The U.S. Department of Justice disclosed that it fined three former US intelligence operatives $1.68 million for their role as cyber-mercenaries working on behalf of a U.A.E.-based cybersecurity company.
The DOJ said that 49-year-old Marc Baier, 34-year-old Ryan Adams and 40-year-old Daniel Gericke “entered into a deferred prosecution agreement” that allows them to avoid prison sentences in exchange for paying $1,685,000 “to resolve a Department of Justice investigation regarding violations of US export control, computer fraud and access device fraud laws.”
From 2016 to 2019, the defendants worked as senior managers at a United Arab Emirates (U.A.E.)-based company (U.A.E. CO) that supported and carried out computer network exploitation (CNE) operations (i.e., ‘hacking’) for the benefit of the U.A.E. government.
Despite being informed on several occasions that their work for the firm, under the International Traffic in Arms Regulations (ITAR), constituted a ‘defense service’ requiring a license from the State Department’s Directorate of Defense Trade Controls (DDTC), the defendants proceeded to provide such services without a license.
Baier, Adams and Gericke agreed to pay the fines and to accept other restrictions on their work.
Baier will have to pay $750,000, Adams will pay $600,000, and Gericke will pay $335,000 over a three-year term. They will also be forced to cooperate with the FBI and DOJ on other investigations and give up any foreign or US security clearances.
The defendants were charged with violations of U.S. export control, computer fraud and access device fraud laws. They are also alleged to have supervised the creation of sophisticated ‘zero-click’ exploits that were subsequently weaponized to illegally amass credentials for online accounts issued by U.S. companies, and to obtain unauthorized access to mobile phones around the world.
The three were part of Project Raven, undertaken by a cybersecurity company named DarkMatter to spy on human rights activists, politicians and dissidents opposed to the government. They even hacked into US companies, creating two exploits that were used to break into smartphones.
The zero-click exploit called Karma made it possible to remotely hack into iPhones of activists, diplomats and rival foreign leaders “simply by uploading phone numbers or email accounts into an automated targeting system.” The sophisticated tool was used to retrieve photos, emails, text messages and location information from the victims’ phones as well as harvest saved passwords, which could be abused to stage further intrusions.
According to court documents, Baier, Adams and Gericke designed, implemented, and used Karma for foreign intelligence gathering purposes starting in May 2016 after obtaining an exploit from an unnamed U.S. company that granted zero-click remote access to Apple devices.
But after the underlying security weakness was plugged in September, the defendants allegedly contacted another U.S. firm to acquire a second exploit that utilized a different vulnerability in iOS, ultimately using it to modify the Karma exploitation toolkit.
Assistant Director Bryan Vorndran of the FBI’s Cyber Division stated that the FBI will fully investigate individuals and companies that profit from illegal criminal cyber activity. This is a clear message to anybody, including former U.S. government employees, who had considered using cyberspace to leverage export-controlled information for the benefit of a foreign government or a foreign commercial company.