Three hackers for hire agreed to pay $1.68m in penalties to resolve a criminal investigation by the U.S. Justice Department into services they provided to the U.A.E. Government in violation of U.S. export control law and the Computer Fraud and Abuse Act.
Violations of U.S. export control laws always make an interesting read. The story only gets more riveting when it is about three former employees of the U.S. Intelligence Community (USIC) and the U.S. military who went rogue and agreed to work as “hackers for hire” for the U.A.E. Government.
This exceptionally unusual and sensitive case resulted in the D.O.J. entering this week into a first-of-its-kind deferred prosecution agreement (D.P.A.) with the three defendants. The enforcement action makes clear that former U.S. government employees are not exempt from compliance with the International Traffic in Arms Regulations (ITAR), and it underscores both the importance of controlling advanced cyber-surveillance capabilities and the risks of privatized digital espionage.
Hackers for hire by the U.A.E.
The defendants, two U.S. citizens and one former U.S. citizen, admitted to working illegally as hackers for hire for the U.A.E. in operations that included developing sophisticated spyware capable of compromising mobile devices without any action by their users, the Justice Department announced Tuesday.
Because the D.O.J. documents are heavily redacted and the subject matter is quite technical, I will add some notes from other reporting to make the story easier to follow. The story of Baier, Adams, and Gericke is not a secret; their misconduct was first exposed and documented in a multi-part Reuters investigation in January 2019.
Marc Baier, Ryan Adams, and Daniel Gericke were initially employees of a U.S. company (believed to be CyberPoint, a U.S. cybersecurity firm that ran “Project Raven” for the U.A.E.). The State Department had licensed the U.S. company to provide services to the U.A.E. in compliance with the ITAR, under a Technical Assistance Agreement (T.A.A.) approved by the Directorate of Defense Trade Controls (DDTC). But in 2015, the U.A.E. government terminated the U.S. company’s services and transferred the work to a U.A.E.-based company (redacted in the D.P.A. but believed to be DarkMatter).
Note: Project Raven was a confidential initiative to help the U.A.E. (Abu Dhabi) spy on other governments, militants, and human rights activists. Its team included former U.S. intelligence agents who applied their training to hack the phones and computers of Project Raven’s targets. DarkMatter reportedly hired more than a dozen former U.S. intelligence operatives and graduates of Israel Defense Forces technology units, paying them up to $1 million annually, and induced several CyberPoint staff to move to DarkMatter.
According to the D.O.J., in January 2016, after receiving an offer of higher compensation and an expanded budget, the three men joined the U.A.E. Company as senior managers of a team known as Cyber Intelligence-Operations (C.I.O.). Before their departure, the U.S. Company had repeatedly informed its employees, including the defendants, that the services they were providing constituted “defense services” under the ITAR and that U.S. persons could not lawfully provide such services to the U.A.E. Company without obtaining a separate T.A.A.
The U.S. Company’s T.A.A. specifically required the parties to abide by U.S. export control laws; to obtain preapproval from a U.S. government agency before releasing information regarding “cryptographic analysis and/or computer network exploitation or attack”; and not to “target or exploit U.S. Persons (i.e., U.S. citizens, permanent resident aliens, or U.S. companies or entities, or other persons in the United States) . . .”
The three defendants had received periodic ITAR and T.A.A. training during their employment with the U.S. Company.
After joining the U.A.E. Company, the defendants sought continued access to their former employer’s ITAR-controlled information, including from its employees, in violation of the T.A.A. and the ITAR.
While working for the U.A.E. Company, the three hackers for hire helped develop two similar iOS zero-click exploits, which they called Karma and Karma 2.
The men used servers in the United States belonging to a “U.S. Company Two” (presumably Apple) to gain the ability to obtain remote, unauthorized access to any of the tens of millions of smartphones and mobile devices running that company’s operating system (iOS). According to the D.O.J., the defendants leveraged these zero-click exploits to illegally obtain and use access credentials for online accounts issued by U.S. companies and to gain unauthorized access to computers, including mobile phones, around the world, including in the United States.
In 2016, Apple updated the operating system for its smartphones and other mobile devices, undercutting the usefulness of Karma. C.I.O. then created Karma 2, which relied on a different exploit.
In the summer of 2017, the F.B.I. informed Apple that its devices were vulnerable to the exploit used by Karma 2. Later in 2017, Apple patched some of the security vulnerabilities, limiting Karma 2’s functionality. However, both Karma and Karma 2 remained effective against Apple devices still running older versions of the operating system.
Note: Zero-click remote exploits are prized as surveillance tools by government, corporate, and criminal actors because they compromise a device with no interaction from its user and leave virtually no visible trace. Designed to target Apple iPhones, the two iOS exploits were reportedly used by U.A.E. officials to spy on dissidents, journalists, the Emir of Qatar, government opposition leaders, and hundreds of other targets in Europe and the Middle East. Project Raven operatives could view passwords, emails, text messages, photos, and location data from the compromised iPhones. The discovery of a similar advanced zero-click attack, from Israel’s NSO Group’s Pegasus spyware, on a Saudi activist’s iPhone prompted Apple just last Monday to issue an emergency software update for its products worldwide.
The D.P.A. addressed two distinct types of criminal activity:
1- the provision of unlicensed export-controlled defense services in support of computer network exploitation, and
2- a commercial company creating, supporting, and operating systems specifically designed to allow others to access data without authorization from computers worldwide, including in the United States
Together, this conduct violated U.S. export control law and the Computer Fraud and Abuse Act.
Under the terms of the D.P.A., Baier, Adams, and Gericke agreed to pay $750,000, $600,000, and $335,000, respectively.
In addition to the financial penalties, as part of the D.P.A., the defendants agreed to:
- full cooperation with the relevant Justice Department and F.B.I. components;
- the immediate relinquishment of any foreign or U.S. security clearances;
- a lifetime ban on future U.S. security clearances;
- certain future employment restrictions, including a prohibition on employment that involves computer network exploitation (C.N.E.) activity, exporting defense articles, or providing defense services under the ITAR (e.g., C.N.E. techniques); and
- restrictions on employment with certain U.A.E. organizations.
In return, U.S. prosecutors agreed to drop all charges after a three-year period, provided the defendants comply with the terms of the agreement.
It is unclear why the D.O.J. would agree to potentially dismiss charges against the three men, as this sounds like a bona fide egregious violation of the ITAR. Being the first of its kind, this resolution can be read as a warning to others, who could now be fully prosecuted for similar conduct.
“The FBI will fully investigate individuals and companies that profit from illegal criminal cyber activity,” said Assistant Director Bryan Vorndran of the FBI’s Cyber Division. “This is a clear message to anybody, including former U.S. government employees, who had considered using cyberspace to leverage export-controlled information for the benefit of a foreign government or a foreign commercial company – there is risk, and there will be consequences.”