar Abdulaziz, a Saudi dissident video blogger, alleges in his lawsuit that Saudi Arabia recruited Alzabarah to access his private Twitter information, including direct messages and other information. He said the company never warned him that his account had been compromised on behalf of the Saudis, putting him in danger and forcing him to leave his apartment in Canada and to quit his graduate studies. Twitter said it properly warned Abdulaziz that his account had been targeted by a state-sponsored effort. On Aug. 12, a U.S. magistrate judge dismissed the case, while questioning Twitter's responsibility to police rogue employees conducting a covert espionage campaign for a nation-state. Abdulaziz's lawyers said they plan to file an amended complaint.

Another Saudi dissident, Ali al-Ahmed, who is based in Washington, filed a lawsuit against Twitter in July alleging that his account was one of those compromised by Alzabarah and Abouammo. Al-Ahmed said in an interview that he used his account to communicate using private messages with other Saudi dissidents, including Abdulrahman al-Sadhan and sources close to the Saudi government, who would sometimes leak information to him. Twitter said it also notified al-Ahmed in 2015 that his account had been compromised, which al-Ahmed denies.

"A lot of people inside the country don't use their real name on Twitter. So they followed me and we exchanged messages," al-Ahmed said. "Some of them ended up dead or in jail."

Al-Ahmed runs the Institute for Gulf Affairs, a Washington-based think tank that draws attention to human rights abuses in Saudi Arabia. He said that he gained political asylum from the U.S. in 1998 and has for more than two decades attracted negative attention from Saudi authorities, due to his criticism of the country's rulers.

Al-Ahmed is hoping that his lawsuit may be able to uncover more individuals who were allegedly targeted by the two former Twitter employees.

"This is the test case," he said. "We cannot allow the Saudi government to dictate who is allowed to be on Twitter and to access information from Twitter that could lead to imprisonment, death and torture. It is outrageous."

The information the former Twitter employees allegedly passed to Saudi officials could have proven useful at tracking down the precise locations of different dissidents, according to Iyad el-Baghdadi, an Arab pro-democracy activist. El-Baghdadi has attracted his own unwanted attention from the Saudi government due to his opposition to its policies. Last year, he was placed under protective custody in Norway after authorities there reportedly received a tip from the CIA that he was in danger.

"I think what they were looking for was the phone numbers that were associated with particular accounts," he said. "If they get the phone number for someone in Saudi Arabia who is using a pseudonym on Twitter, they could then find out who the person was. They can look at phone records associated with the number or triangulate the calls."

Another Saudi man reported to have run an anonymous Twitter account was arrested around the same time as al-Sadhan, el-Baghdadi said. The man - Turki Bin Abdul Aziz al-Jasser - had been connected by human rights groups to @coluche_ar, one of the accounts that ANHRI has cited as being among those accessed by the Twitter breach.

Some media have reported that al-Jasser died while being tortured in custody. But Inès Osman, director of the MENA Rights Group, said Saudi authorities in February informed a United Nations team monitoring enforced disappearances that al-Jasser was being held in Al Ha'ir Detention Center near Riyadh. "We believe he is still alive," said Osman.

Areej al-Sadhan, who lives in the U.S., fears for the safety of her brother, but hopes he will eventually be freed.

Campaigning for his release hasn't been easy. Since she began trying to raise awareness about his case on Twitter and elsewhere, she said she has endured a torrent of threats from supporters of the Saudi government, who have warned her that, if she continues to speak out, she is "going to regret it."

"I will keep speaking up," she said. "In case something happens, people will know that I have been threatened. I just want to see my brother again. It shouldn't be a crime to express opinions on social media."

SAUDI-TWITTER 2089 words · 2 photos

Twitter breach tied to Saudi dissident arrests

Editor’s Pick

Repeating to add second photo

(c) 2020, Bloomberg · Ryan Gallagher · WORLD, TECHNOLOGY, MIDDLE-EAST · Aug 19, 2020 - 3:48 PM

An internal breach at Twitter a half decade ago yielded data that was later used by Saudi Arabia to harass or arrest people critical of the government, according to lawsuits, human rights groups and the relative of a person apprehended in 2018.

In 2015, two Twitter employees allegedly accessed more than 6,000 accounts while acting as spies for the government of Saudi Arabia. Some details of the incident have been disclosed by U.S. prosecutors, who charged the two men last November, and in recent lawsuits by people who alleged their accounts were among those breached. But few other details have emerged about what the Saudi government may have done with the data.

Now, the sister of a Saudi man who ran an anonymous Twitter account said her brother's disappearance resulted from the activities of the alleged Twitter spies. Abdulrahman al-Sadhan was working at his office in Riyadh on March 12, 2018 when Saudi Arabia's secret police showed up and took him away, according to his sister, Areej al-Sadhan. His family hasn't seen him since, and until he was permitted to make a short phone call to a relative in February, they worried that he might have been killed.

A 36-year-old employee of the humanitarian group Red Crescent Movement, al-Sadhan was a regular commentator on human rights and social justice issues in Saudi Arabia. He voiced his opinions on an anonymous Twitter account that had garnered thousands of followers, according to his sister.

"It is clear this was a targeted attack on purpose on activists and critics on Twitter," said Areej al-Sadhan, who explained that she was told that her brother's account was breached by a person familiar with the U.S. investigation. "My brother, unfortunately, is one of those who was targeted. Now we are seriously concerned about his well being and health, given the awful history of human rights abuses in Saudi Arabia."

Several Middle East human rights organizations said they have identified six Saudi citizens who ran anonymous or pseudonymous Twitter accounts critical of the government who have been arrested. In at least five of those instances, the timing of the arrests and the Twitter breach indicate they are connected, according to Gamal Eid, executive director of the Arabic Network for Human Rights Information, or ANHRI, an Egypt-based group that monitors human rights violations in the region.

Three of the five Saudis who were arrested since 2015 used the Twitter names @sama7ti, @coluche_ar, and @mahwe13, according to ANHRI. A sixth case was identified by the human rights group Prisoners of Conscience, which said a Saudi man who posted political commentary on Twitter under the name @albna5y had been arrested in September 2017.

"I think all of them were arrested as a result of the Twitter hack" carried out by the alleged spies within the company, Eid said, adding that the arrests left him "deeply concerned" about the fate of activists in the country. "Saudi Arabia is spending millions of dollars on digital espionage and hacking the accounts of human rights defenders, critics and opponents.''

Two other Saudi dissidents, one in Canada and the other in the U.S., have claimed in lawsuits that their Twitter accounts were among those targeted by the alleged internal spying, an action that they say endangered them or their friends in Saudi Arabia.

Last month, Twitter suffered an embarrassing data breach in which 130 accounts were hijacked, including those of Barack Obama, Joe Biden, Jeff Bezos and Elon Musk. A 17-year-old Florida man was accused of being the mastermind, and two others were arrested for their role in the scheme, a cryptocurrency scam that allegedly netted more than $100,000.

While the Justice Department's indictment of Twitter's Saudi infiltrators has generated less publicity, it exposed a more serious issue: The reams of data collected on users by Twitter and other social-media companies makes them an ideal target for nation-state spying operations against which there are few effective defenses.

The Saudi operation underscores the stakes involved. Government critics in Saudi Arabia have been jailed and even executed, as in the case of the former Washington Post columnist Jamal Khashoggi, who was murdered in 2018 in the Saudi consulate in Istanbul.

"The recent hack of Twitter got a lot of attention because there were a lot of powerful people who were targeted," said Ben Gharagozli, a California-based civil rights attorney. The 2015 incident was "so much worse," he added.

"I don't think there's enough awareness of that,'' he said. "It's put a lot of people at risk of harm."

Saudi Arabia's Ministry of Foreign Affairs didn't respond to a request for comment, nor did the Saudi Embassy in Washington.

In August 2017, one of Saudi Crown Prince Mohammed Bin Salman's then-closest advisers, Saud al-Qahtani, issued a warning through his own verified Twitter account against anonymous Twitter accounts: "Does a pseudonym protect you from the #blacklist?" al-Qahtani wrote. "No."

Al-Qahtani explained that governments could find out the real identities of people using Twitter anonymously. He mentioned "technical ways" of tracing people's IP addresses, as well as a "secret I'm not going to say." In September 2019, Twitter permanently suspended al-Qahtani's account, citing "violations of our platform manipulation policies." Al-Qahtani was removed from his government post after the Khashoggi murder and placed under investigation. The public prosecutor later said there was insufficient evidence to charge him; however, he remains on a U.S. government sanctions list for his alleged role in the killing.

A Twitter spokesperson said once the company had learned of the alleged breach by the two employees, it "cooperated with federal authorities and took immediate action to notify and protect affected individuals.'' Twitter said its teams, including information security and corporate security, work to support employees around the world "when they deal with concerns, including pressures they may be put under for access to non-public information."

Twitter declined to provide the names of accounts that were compromised, saying it only provides disclosure of non-public information of users for valid legal reasons.

In 2015, the FBI notified Twitter that at least one of its employees was spying for Saudi Arabia, according to sources with knowledge of the investigation that followed.

Twitter employees Ali Alzabarah, a Saudi citizen, and Ahmad Abouammo, an American-Lebanese citizen, were charged by the U.S. Justice Department last year with secretly working as spies for the Saudi government. They collected information from Twitter's internal systems that revealed the phone numbers, IP addresses and other details associated with Saudi dissidents who were operating on the platform, according to the DOJ's case.

They were accused of either accepting gifts and cash, or promises of future employment, from Saudi officials in exchange for private information about Twitter users who criticized the Saudi royal family and government. In a single day in June 2015, Alzabarah allegedly accessed without authorization the private data of approximately 5,502 Twitter users, according to a criminal complaint filed in November last year.

Abouammo is currently awaiting trial for offenses including acting as an agent of a foreign government, wire fraud and money laundering. He pleaded not guilty.

Alzabarah was confronted by Twitter in December 2015 about his alleged actions and fled to Saudi Arabia the next day. There, Alzabarah was appointed as the chief executive officer of the Misk Initiatives Center, a subsidiary of the Saudi crown prince's Misk Foundation. (Bloomberg has an agreement with the Misk Foundation to improve financial literacy and develop financial journalism skills for young professionals in Saudi Arabia.)

Neither Abouammo nor Alzabarah responded to an emailed request for comment.

Following the charges against its former employees last year, Twitter said it had made changes to its internal systems, employee training and security policies.

The company also said it had sent notices to owners of accounts that Alzabarah appeared to have accessed without authorization. Some of the few dozen recipients, which included security and privacy researchers, surveillance specialists and journalists, worked at the Tor project, which seeks to allow users to use the internet anonymously, without interference from government censors or surveillance, according to the New York Times.

A few other details about the Twitter breach have emerged from lawsuits filed against the company by men who claim they were targeted by Saudi Arabia as a result.

Omar Abdulaziz, a Saudi dissident video blogger, alleges in his lawsuit that Saudi Arabia recruited Alzabarah to access his private Twitter information, including direct messages and other information. He said the company never warned him that his account had been compromised on behalf of the Saudis, putting him in danger and forcing him to leave his apartment in Canada and to quit his graduate studies. Twitter said it properly warned Abdulaziz that his account had been targeted by a state-sponsored effort. On Aug. 12, a U.S. magistrate judge dismissed the case, while questioning Twitter's responsibility to police rogue employees conducting a covert espionage campaign for a nation-state. Abdulaziz's lawyers said they plan to file an amended complaint.

Another Saudi dissident, Ali al-Ahmed, who is based in Washington, filed a lawsuit against Twitter in July alleging that his account was one of those compromised by Alzabarah and Abouammo. Al-Ahmed said in an interview that he used his account to communicate using private messages with other Saudi dissidents, including Abdulrahman al-Sadhan and sources close to the Saudi government, who would sometimes leak information to him. Twitter said it also notified al-Ahmed in 2015 that his account had been compromised, which al-Ahmed denies.

"A lot of people inside the country don't use their real name on Twitter. So they followed me and we exchanged messages," al-Ahmed said. "Some of them ended up dead or in jail."

Al-Ahmed runs the Institute for Gulf Affairs, a Washington-based think tank that draws attention to human rights abuses in Saudi Arabia. He said that he gained political asylum from the U.S. in 1998 and has for more than two decades attracted negative attention from Saudi authorities, due to his criticism of the country's rulers.

Al-Ahmed is hoping that his lawsuit may be able to uncover more individuals who were allegedly targeted by the two former Twitter employees.

"This is the test case," he said. "We cannot allow the Saudi government to dictate who is allowed to be on Twitter and to access information from Twitter that could lead to imprisonment, death and torture. It is outrageous."

The information the former Twitter employees allegedly passed to Saudi officials could have proven useful at tracking down the precise locations of different dissidents, according to Iyad el-Baghdadi, an Arab pro-democracy activist. El-Baghdadi has attracted his own unwanted attention from the Saudi government due to his opposition to its policies. Last year, he was placed under protective custody in Norway after authorities there reportedly received a tip from the CIA that he was in danger.

"I think what they were looking for was the phone numbers that were associated with particular accounts," he said. "If they get the phone number for someone in Saudi Arabia who is using a pseudonym on Twitter, they could then find out who the person was. They can look at phone records associated with the number or triangulate the calls."

Another Saudi man reported to have run an anonymous Twitter account was arrested around the same time as al-Sadhan, el-Baghdadi said. The man - Turki Bin Abdul Aziz al-Jasser - had been connected by human rights groups to @coluche_ar, one of the accounts that ANHRI has cited as being among those accessed by the Twitter breach.

Some media have reported that al-Jasser died while being tortured in custody. But Inès Osman, director of the MENA Rights Group, said Saudi authorities in February informed a United Nations team monitoring enforced disappearances that al-Jasser was being held in Al Ha'ir Detention Center near Riyadh. "We believe he is still alive," said Osman.

Areej al-Sadhan, who lives in the U.S., fears for the safety of her brother, but hopes he will eventually be freed.

Campaigning for his release hasn't been easy. Since she began trying to raise awareness about his case on Twitter and elsewhere, she said she has endured a torrent of threats from supporters of the Saudi government, who have warned her that, if she continues to speak out, she is "going to regret it."

"I will keep speaking up," she said. "In case something happens, people will know that I have been threatened. I just want to see my brother again. It shouldn't be a crime to express opinions on social media."

Bloomberg

Related Topics:

cyber crime