The U.S. Department of Justice (DoJ) on Tuesday disclosed it fined three intelligence community and military personnel $1.68 million in penalties for their role as cyber-mercenaries working on behalf of a U.A.E.-based cybersecurity company.
The trio in question — Marc Baier, 49, Ryan Adams, 34, and Daniel Gericke, 40 — are accused of "knowingly and willfully combin[ing], conspir[ing], confederat[ing], and agree[ing] with each other to commit offenses," namely furnishing defense services to persons and entities in the country over a three-year period beginning around December 2015 and continuing through November 2019, including developing invasive spyware capable of breaking into mobile devices without any action by the targets.
"The defendants worked as senior managers at a United Arab Emirates (U.A.E.)-based company (U.A.E. CO) that supported and carried out computer network exploitation (CNE) operations (i.e., 'hacking') for the benefit of the U.A.E. government," the DoJ said in a statement.
"Despite being informed on several occasions that their work for [the] U.A.E. CO, under the International Traffic in Arms Regulations (ITAR), constituted a 'defense service' requiring a license from the State Department's Directorate of Defense Trade Controls (DDTC), the defendants proceeded to provide such services without a license."
Besides being charged with violating U.S. export control, computer fraud and access device fraud laws, the hackers-for-hire are alleged to have supervised the creation of sophisticated 'zero-click' exploits that were subsequently weaponized to illegally amass credentials for online accounts issued by U.S. companies and to obtain unauthorized access to mobile phones around the world.
The development follows a prior investigation by Reuters in 2019, which revealed how former U.S. National Security Agency (NSA) operatives helped the U.A.E. surveil prominent Arab media figures, dissidents, and several unnamed U.S. journalists as part of a clandestine operation dubbed Project Raven undertaken by a cybersecurity company named DarkMatter. The company's propensity to recruit "cyberwarriors from abroad" to research offensive security techniques first came to light in 2016.
The deep-dive report also detailed a zero-click exploit called Karma that made it possible to remotely hack into iPhones of activists, diplomats and rival foreign leaders "simply by uploading phone numbers or email accounts into an automated targeting system." The sophisticated tool was used to retrieve photos, emails, text messages and location information from the victims' phones as well as harvest saved passwords, which could be abused to stage further intrusions.
According to unsealed court documents, Baier, Adams and Gericke designed, implemented, and used Karma for foreign intelligence gathering purposes starting in May 2016 after obtaining an exploit from an unnamed U.S. company that granted zero-click remote access to Apple devices. But after the underlying security weakness was plugged in September, the defendants allegedly contacted another U.S. firm to acquire a second exploit that utilized a different vulnerability in iOS, ultimately using it to rearchitect and modify the Karma exploitation toolkit.
The charges also arrive a day after Apple divulged that it acted to close a zero-day vulnerability (CVE-2021-30860) exploited by NSO Group's Pegasus spyware to target activists in Bahrain and Saudi Arabia.
"The FBI will fully investigate individuals and companies that profit from illegal criminal cyber activity," said Assistant Director Bryan Vorndran of the FBI's Cyber Division. "This is a clear message to anybody, including former U.S. government employees, who had considered using cyberspace to leverage export-controlled information for the benefit of a foreign government or a foreign commercial company – there is risk, and there will be consequences."
Update: A new report from MIT Technology Review has now revealed that the vulnerability that the KARMA platform leveraged to take full control of a target's iPhone was in Apple's iMessage app and that the exploit was developed and sold by an American company named Accuvant, which has since merged with Optiv.
"Accuvant sold hacking exploits to multiple customers in both governments and the private sector, including the United States and its allies — and this exact iMessage exploit was also sold simultaneously to multiple other customers," the report said.
In a separate development, VPN provider ExpressVPN said it was aware of Daniel Gericke's previous employment before hiring him. Gericke, who is currently the Chief Information Officer at the company, is one of the three individuals implicated for their unlicensed work as mercenary hackers directing U.A.E.-funded intrusion campaigns.
"We've known the key facts relating to Daniel's employment history since before we hired him, as he disclosed them proactively and transparently with us from the start," the company said in a statement. "In fact, it was his history and expertise that made him an invaluable hire for our mission to protect users' privacy and security."