Former US Intelligence Officers Spied on US for UAE
DOJ Levies $1.68 Million to Settle Federal Charges on Defendants
Three former U.S. Intelligence Community and military personnel have agreed to pay more than $1.68 million to settle federal charges for providing hacking-related services to the United Arab Emirates, according to the U.S. Department of Justice.
U.S. citizens Marc Baier, 49, and Ryan Adams, 34, along with former citizen Daniel Gericke, 40, who were all employees of the USIC or the U.S. military, provided services, including a sophisticated zero-click exploit, to the UAE, violating U.S. export control, computer fraud and abuse laws, according to the DOJ.
The DOJ report says the men entered into a deferred prosecution agreement, or DPA, that restricts their future activities and employment. It also requires them to pay a fine of $1,685,000 to resolve a Department of Justice probe regarding the violations.
The DOJ says it filed the DPA on Wednesday, along with criminal information alleging that the defendants conspired to violate such laws.
The unit includes "more than a dozen former U.S. intelligence operatives recruited to help the UAE engage in surveillance of other governments, militants and human rights activists critical of the monarchy," Reuters says.
Project Raven staff were reported to have utilized an espionage platform known as Karma to hack into the iPhones of hundreds of activists, political leaders and suspected terrorists.
In May 2019, a measure was introduced to make sure that Congress was informed whenever U.S. companies sold offensive cyber technologies and services to other nations' governments.
The measure came after a U.S. firm sold the UAE technologies that were used to target activists and journalists (see: Bill Would Help Congress Track Offensive 'Cyber Tool' Sales).
There's no question that a line was crossed legally with Project Raven, Jake Williams, a former member of the National Security Agency's elite hacking team, tells Information Security Media Group.
"The second U.S. companies and U.S. persons were targeted under the program, every U.S. person involved likely knew it was only a matter of time before the other shoe dropped," Williams, who is also the CTO of cybersecurity firm BreachQuest, says.
At face value, the fines and restrictions appear to be sufficient to deter future behavior of this type, he adds.
The DOJ reports that the defendants were employed by a UAE-based company conducting computer network exploitation, or CNE, operations for the UAE government between 2016 and 2019.
Even though they were told on several occasions that their work would require a license from the State Department’s Directorate of Defense Trade Controls under International Traffic in Arms Regulations, the defendants continued their activities without a license, according to the DOJ.
The services included "support, direction and supervision in the creation of sophisticated 'zero-click' computer hacking and intelligence gathering systems," the document says.
The defendants supervised staff at the UAE company who they knew were using these zero-click exploits to illegally access credentials for online accounts issued by U.S. companies, as well as computers and mobile phones around the world, the DOJ says.
“Hackers-for-hire and those who otherwise support such activities in violation of U.S. law should fully expect to be prosecuted for their criminal conduct,” says acting Assistant Attorney General Mark J. Lesko of the Justice Department’s National Security Division.
"This agreement is the first-of-its-kind resolution of an investigation into two distinct types of criminal activity," says Lesko, who says the defendants provided unlicensed export-controlled defense services for hacking, while the commercial company created, supported and operated systems designed to enable unauthorized access to computers worldwide, including in the U.S.
The DOJ document says that the accused intelligence officers joined and became senior managers in the cyber intelligence operations of a UAE company in January 2016 for a higher pay package.
"Baier, Adams and Gericke worked for a U.S. company, called U.S. Company One, that provided cyber services to a UAE government agency in compliance with the ITAR pursuant to a DDTC-issued Technical Assistance Agreement signed by U.S. Company One, the UAE government, and its relevant intelligence agency," the report says.
U.S. Company One’s TAA, it says, required the parties to abide by U.S. export control laws, obtain preapproval from a U.S. government agency prior to releasing information regarding "cryptographic analysis and/or computer network exploitation or attack," and not "target or exploit U.S. persons…" The DOJ report also notes: "While employed by U.S. Company One, the defendants received periodic ITAR and TAA training."
Prior to their departure, however, the U.S. company warned its employees, including the defendants, that the services they were providing constituted "defense services" under the ITAR, and that U.S. persons could not lawfully provide such services to a foreign company without obtaining a separate TAA, the DOJ notes.
But upon joining the firm, the defendants sought continued access to U.S. Company One’s ITAR-controlled information, including from U.S. Company One employees, in violation of the TAA and the ITAR, it adds.