The Justice Department announced controversial arrangements with three ex-intelligence operatives from the US that allow them to pay a fine for breaking multiple laws through their hacking activities on behalf of the oppressive government of the United Arab Emirates.
According to the DOJ, Marc Baier, Ryan Adams, and Daniel Gericke, all aged 49, have entered into a “deferred prosecution agreement” which allows them to avoid prison sentences and pay $1,685,000 to resolve a Department of Justice investigation into violations of US export control laws, computer fraud, and access device fraud laws.
Project Raven was an attempt by the UAE to spy upon human rights activists, politicians, and dissidents opposing the government. They even hacked into US companies and created two exploits that could be used to break into phones.
After team members raised concerns over the type of hacking that UAE officials were requesting, Reuters and The Intercept did an in-depth investigation of Project Raven’s work and DarkMatter, a UAE cybersecurity company.
According to the allegations in the court filings, the DOJ stated that Baier, Adams, and Gericke, all ex-NSA employees or military personnel, reached an agreement to pay the fines on September 7.
Baier will have to pay $750,000; Adams will have to pay $600,000. Gericke will be required to pay $335,000 over three years. All three will be required to cooperate with the FBI and DOJ in other investigations and surrender any US security clearances.
They will also be permanently barred from future US security clearances.
According to the DOJ, the three men were senior managers in a UAE company between 2016 and 2019. They continued to hack for the UAE even though they were told that they were not following rules that required them to have a license from the State Department’s Directorate of Defense Trade Controls.
The Justice Department said in a statement that these services included support, direction, and supervision for the creation of sophisticated “zero-click” computer hacking and intelligence-gathering systems, which could compromise a target device without requiring any action from the target.
“UAE CO employees, whose activities were monitored by and known to defendants, then leveraged these zero-click exploits to illegally get and use access credentials to online accounts issued by US companies and to gain unauthorized access to computers, such as mobile phones, all over the globe, including the United States.”
Acting Assistant Attorney General Mark Lesko from the Justice Department’s National Security Division stated that the agreement was a “first of its kind resolution” to an investigation into two distinct types of criminal activity: providing unlicensed export-controlled defense services in support of computer network exploitation, and a commercial company creating, supporting, and operating systems specifically designed to give others access to data without authorization from computers around the world, including in the United States.
Lesko stated that “Hackers for hire and others who support such activities in contravention of US law should expect to be charged for their criminal conduct.”
Channing Phillips, Acting US Attorney, noted that offensive cyber capabilities could cause privacy and security breaches around the world if left unregulated.
Phillips said that the US government wanted to make sure that US citizens only provided defense services to “support such capabilities pursuant to proper licenses, and oversight.” Phillips said that the agreement reached with the hackers was proof that someone’s status as a former US government employee does not give them a free pass in this regard, although the three have not been sentenced to prison.
Other officials from the government reiterated this message and warned other ex-US government hackers not to use their skills for foreign governments.
They ignored US government orders that they comply with US export control laws and obtain preapproval by a US government agency before releasing information about “cryptographic analysis/or computer network exploit or attack” and not “target or abuse US citizens, residents, and companies.”
The DOJ stated that the three developed two similar “zero-click” computer hacking and intelligence-gathering systems over 18 months. These systems leveraged servers owned by a US technology company to gain remote, unauthorized access to any of the tens of millions of smartphones and other mobile devices that use a US company’s operating system.
The DOJ stated that defendants and CIO employees referred to these systems as “KARMA” and “KARMA 2”.
CIO employees whose activities had been supervised by or were known to the defendants used the KARMA systems without authorization to obtain login credentials and other authentication tokens (i.e., unique digital codes issued only to authorized users) from US companies, including email providers, cloud storage providers, and social media companies. CIO employees then used these access devices to log in to the targets’ accounts and retrieve data, including from servers within the United States, again without authorization.
After the US company updated its smartphone operating system to block Karma 1, the defendants’ company created Karma 2. In 2017, the FBI intervened again and informed the US company about Karma 2. Both exploits continued to work against older devices, even after a second update.
Chris Bing, a Reuters reporter, noted via Twitter that Gericke was previously the CIO at ExpressVPN (the largest VPN on the market).
Bugcrowd’s CTO, Casey Ellis, stated that he thought $1.68 million was sufficient to punish those involved and deter others from doing the same.
Ellis stated: “However, the fact it was settled means that we can only speculate about the equities that have been weighed up there. As offensive cyber capabilities become more valuable and more widely used, and as international relations shift, I expect to see more of these oddball outcomes in the future.”
BreachQuest’s CTO Jake Williams stated that Project Raven had crossed a legal line. However, it is not clear whether the US individuals involved knew that the project could be used to target US organizations and persons.
“Given the original mission was counter-terrorism, which is a mission that is loosely defined by its nature, it was obvious that this would be the outcome,” Williams stated. “The second a US company and US individuals were targeted by the program, everyone involved probably knew it was only a matter of time before some legal action was taken.”
“It’s difficult to determine whether the restrictions and fines were appropriate without understanding the whole situation. They seem to be sufficient to deter similar behavior in the future, which is really their goal. The US government wanted to avoid any trial. This would have undoubtedly required the use of the State Secrets Protection Act, something which is never popular with the public.”