The Department of Justice this week announced it has entered into an agreement with three former US intelligence employees, who will pay a combined $1,685,000 to resolve criminal charges for violating export control, computer fraud, and access device fraud laws while aiding hacking campaigns on behalf of the United Arab Emirates.
Defendants Marc Baier, Ryan Adams, and Daniel Gericke are all former operatives of the US intelligence community or US military. Through a deferred prosecution agreement (DPA), which also restricts their future activities and employment, the three defendants avoid prosecution.
According to court documents cited in the DoJ's release, Baier, Adams, and Gericke worked as senior managers for a UAE firm that "supported and carried out computer network exploitation (CNE) operations" for the UAE government between 2016 and 2019. A Reuters report from 2019 states they were part of a unit called Project Raven, which conducted spying campaigns on behalf of the UAE and broke into the accounts of foreign government officials, activists, and reporters.
When the three operatives left US government employment, they worked for a US company the DoJ identifies as "US Company One." The firm provided cyber services to a UAE government agency and, according to the DoJ, was compliant with International Traffic in Arms Regulations (ITAR) pursuant to a Technical Assistance Agreement (TAA) issued by the State Department's Directorate of Defense Trade Controls (DDTC).
The TAA — signed by US Company One, the UAE government, and its relevant intelligence agency — required all participants to follow US export control laws and obtain preapproval from a US government agency before releasing information about "cryptographic analysis and/or computer network exploitation or attack." It also prohibited targeting US citizens, permanent residents, companies, and entities. Defendants received ITAR and TAA training as employees.
In January 2016, the three were offered higher compensation and more budget to join another organization that the DoJ identifies as UAE CO but which is believed to be DarkMatter, a UAE cybersecurity firm that reportedly did computer network exploitation for the UAE government. There, they became senior managers of a team known as Cyber Intelligence-Operations (CIO).
Before they left, US Company One "repeatedly informed" its employees that the services they were providing the UAE government were considered "defense services" under ITAR, and US citizens couldn't legally provide the same services to UAE CO without getting a separate TAA.
But after joining UAE CO, the defendants continued to seek access to US Company One's ITAR-controlled data, including by soliciting it from the company's employees, in violation of the TAA and ITAR.
From January 2016 through November 2019, the defendants, along with UAE CO employees, expanded the scope and sophistication of the network exploitation operations that CIO provided for the UAE government. Over an 18-month period, for example, employees built two similar "zero-click" hacking and data collection tools, meaning tools that compromised a device without any action by its user, and these relied on US-based servers belonging to a US tech firm.
These systems, known as "KARMA" and "KARMA 2," were used to gain remote, unauthorized access to smartphones and other mobile devices running the US tech firm's operating system. CIO employees, whose activities were supervised by or known to the defendants, the DoJ notes, used the KARMA systems to obtain targets' credentials and other authentication tokens issued by US companies such as email providers, cloud storage providers, and social media companies.
"U.A.E. CO employees whose activities were supervised by and known to the defendants thereafter leveraged zero-click exploits to illegally obtain and use access credentials for online accounts issued by U.S. companies, and to obtain unauthorized access to computers, like mobile phones, around the world, including in the United States," officials write in a statement.
While the DoJ does not specify the technical details of KARMA or KARMA 2, or name the US company whose operating system they targeted, earlier Reuters reporting indicates the tool was used to compromise iPhones without their owners' knowledge.
The US tech firm updated its operating system for its smartphones and other mobile devices in September 2016, reducing the effectiveness of KARMA. CIO then built KARMA 2, which relied on a different exploit. After the FBI informed the company of KARMA 2, it again updated its OS in August 2017. Although both updates reduced the tools' effectiveness, KARMA and KARMA 2 remained effective against devices still running older versions of the OS, a reminder that an upstream fix protects only the devices that actually receive it.
International Insider Threat
Early on in their employment with UAE CO, the three defendants caused employees with US Company One to provide them with TAA-restricted information, in violation of their agreement and without the needed preapproval from the US government. Over multiple years, they used "illicit, fraudulent, and criminal means" to gain unauthorized access to computers in the US and steal information, documents, records, personal data, credentials, and authentication tokens.
This is a case of insider threat with far-reaching and severe implications. CISOs and security leaders would do well to consider it when offboarding individuals who have had access to valuable and potentially dangerous tooling, experts say. Do you know what departing or former employees are sharing, and with whom? Are your employees trained in ITAR and TAA obligations, where those apply to them?
The agreement reached this week is a warning to those who might consider violating these regulations and pursuing criminal activity: it can come at a high cost. This is "the first-of-its-kind" resolution of an investigation into two distinct types of crime, providing unlicensed, export-controlled defense services in support of computer network exploitation, and a commercial company creating systems designed to let others gain unauthorized access to data on computers around the world, Mark Lesko, acting assistant attorney general for the DoJ, said in a statement.
Under the terms of the agreement, Baier, Adams, and Gericke agreed to pay $750,000, $600,000, and $335,000, respectively, over a three-year term. They have also agreed to cooperate with the FBI and other US government agencies as requested.
All three relinquish any US or foreign security clearances and face a lifetime ban on future US security clearances. They also face employment restrictions, including a ban on any work that involves computer network exploitation, exporting defense articles, or providing defense services.
"This is a clear message to anybody, including former U.S. government employees, who had considered using cyberspace to leverage export-controlled information for the benefit of a foreign government or a foreign commercial company — there is risk, and there will be consequences," said assistant director Bryan Vorndran of the FBI's Cyber Division.