State Department reaches settlements with ex-US intel operatives who worked for UAE
The US State Department on Friday said it had concluded settlements with three former US intelligence operatives who worked as cyber spies for the United Arab Emirates and admitted last year to violating American hacking laws.
Under the agreements, Marc Baier, Ryan Adams and Daniel Gericke will be prohibited from participating in any activities subject to US International Traffic in Arms Regulations for three years, the department said in a statement.
In September 2021, the men admitted to violations of US export control, computer fraud and access device fraud laws. However, rather than facing jail time, the individuals were fined a total of $1.7m in addition to their three-year ban.
According to the Justice Department, they had originally worked for a US company providing cyber intelligence operations for the UAE government that met US regulations.
The men then moved in 2016 to higher-paying jobs at a UAE government-linked company, where they began carrying out hacking jobs on designated targets, including servers inside the US.
According to court documents, the company the men worked at from 2016 to 2019 "supported and carried out computer network exploitation (CNE) operations", also known as hacking operations, for the UAE government.
Given that they were all former employees of the US Intelligence Community or the military, they were required to obtain a licence from the State Department to conduct any work for foreign clients, which they did not do.
"Defendants stole and fraudulently obtained, used, and trafficked in access devices, authentication tokens, passwords, and other means of accessing without authorization protected computers, including protected computers located in the United States," a court document from last year said.
Among the hacking services they oversaw was the creation of a sophisticated "zero-click" attack, which could hack into a device without any action by the targeted user.
"Zero-click" attacks have come under the spotlight in the past several years, most recently with the bombshell investigation that found that the Israeli spyware Pegasus had been used by foreign governments - including the UAE - to spy on journalists, activists, and political dissidents.
Project Raven and Karma
The State Department said the settlement highlighted how important it is to control the export of its defence services to other countries or foreign entities.
"The Department takes seriously all violations of the Arms Export Control Act and the International Traffic in Arms Regulations, because such violations may harm the national security and foreign policy interests of the United States," a State Department official told Middle East Eye.
Baier, Adams and Gericke were part of a clandestine unit named Project Raven, first reported by Reuters, which hacked into the accounts of human rights activists, journalists and rival governments at the behest of the UAE’s monarchy.
They admitted to deploying a sophisticated cyberweapon called “Karma” that allowed the UAE to hack into Apple iPhones without requiring a target to click on malicious links, according to court papers.
Karma allowed users to access tens of millions of devices and qualified as an intelligence gathering system under federal export control rules.
Project Raven used Karma to hack into thousands of targets including a Nobel Prize-winning Yemeni human rights activist and a BBC television show host, Reuters reported.