The Washington Post

Three ex-U.S. intelligence operatives admit to working as hackers for UAE

Men to pay $1.7 million in deal with DOJ over development of spyware

By Spencer S. Hsu, spencer.hsu@washpost.com. John Hudson contributed to this report.

Three former U.S. intelligence operatives have admitted to working illegally as mercenary hackers for the United Arab Emirates in operations that included developing sophisticated spyware capable of tapping into mobile devices without any action by their users, the Justice Department announced Tuesday.

The men — charged with conspiring to violate U.S. military export control and computer fraud law — were allegedly part of a clandestine effort that helped the UAE spy on targets around the world, using servers and computers and evading detection by providers of compromised devices, including in the United States.

Such “zero-click remote exploits” are considered a Holy Grail for surveillance by government, corporate and criminal entities because they grant access to devices virtually invisibly. The discovery of a similar advanced hack on a Saudi activist’s iPhone prompted Apple on Monday to issue an emergency software update for its products worldwide.

Marc Baier, 49, Ryan Adams, 34, and Daniel Gericke, 40, entered a deferred prosecution agreement with the federal government in which they admitted their conduct and agreed to give up $1.7 million and U.S. security clearances, restrict their future employment and “cooperate fully” with investigators.

In return, U.S. prosecutors agreed to drop all charges after a three-year period, according to a 48-page agreement signed by the men on Sept. 7.

Court filings did not explicitly say why the government offered the concession. But U.S. officials alluded to the legal novelty of the case, in which the men were allegedly part of Project Raven. First disclosed by Reuters in 2019, the secret project helped the wealthy Persian Gulf nation spy on targets including journalists, foreign leaders, dissidents and even U.S. citizens.

The news service reported that the State Department in 2014 was aware that contractors were helping the emirates launch cyber-surveillance operations through an American company licensed to access military technical data and services.

“This agreement is the first-of-its-kind resolution of an investigation into two distinct types of criminal activity: providing unlicensed export-controlled defense services in support of computer network exploitation, and a commercial company creating, supporting and operating systems specifically designed to allow others to access data without authorization from computers worldwide, including in the United States,” said Mark J. Lesko, acting assistant U.S. attorney general for the national security division.

“Hackers-for-hire and those who otherwise support such activities in violation of U.S. law should fully expect to be prosecuted for their criminal conduct,” Lesko said in a Justice Department statement.

While Apple disclosed Monday that it acted to close a vulnerability exploited by invasive spyware from Israel’s NSO Group, the Justice Department’s legal action Tuesday spotlighted earlier activity of DarkMatter, an NSO competitor working for another key U.S. Middle East ally in the UAE.

Reuters previously reported that Baier was a program manager for Project Raven, adding Tuesday that Adams and Gericke were operators within the effort.

Reuters reported that Raven started with a Maryland company that had a State Department export license, but in 2015, the U.S. said in court filings, the Emirates government transferred the work to a UAE-based company, DarkMatter, with some American employees making the switch.

According to the Justice Department, the Maryland company was required under its State Department agreement to obtain approval before releasing information regarding “cryptographic analysis and/or computer network exploitation or attack,” and was barred from targeting U.S. people, companies or entities in the United States.

The Maryland company warned employees leaving for the UAE company that they could not continue their work without obtaining a new State Department approval.

However, in court papers, the defendants acknowledged they ignored warnings. Between January 2016 and November 2019, the defendants and other employees expanded the breadth and sophistication of hacking operations, the government said, including by acquiring a powerful tool named Karma — which Reuters reported was used to remotely break into iPhones.

In charging papers, the Justice Department confirmed that the UAE employees created two similar “zero-click” intelligence-gathering systems — which they called Karma and Karma 2. The systems leveraged servers in the United States belonging to a “U.S. Company Two,” apparently Apple, to obtain remote unauthorized access to any of tens of millions of smartphones and mobile devices using the company’s operating system, including in the United States.

The company updated its operating system in September 2016, undercutting Karma, prosecutors said. In summer 2017, the FBI informed the company that its devices were vulnerable to Karma 2, leading to another operating system update that August, the Justice Department said.

In a statement to Reuters, Lori Stroud, a former NSA analyst who worked on Project Raven and then acted as a whistleblower, commended the FBI’s “dedication to justice” and the news service for its investigative journalism, saying, “the timely, technical information reported created the awareness and momentum to ensure justice.”

Attorneys for the three defendants did not immediately respond to an emailed request for comment.

Spokesmen for the State Department and the National Security Agency declined to comment.

Asked why it agreed to potentially dismiss charges against the men, a Justice Department official said the case is the first of its kind and is intended to serve as a warning to others who could now be fully prosecuted for similar conduct. The official, who spoke on the condition of anonymity because the person was not authorized to speak publicly, said the financial penalties and lifelong employment limitations are significant, as reflected by the criminal resolution for activity not backed by the U.S. government.

In a statement, FBI Washington Field Office head Steven M. D’Antuono said the defendants were informed on several occasions that their work constituted a “defense service” requiring a military export license from the State Department’s Directorate of Defense Trade Controls.

“These individuals chose to ignore warnings and to leverage their years of experience to support and enhance a foreign government’s offensive cyberoperations,” D’Antuono said.

Former U.S. government employees do not enjoy a “free pass” to provide defense services without licenses and oversight, said acting U.S. attorney Channing D. Phillips of Washington.
