Lord Of The Flies: An Open-Source Investigation Into Saud Al-Qahtani

Before tuning in via Skype to oversee the murder and dismemberment of Saudi Arabian journalist Jamal Khashoggi, Saud al-Qahtani, a high-level adviser to the crown prince of Saudi Arabia, Mohammed bin Salman (MBS), was best known for running social media operations for the royal court and serving as MBS’s chief propagandist and enforcer. His portfolio also included hacking and monitoring critics of the Kingdom and MBS.

What follows below is a summary of this investigation’s findings into al-Qahtani’s activities. The full report can be viewed here.

You can read the Arabic translation of the report here.

In 2012 and again in 2015, someone identifying themselves as al-Qahtani attempted to procure surveillance tools from controversial Italian spyware vendor Hacking Team. On July 5, 2015, this correspondence was unknowingly exposed by a hacker using the handle “Phineas Phisher,” who stole and published approximately 400 gigabytes of Hacking Team’s internal documents, source code and emails.

Al-Qahtani’s outreach to the spyware vendor appear to have gone unnoticed for years until August 29, 2017, when an Arabic-language Twitter account was created and began publicizing excerpts of al-Qahtani’s emails to Hacking Team. 

The account, which used the username @HIAHY and the display name تاريخ وذكريات (History and Memories), also tied the email addresses used by al-Qahtani to several online accounts. @HIAHY pointed out that an email address used by the individual purporting to be al-Qahtani to communicate with Hacking Team — saudq1978@gmail.com — was also used to register an account under the handle nokia2mon2 on the popular hacking website Hack Forums, which itself was breached in June 2011 by hacktivist group LulzSec.

Additional reporting by Motherboard in August 2018 revealed that the leaked Hacking Team correspondence included two additional email addresses used by the person purporting to be al-Qahtani: s.qahtani@royalcourt.gov.sa and saudq@saudq.com. 

Neither @HIAHY nor Motherboard were able to definitively prove that al-Qahtani owned the leaked email addresses, though both provided persuasive circumstantial evidence that al-Qahtani was indeed behind the emails to Hacking Team, and that he was the owner of the nokia2mon2 profile on Hack Forums.

This report expands on research and reporting by @HIAHY and Motherboard in seven sections. First, the report’s key findings are summarized. Second, a short biography charts al-Qahtani’s rise to power and summarizes his involvement in the Khashoggi murder. Third, al-Qahtani is shown to own the email addresses in the Hacking Team dump as well as a previously unreported mobile phone number — +966 55 548 9750 — that also appears in the leaked Hacking Team emails. Fourth, al-Qahtani’s activity on Hack Forums is examined in detail. Fifth, a previously unreported network of web infrastructure used by al-Qahtani for malicious purposes is identified and analyzed. Sixth, the contact information shown to belong to al-Qahtani in section three is used to uncover additional details about his online footprint, including his creation of fake social media profiles. Finally, the report’s conclusion addresses al-Qahtani’s unclear role in MBS’s continued efforts to silence critics and dissidents. 

The following are among the report’s key findings:

Al-Qahtani Owns The Contact Information Attributed To Him In The Hacking Team Leak

Saud al-Qahtani owns the email addresses saudq1978@gmail.com, saud@saudq.com and s.qahtani@royalcourt.gov.sa as well as the mobile phone number +966 55 548 9750. This confirms that it was al-Qahtani who reached out to Hacking Team to purchase their spyware tools in 2012 and 2015. 

The individual identifying themselves as al-Qahtani in emails to Hacking Team in 2012 and 2015 used two email addresses (saudq1978@gmail.com and saud@saudq.com) and a phone number (+966 55 548 9750) that can be definitively linked to al-Qahtani through information leakage from Google’s and Twitter’s password recovery pages.

The same individual also used the email address s.qahtani@royalcourt.gov.sa to communicate with Hacking Team. Thought it was not possible to definitively demonstrate al-Qahtani’s ownership of this email address through information leakage on password recovery pages, this report judges with high confidence that s.qahtani@royalcourt.gov.sa is al-Qahtani’s official government email address, owing in part to a June 2015 email exchange with a Hacking Team representative that involved the seamless, contemporaneous use of s.qahtani@royalcourt.gov.sa and al-Qahtani’s saud@saudq.com email address, which demonstrated a common owner of the two accounts.

Al-Qahtani Registered At Least 22 Domains, Some For Malware, DDoS Attacks

Al-Qahtani registered at least 22 domains since 2009, some of which have been used as command and control servers for malware:

  • aldewan-almalaky[.]com
  • aldewan-sa[.]com
  • aldewanalmalaky[.]com
  • aldewanksa[.]com
  • aldewannews[.]com
  • dewanmalaky[.]com
  • fahadserver[.]com
  • jasmn[.]info
  • ksa-aldewan-almalaky[.]com
  • kt-library[.]com
  • m-d-sa-news[.]com
  • markaz-dewan[.]com
  • markaz-dewan[.]net
  • markaz-royal[.]com
  • markaz-royal[.]net
  • royalcourt-ksa[.]com
  • royalcourt-sa[.]com
  • royalcourt-saudi-arabia[.]com
  • sa-aldewan-almalaky[.]com
  • saudidewan[.]com
  • saudq[.]com
  • saudqq[.]com

For example, several subdomains for markaz-royal[.]net were used by al-Qahtani to host malicious payloads and were detected as running malware such as Blackshades and Darkness/Optima. The host nokia2mon2.markaz-royal[.]net was included in a list of more than 13,000 hosts identified by the FBI as being involved with Blackshades activity and was was also observed as hosting a shell booter, which allows compromised websites to be used for DDoS attacks.

Another subdomain, saud4.markaz-royal[.]net, hosted Optima malware, based on Wayback Machine snapshots, which captured a Russian FAQ page for Optima and the login page for the Optima control panel:

In September 2016 and October 2016, two iterations of a text file hosted on a saudqq[.]com host were preserved by the Wayback Machine and include what appear to be SMS logs of two-factor authentication codes, login notifications and other communications sent to approximately one dozen phone numbers across Canada. 

The September 2016 capture shows logs for 12 SMS messages to Canadian numbers with area codes for Quebec (450) and Manitoba (204). The messages were sent from Canadian numbers with area codes for Ontario (289, 705), Toronto (647), Montreal (438) and Alberta (403). All of the messages are WhatsApp verification codes, except for one Google verification code (personally identifying information has been redacted): 

The October 2016 capture contains 142 SMS messages, all of which were sent to Canadian numbers with the Quebecois area code 450. Only five numbers were targeted — two were messaged once each; one was messaged 17 times; another was messaged 47 times; and another still was messaged 76 times. The content of the messages varied widely. Messages appearing to be security or confirmation codes were sent for Coinbase, WeChat, Instagram, Microsoft, VK, WhatsApp, Steam, AirBnB, Viber and AOL.

Some messages included security warnings: 

  • “Someone is replacing the security info for Microsoft account [redacted]@gmail.com. Not you? https://account.live[.]com/Proofs/Manage”
  • “Verification code: [redacted]. The code is only used for removing WeChat restrictions. Do not share it with anyone.”
  • “Unusual sign-in for Microsoft account [redacted]. Review at https://account.

Al-Qahtani demonstrated exceptionally poor operational security when registering nearly all of these domains. The Whois records of all but three (saudq.com, saudqq.com and jasmn.info) included either his personal email address (saudq1978@gmail.com), mobile phone number (+966 55 548 9750) or variations on his real name.

Just two of the domains listed above are currently active: saudq.com and jasmn.info.

Al-Qahtani Was Active On Hack Forums, Purchased Spyware, Posted While Drunk

Confirming that saudq1978@gmail.com is owned by al-Qahtani establishes that the Hack Forums account registered with that email address, nokia2mon2, also belongs to al-Qahtani. Al-Qahtani was an active user on Hack Forums, posting more than 500 times between July 2009 and September 2016.

Among other things, al-Qahtani’s posts on Hack Forums detail the hacking tools and services he purchased and used and the social media platforms and mobile apps he targeted. By June 2011, less than two years after joining the forum, he estimated that he had 90% of paid and free RATs on the market. Al-Qahtani also paid Hack Forum members to have social media accounts deleted and sought to manufacture engagement activity on major social media platforms, including YouTube and Facebook.

He also posted at least three times while drunk, by his own admission, and opined on topics unrelated to hacking such as the role of religion in politics and policy toward Iran.

Al-Qahtani fell victim to at least three scams while he was active on Hack Forums, and, in December 2015, his account was briefly hacked. When he regained control of his account, he advised fellow Hack Forum members to enable two-factor authentication.

Created Fake Accounts On LinkedIn, Facebook

Using the contact information owned by al-Qahtani, it was possible to identify additional contact information for him and identify several accounts linked to these email addresses and phone numbers. He has a LinkedIn Premium account under the name “saud a” (al-Qahtani’s middle name is Abdullah), where he describes himself as a “headhunter” based in Saudi Arabia.

He created a Facebook profile under the persona of a pro-Mubarak “Egyptian citizen at the end of his life,” and he also has accounts on Snapchat, WhatsApp and Signal.

Conclusion

MBS’s repression machine is alive and well thanks in no small part to the Trump administration’s refusal to hold the Saudi strongman and his regime to account. 

Since Khashoggi was murdered last October, the CIA has observed its “duty to warn on three separate occasions, sharing intelligence to alert dissidents based in the U.S., Canada and Norway to threats originating from Saudi Arabia. 

The extent to which the crown prince’s right-hand man, Saud al-Qahtani, is continuing to play a role in Saudi Arabia’s campaign of intimidation is unclear. 

The Saudi government has not publicly discussed his whereabouts, though in private, Saudis officials claim that he is under house arrest. 

However, multiple media outlets have cited sources saying that he is still in MBS’s good graces and continuing to work in a similar capacity as before he was officially ousted from the royal court. In January 2019, the Washington Post reported that al-Qahtani had been seen in the offices of the royal court in Riyadh. That same month, Washington Post columnist David Ignatius reported that MBS is in regular contact with al-Qahtani, who had recently met with his senior deputies from the Center, citing U.S. and Saudi sources. In April 2019, a source told the Guardian that MBS remains loyal to al-Qahtani, who is “actively engaged” in a role similar to the one he held as head of the Center, though now within MBS’s private office.  

The best open-source indication to date that al-Qahtani is continuing his hacking work comes from the Guardian, which reported in June 2019, that it was targeted by a Saudi hacking team at the order of al-Qahtani. The newspaper was initially warned of the order by a source in Riyadh earlier this year, and the threat was subsequently corroborated by a confidential internal order signed by al-Qahtani, which the Guardian reviewed. The document, dated March 7, 2019, was written in Arabic and instructed “heads of technological and technical departments” run from the cybersecurity directorate within the private office of the MBS to “carry out the penetration of the servers of the Guardian newspaper and those who worked on the report that was published, and deal with the issue with complete secrecy, then send us all the data as soon as possible.”

Al-Qahtani is not among the 11 suspects facing trial in Saudi Arabia for the murder of Khashoggi.

On June 19, 2019, Agnes Callamard, the United Nations (UN) Special Rapporteur on extrajudicial, summary or arbitrary killings, published a report on Khashoggi’s death, calling it a “premeditated extrajudicial execution” at the hands of the Saudi state. “His killing was the result of elaborate planning involving extensive coordination and significant human and financial resources. It was overseen, planned and endorsed by high-level officials. It was premeditated.”

The report specifically names al-Qahtani and MBS as two high-level officials who have not been criminally charged but for whom there is “credible evidence meriting further investigation.” 

Callamard is scheduled to present the findings of her investigation to the UN Human Rights Council on June 27, 2019. Khashoggi’s fiancée, Hatice Cengiz, will also address the Council. 

The findings included in this report are not exhaustive, and research into al-Qahtani’s web infrastructure is ongoing. In addition to the 22 domains analyzed above, this investigation identified several other domains that are likely linked to al-Qahtani but require further research and analysis. Any additional findings will be published in a follow-up report.

#وش_تعرف_عن_النحل