Former US intelligence officials admit to hacking for UAE at hearing in Virginia
Marc Baier, 49, Ryan Adams, 34, and Daniel Gericke, 40, agreed to pay a cumulative $1.7m in penalties, the amount they earned while working for the UAE, to resolve charges of violating US export controls, computer fraud and illegal use of other people's computer access.
The federal district court in Alexandria, Virginia agreed to defer prosecution for three years in the complex case, which highlighted the global market of governments seeking highly trained computer security experts to spy on perceived enemies and threats.
Baier, Adams and Gericke were part of a clandestine unit named Project Raven, first reported by Reuters, which hacked into the accounts of human rights activists, journalists and rival governments at the behest of the UAE’s monarchy.
The three defendants had previously worked in the US intelligence community, including the National Security Agency and in the military.
According to the justice department, they had originally worked for a US company providing cyber intelligence operations for the UAE government that met US regulations.
The men then moved in 2016 to higher-paying jobs at a UAE government-linked company, identified in media reports as DarkMatter, where they began carrying out hacking jobs on designated targets, including servers inside the US.
Media reports said the targets were both inside and outside the country, and the operation's methods consisted largely of uploading malware and exploiting software and hardware vulnerabilities to break into and gain control of servers, phones and other digital equipment.
The former programme operatives said they believed they were following the law because superiors promised them the US government had approved the work.
Baier, Adams and Gericke admitted to deploying a sophisticated cyberweapon called “Karma” that allowed the UAE to hack into Apple iPhones without requiring a target to click on malicious links, according to court papers.
Karma allowed users to access tens of millions of devices and qualified as an intelligence gathering system under federal export control rules.
But the operatives did not obtain the required US government permission to sell the tool to the UAE, authorities said.
Project Raven used Karma to hack into thousands of targets including a Nobel Prize-winning Yemeni human rights activist and a BBC television show host, Reuters reported.
Lori Stroud, a former US National Security Agency analyst who worked on Project Raven and then acted as a whistleblower, said she was pleased to see the charges.
“The most significant catalyst to bringing this issue to light was investigative journalism - the timely, technical information reported created the awareness and momentum to ensure justice,” she said.
A Reuters investigation found that Project Raven spied on numerous human rights activists, some of whom were later tortured by UAE security forces.
Aside from paying fines, the three men were stripped of US security clearances, banned from the US intelligence community and forbidden from hacking, AFP reported.
The US Federal Bureau of Investigation (FBI) "will fully investigate individuals and companies that profit from illegal criminal cyber activity," said FBI Assistant Director Bryan Vorndran in a statement.