Why The Kremlin Probably Didn’t Hack Qatar’s State News

Qatar’s enemies are much closer than Moscow, and they’ve been sharpening their knives for a while now…
Doha, the capital of Qatar, at sunset.

Doha, the capital of Qatar, at sunset.


Just in case you missed it, the nation of Qatar woke up Monday morning to find itself a political pariah on the Arabian Peninsula. Almost every state in the Gulf Cooperation Council, the union of wealthy Arabic petrostates to which it belongs, as well as Egypt, cut diplomatic ties over a speech given by its emir, Hamad bin Khalifa Al Thani, declaring support for terrorist groups, and the nation of Iran. Qatari citizens were given two weeks to return home and residents of other Gulf states were asked to leave the tiny emirate.

There’s only one small snag with the whole thing. The inflammatory speech reported by Qatar’s state media agency never happened. Instead, a group of hackers posted a fake article used to justify the diplomatic row, and prompt President Trump to claim that his state visit to Saudi Arabia created an impetus to go after state sponsors of terror in the region. And just to keep this story from getting boring, CNN called out Russia as the primary suspect in the hack, citing unnamed FBI sources.

Of course the report left wiggle room to interpret the Russian hackers being either freelancers or state actors, and Russian officials have denied having anything to do with this mess in a textbook Trumpian way of bashing CNN’s use of anonymous sources, so clearly, it must be true, right? We’ve seen the same exact behavior before already, and this fits quite well into a narrative of unhinged Russians out to wreak havoc on today’s world order. But as we said before, hacks have to benefit the hackers, and in this case, it’s hard to see what possible benefit Russia would have from hacking Qatar.

While at first glance it seems that getting Qatar in trouble with its neighbors would be very bad news for the U.S. Central Command’s forward base, the largest American presence in the region, we should really consider letting Putin off the hook for this one. As with everything else in the Middle East, things are far, far more complicated than they appear. The buried lede here is that while the speech might be fake, Qatar is likely guilty of holding the opinions it’s being accused of holding and its actions since the Arab Spring have consistently infuriated its fellow GCC members.

The Trouble With Qatar

Flush with cash, the small nation has been punching above its weight while Saudi Arabia and its allies tried to ignore the Arab Spring. It threw support to the Muslim Brotherhood as Mohammed Morsi took power after the fall of Mubarak, an organization the Saudis see as a subversive, dangerous group responsible for its homegrown radicals. When Morsi was brought down in a coup, he was accused of being a Qatari spy, which led one Saudi official to threaten the emir of the small state with a similar fate on social media.

Likewise, Qatar has fairly cozy economic relations with Iran and has been accused of supporting Hamas, the terrorist group that has become the de facto governing body of the Gaza Strip, a charge the emirate denies. But its Al Jazeera network is criticized as overly critical of fellow GCC members in its coverage and being far too soft on Hamas, which is why its shuttering is one of the top demands issued by the GCC before diplomatic relations can resume. In essence, the powers that be in Doha, Qatar’s capital, are being charged with being too friendly with the UAE’s and Saudi’s enemies.

The core issue seems to be that Hamas and the Muslim Brotherhood are seen as Iranian proxies, even though both are Sunni organizations. Both have support from the predominantly Shia state which Saudis see as the biggest threat to their regional hegemony, and this is why they seem very happy to have an excuse to throw their weight around and send a list of extremely stern demands to Doha. The UAE, after several diplomatic rows with Qatar already, seems every bit as thrilled to join them.

All this may be yet another manifestation for the Muslim world’s battle for control of what sphere of Islamic influence reigns supreme, and with Qatar stuck in the middle, its hedging with Saudis, Iranians, Americans, and to a smaller extent, Russians, must have the House of Saud seething. Forcing Doha to make tough choices and pipe down by shuttering Al Jazeera under the guise of punishing a state sponsor of terror — which would, of course, let Trump make a victory lap and keep Americans out of the fray — would be a perfect motive for it to approve of such a hack.

Playing Pin The Hack On The Russian

So where do the Russians come in? CNN’s report is rather vague, as noted previously, but there’s a good chance that the FBI knows what it’s talking about when trying to attribute who is behind a hack. Normally, hacking a news site would require login credentials for an editor which would mean launching a standard please-confirm-your-password scam which involves sending e-mails with a link to a fake login page to intercept credentials. In cases like this, you’d target a contributor whose e-mail address is readily available online.

Once you get a working set of credentials, you’d find an editor to target and send a file which you weaponize with something like a PowerShell script that allows you to open a tunnel to the compromised machine. The file is a regular attachment from a regular contributor so it wouldn’t seem all that suspicious, especially if you similarly booby-trapped some documents in the contributor’s cloud folder and were able to find his or her next draft to use as bait after the contributor opened it and allowed you to hijack his or her computer. This is called spear-phishing, and it’s disturbingly effective.

You would rinse and repeat until you stole the credentials of someone who can actually publish stories for the viewing public, and viola, another big, nasty crisis in the Middle East created. But along the way, you’ve left some evidence. Swiping credentials with fake login forms means you need server space to host them and a domain to sell the authenticity of the forms. That tunnel to compromised machines has to end up hitting an IP address as well, and that could also be tied to a particular hacking outfit.

Likewise, if you know what software is used by the news site you’re trying to hack if it’s not custom-written, you can attack it head on with calls that you know will expose enough data to do some real damage. But this would also record an IP address that may not be well enough disguised, or was used in a hack attributed to you before. This is a very simplified version, yes, but it’s enough to illustrate the point. Hackers can leave traces of their work behind, and some of those traces and provide a decent guess when it comes to rough attribution if those hackers aren’t sufficiently careful on their end.

Perhaps the FBI found some of those crumbs pointing a domain registered to someone Russian, or a poorly masked IP pointing to servers in Russia. But if that’s really the case, it would make more sense that these were freelancers hired for the job, not a state agency carrying out Kremlin’s orders. Caught in a delicate situation in Syria, the last thing Russians want is more instability in the region as proxy fights between Saudis and Iranians would include several groups fighting in the war torn nation.

Russia Doesn’t Want Another Afghanistan

With an American-backed coalition closing in on Raqqa, the last stronghold of ISIS, they would find themselves in the middle of even more conflicts for the control over Syria’s future, possibly jeopardizing their base at Tartus. In any Russian commander’s mind that situation would be uncomfortably close to the bloody quagmire that was the Afghan War, and they definitely don’t have either the funds or the appetite for a similar venture. They don’t even seem to have the appetite to help restore the nation, only to do the barest minimum to keep Assad’s regime from completely falling apart.

Considering that cyberattacks against Qatari media are intensifying rather than dying down, Kremlin’s involvement would make even less sense. With the emirate’s economic partnership in oil and gas exploration with Iran, a Russian customer and client state, it’s geopolitically neutral, if not outright friendly ground for Russians. Why digitally sabotage them, then intensify the attack after being called out as a suspect in the case, accelerating that potential parade of horribles they’d want to avoid?

Again, this leaves us with Saudi Arabia and the UAE benefitting most from having Qatar in a diplomatic vice and America on the sidelines. By casting it as a state sponsor of terrorism, they might be hoping CENTCOM won’t be eager to lend its might as a deterrent against Saudi’s military aggression in a possible escalation, and the civilian government will let the whole thing play itself out. For the Saudis there’s virtually zero risk and everything to gain while Qatar is diplomatically and militarily marooned, not sure if it can rely on its powerful, heavily armed ally and tenant.

So forget the Kremlin’s cyber-rampages for a minute. This is far more likely to be the typical everyone-against-everyone, Shia vs. Sunni power struggle which involves a noxious mix of sectarian geopolitics and religion, with a shadowy proxy to do the initial dirty work, like most conflicts in the Middle East. And in a region ruled by autocrats with long memories, this event isn’t going to fizzle out anytime soon…

Politech // Media / Middle East / Russia / World