Ex-US intel, military trio were cyber-mercenaries for UAE, say prosecutors
Three men charged with breaking export, security laws, agree to deal after infiltrating smartphones with zero-click exploits
Three former US intelligence and military operatives broke America's weapons export and computer security laws by, among other things, helping the United Arab Emirates hijack and siphon data from people's iPhones, it emerged on Tuesday.
US citizens Marc Baier, 49, and Ryan Adams, 34, and ex-citizen Daniel Gericke, 40, were charged [PDF] with using "illicit, fraudulent, and criminal means, including the use of advanced covert hacking systems that utilized computer exploits obtained from the United States and elsewhere, to gain unauthorized access to protected computers in the United States and elsewhere and to illicitly obtain information ... from victims from around the world."
They also, according to the rap sheet, obtained and used people's passwords and authentication tokens to break into accounts and systems in the US and beyond. And they did all that "while evading the export control supervision of the United States government."
The three men also this week agreed to a first-of-its-kind deal [PDF] with Uncle Sam in which their prosecution will be dropped if they cough up $1,685,000 between them; cooperate fully with the Feds; give up all foreign and US security clearances, and never seek the latter again; and accept restrictions on future employment. Bear in mind, they were being paid six-figures salaries, at least, so it's not a total end of their world.
- Mozilla boots alleged snoop troupe from its root cert coop: UAE-based DarkMatter thrown onto CA blocklist
- Inside the Middle East snooping machine
In addition, the trio did not dispute the allegations against them. And so, according to the prosecution, here's a summary of what happened:
Baier, Adams, and Gericke left America's intelligence world and military to join a US-based cybersecurity company offering services to the United Arab Emirates government. This work was seemingly carried out in compliance with Uncle Sam's export controls and rules on not targeting US persons.
After being offered a load of extra cash and a larger budget, the three jumped ship to a UAE-based business that also worked for the Middle East nation's government, and there, as senior managers, they continued their vulnerability exploitation efforts albeit without the necessary paperwork from the US government for providing defense services.
In fact, it's said they spent as much as millions of dollars buying exploits for security holes in computer systems, such as smartphones, from companies in the US, and around the world, between 2015 and 2019 to facilitate their surveillance services without the required licenses from Uncle Sam.
While at the UAE business, between early 2016 and 2019, the trio supported and supervised their colleagues in deploying zero-click exploits that could be used to remotely compromise "any of the tens of millions of smartphones and mobile devices" running a certain tech giant's operating system. The idea being, you send a message to a victim's device, and the handheld is immediately and automatically commandeered, allowing you to siphon off files and gather login credentials for online accounts to ransack. It's a perfect surveillance tool.
This technology was dubbed Karma, and when the vulnerability it exploited was patched in late 2016, a second system called Karma2 was created targeting another hole, until that too was patched in 2017 following an FBI tip-off.
Upset the Apple cart
The prosecutors didn't name the tech giant nor the operating system, but we know it to be Apple and iOS, thanks to an investigation by Reuters in 2019. Karma and its successor were developed by a team called Project Raven, of which Baier, Adams, and Gericke were members. The project had in fact recruited more than a dozen former US intelligence operatives, convincing at least some of them it was all above board with Uncle Sam. Karma reportedly involved booby-trapped iMessages.
In effect, Project Raven was instructed by the UAE’s monarchy to, among other things, infiltrate the devices of hundreds of human-rights activists, journalists, and political figures, and root through their conversations, pictures, emails, documents, and online lives. Some of the activists were tortured by UAE agents.
People in the Middle East and Europe were hit, it is said. When Americans were targeted, some in Project Raven felt that crossed a line. “I am working for a foreign intelligence agency who is targeting US persons,” Lori Stroud, an ex-NSA spy who worked on the project, told Reuters previously. “I am officially the bad kind of spy.”
Stroud ended up blowing the whistle and helping the Feds investigate the team. Agents had been stopping DarkMatter staff as they entered the US to ask them about Project Raven out of concern that American citizens were being spied on and that the UAE had obtained American surveillance techniques.
Prosecutors didn't name the companies involved, though it's been noted that Stroud worked with Baier, Adams, and Gericke at CyberPoint in the US and then together at DarkMatter in UAE. It is alleged DarkMatter ultimately hosted Project Raven at the behest of Emirati intelligence officers.
Speaking of the deal struck with prosecutors, acting Assistant Attorney General Mark J. Lesko said:
This agreement is the first-of-its-kind resolution of an investigation into two distinct types of criminal activity: providing unlicensed export-controlled defense services in support of computer network exploitation, and a commercial company creating, supporting and operating systems specifically designed to allow others to access data without authorization from computers worldwide, including in the United States.
“Hackers-for-hire and those who otherwise support such activities in violation of US law should fully expect to be prosecuted for their criminal conduct,” he added.
The FBI was more blunt. “This is a clear message to anybody, including former US government employees, who had considered using cyberspace to leverage export-controlled information for the benefit of a foreign government or a foreign commercial company – there is risk, and there will be consequences,” said Assistant Director Bryan Vorndran of the FBI’s Cyber Division.
Incidentally, Gericke used to be CIO of ExpressVPN. ®