
The Department of Justice this week announced it entered an agreement with three
former US intelligence employees who will pay $1,685,000 to resolve criminal
charges after violating laws related to export control, computer fraud, and
access device fraud while aiding the United Arab Emirates in hacking campaigns.

Defendants Marc Baier,
Ryan Adams, and Daniel Gericke are all former operatives of the US intelligence
community or US military. Through a deferred prosecution agreement (DPA), which
also restricts their future activities and employment, the three defendants
avoid prosecution.

Court documents state that Baier, Adams, and Gericke worked as senior managers
for a UAE firm that “supported and carried out computer network exploitation
(CNE) operations” for the UAE government between 2016 and 2019, the DoJ
writes in a release. A Reuters report from 2019 states they were part of a
division called Project Raven, which conducted spying campaigns on behalf of
the UAE and broke into the accounts of other governments, activists, and
reporters.

When the three operatives
left US government employment, they worked for a US company the DoJ identifies
as “US Company One.” The firm provided cyber services to a UAE
government agency and, according to the DoJ, was compliant with International
Traffic in Arms Regulations (ITAR) pursuant to a Technical Assistance Agreement
(TAA) issued by the State Department’s Directorate of Defense Trade Controls
(DDTC).

The TAA, signed by US Company One, the UAE government, and its relevant
intelligence agency, required all participants to follow US export control
laws and obtain preapproval from a US government agency before releasing
information about “cryptographic analysis and/or computer network
exploitation or attack.” It also prohibited targeting US citizens, permanent
residents, companies, and entities. Defendants received ITAR and TAA training
as employees.

In January 2016, the three
were offered higher compensation and more budget to join another organization that
the DoJ identifies as UAE CO but which is believed to be DarkMatter, a UAE
cybersecurity firm that reportedly did computer network exploitation for the
UAE government. There, they became senior managers of a team known as Cyber
Intelligence-Operations (CIO).

Before they left, US
Company One “repeatedly informed” its employees that the services
they were providing the UAE government were considered “defense
services” under ITAR, and US citizens couldn’t legally provide the same
services to UAE CO without getting a separate TAA.

But after they left to
join UAE CO, the defendants sought continual access to US Company One’s
ITAR-controlled data, including from company employees and in violation of the
TAA and ITAR.

From January 2016 through
November 2019, the defendants, along with UAE CO employees, expanded and
evolved the sophistication of the network exploitation operations that CIO
provided for the UAE government. Over an 18-month period, for example,
employees built two similar “zero-click” hacking and data collection
tools that used US-based servers belonging to a US tech firm.

These systems, known as “KARMA” and “KARMA 2,” were used to gain
remote, unauthorized access to smartphones and mobile devices running the US
tech firm’s operating system. CIO employees, whose activities were supervised
by or known to the defendants, the DoJ notes, used the KARMA systems to obtain
targets’ credentials and other authentication tokens issued by US companies
such as email providers, cloud storage providers, and social media companies.

“U.A.E. CO employees
whose activities were supervised by and known to the defendants thereafter
leveraged zero-click exploits to illegally obtain and use access credentials
for online accounts issued by U.S. companies, and to obtain unauthorized access
to computers, like mobile phones, around the world, including in the United
States,” officials write in a statement.

While the DoJ does not specify the details of KARMA, KARMA 2, or the US company
that made the software, earlier Reuters reporting indicates the tool was used
to target iPhones without their owners’ knowledge.

The US tech firm updated
its operating system for its smartphones and other mobile devices in September
2016, lessening the usefulness of KARMA. CIO later built KARMA 2, another tool
that used a different exploit. After the FBI informed the company of KARMA 2,
it again updated its OS in August 2017. While the functionality of KARMA and
KARMA 2 was lessened after these updates, both tools were still effective
against devices running older versions of the tech company’s OS.

An International Insider Threat

Early on in their
employment with UAE CO, the three defendants caused employees with US Company
One to provide them with TAA-restricted information, in violation of their
agreement and without the needed preapproval from the US government. Over
multiple years, they used “illicit, fraudulent, and criminal means”
to gain unauthorized access to computers in the US and steal information,
documents, records, personal data, credentials, and authentication tokens.

This is a case of insider
threat with far-reaching and severe implications. CISOs and security leaders
would do well to consider this when offboarding individuals with access to
valuable and potentially dangerous tools, experts say. Are you aware of what employees are
sharing, and who they are sharing it with? Are your employees trained in ITAR
and TAA, if they need to be?

The agreement reached this
week is a warning to those who might consider violating these regulations and
pursuing criminal activity: It could come at a high cost. This is
“the first-of-its-kind” resolution of an investigation into two types
of crime: providing unlicensed, export-controlled defense services in support
of network exploitation, and a commercial company creating systems designed to
let others access data without authorizations from computers around the world,
Mark Lesko, acting assistant attorney general for the DoJ, said in a
statement.

Under the terms of the agreement, Baier, Adams, and Gericke agreed to pay
$750,000, $600,000, and $335,000, respectively, over a three-year term. They
have also agreed to cooperate with the FBI and US government organizations as
requested.

All three relinquish any
US or foreign security clearances and have a lifetime ban on future US security
clearances. They will also face employment restrictions, including a ban on
employment that involves computer network exploitation, exporting defense
articles, or providing defense services.

“This is a clear
message to anybody, including former U.S. government employees, who had
considered using cyberspace to leverage export-controlled information for the
benefit of a foreign government or a foreign commercial
company — there is risk, and there will be consequences,” said assistant
director Bryan Vorndran of the FBI’s Cyber Division.