Three former U.S. intelligence operatives, who went to work as mercenary hackers for the United Arab Emirates (UAE), entered into a deferred prosecution agreement (DPA) with the Department of Justice that will enable them to escape prosecution for conspiring to violate hacking laws on behalf of a foreign government known for persecuting peaceful critics.
Two U.S. citizens, Marc Baier, 49, and Ryan Adams, 34, and one former U.S. citizen, Daniel Gericke, 40, all former employees of the U.S. Intelligence Community (USIC) or the American military were among more than a dozen former U.S. intelligence operatives recruited to help the United Arab Emirates engage in surveillance of other governments, militants and human rights activists critical of the monarchy.
The UAE is a federation of seven semiautonomous kingdoms with a resident population of approximately 9.4 million, of whom only about 11 percent are citizens. The UAE is extremely repressive for human rights advocates and criticism of the authorities is regularly met with imprisonment and torture.
Human Rights Watch and the Gulf Center for Human Rights said that UAE authorities have a deplorable human rights record, silencing opposition, subjecting critics to torture and using advanced technology to monitor private behavior.
Under a DPA, the government will bring charges against a defendant but agrees not to move forward on those charges. In exchange, the defendant agrees to abide by certain requirements or conditions.
For Baier, Adams, and Gericke, it is like a ‘get out of jail free’ card that restricts their future activities and employment and requires the payment of $1,685,000 in penalties to resolve violations of U.S. export control, computer fraud and access device fraud laws.
UAE has emerged as one of the world’s leading superpowers in mobile hacking as a result of help from Americans.
According to court documents, the defendants worked as senior managers at a United Arab Emirates (U.A.E.)-based company (U.A.E. CO) that supported and carried out computer network exploitation (CNE) operations (i.e., “hacking”) for the benefit of the U.A.E government between 2016 and 2019.
Despite being informed on several occasions that their work for U.A.E. CO, under the International Traffic in Arms Regulations (ITAR), constituted a “defense service” requiring a license from the State Department’s Directorate of Defense Trade Controls (DDTC), the defendants proceeded to provide such services without a license.
These services included the provision of support, direction and supervision in the creation of sophisticated “zero-click” computer hacking and intelligence gathering systems – i.e., one that could compromise a device without any action by the target.
U.A.E. CO employees whose activities were supervised by and known to the defendants thereafter leveraged these zero-click exploits to illegally obtain and use access credentials for online accounts issued by U.S. companies, and to obtain unauthorized access to computers, like mobile phones, around the world, including in the United States.
“This agreement is the first-of-its-kind resolution of an investigation into two distinct types of criminal activity: providing unlicensed export-controlled defense services in support of computer network exploitation, and a commercial company creating, supporting and operating systems specifically designed to allow others to access data without authorization from computers worldwide, including in the United States,” said Acting Assistant Attorney General Mark J. Lesko for the Justice Department’s National Security Division. “Hackers-for-hire and those who otherwise support such activities in violation of U.S. law should fully expect to be prosecuted for their criminal conduct.”
“Left unregulated, the proliferation of offensive cyber capabilities undermines privacy and security worldwide. Under our International Traffic in Arms Regulations, the United States will ensure that U.S. persons only provide defense services in support of such capabilities pursuant to proper licenses and oversight,” said Acting U.S. Attorney Channing D. Phillips of the District of Columbia. “A U.S. person’s status as a former U.S. government employee certainly does not provide them with a free pass in that regard.”
“The FBI will fully investigate individuals and companies that profit from illegal criminal cyber activity,” said Assistant Director Bryan Vorndran of the FBI’s Cyber Division. “This is a clear message to anybody, including former U.S. government employees, who had considered using cyberspace to leverage export-controlled information for the benefit of a foreign government or a foreign commercial company – there is risk, and there will be consequences.”
“Today’s announcement shines a light on the unlawful activity of three former members of the U.S. Intelligence Community and military,” said Assistant Director in Charge Steven M. D’Antuono of the FBI’s Washington Field Office. “These individuals chose to ignore warnings and to leverage their years of experience to support and enhance a foreign government’s offensive cyber operations. These charges and the associated penalties make clear that the FBI will continue to investigate such violations.”
After leaving U.S. government employment, Baier, Adams and Gericke worked for a business described only as “U.S. Company One” that provided cyber services to a U.A.E. government agency in compliance with the ITAR pursuant to a DDTC-issued Technical Assistance Agreement (TAA) signed by the company, the U.A.E. government, and its relevant intelligence agency.
In January 2016, after receiving an offer for higher compensation and an expanded budget, the defendants joined U.A.E. CO as senior managers of a team known as Cyber Intelligence-Operations (CIO). Prior to their departure, U.S. Company One repeatedly informed its employees, including the defendants, that the services they were providing constituted “defense services” under the ITAR, and that U.S. persons could not lawfully provide such services to U.A.E. CO without obtaining a separate TAA. After joining U.A.E. CO, the defendants sought continued access to U.S. Company One’s ITAR-controlled information, including from U.S. Company One employees, in violation of the TAA and the ITAR. At that time, Baier reportedly represented CyberPoint, an intelligence contractor founded in Baltimore which did much of its business in the UAE.
Between January 2016 and November 2019, the defendants and other U.A.E. CO CIO employees expanded the breadth and increased the sophistication of the CNE operations that CIO was providing to the U.A.E. government.
For example, over an 18-month period, CIO employees, with defendants’ support, direction and supervision, created two similar “zero-click” computer hacking and intelligence gathering systems that leveraged servers in the United States belonging to a U.S. technology company (which is identified as ‘U.S. Company Two’) to obtain remote, unauthorized access to any of the tens of millions of smartphones and mobile devices utilizing a U.S. Company Two-provided operating system.
The defendants and other CIO employees colloquially referred to these two systems as “KARMA” and “KARMA 2.”
CIO employees whose activities were supervised by and/or known to the defendants used the KARMA systems to obtain, without authorization, targeted individuals’ login credentials and other unique digital codes issued to authorized users issued by U.S. companies, including email providers, cloud storage providers, and social media companies.
CIO employees then used these access devices without authorization to log into the target’s accounts to steal data, including from servers within the United States.
In 2015, control over Project Raven was transferred from CyberPoint to a local Emirati company called DarkMatter.
U.S. Company Two updated the operating system for its smartphones and other mobile devices in September 2016, undercutting the usefulness of KARMA. Accordingly, CIO created KARMA 2, which relied on a different exploit.
In the summer of 2017, the FBI informed U.S. Company Two that its devices were vulnerable to the exploit used by KARMA 2.
In August 2017, U.S. Company Two updated the operating system for its smartphones and other mobile devices, limiting KARMA 2’s functionality. However, both KARMA and KARMA 2 remained effective against U.S. Company Two devices that used older versions of its operating system.
The UAE government, armed with the tactics, tools, and talent provided to them by these three defendants and other former American intelligence operatives, military personnel and corporations that do business with US intelligence agencies, is stronger and more repressive than ever.