from the oh...-and-US-people-too! dept
Three former US intelligence community employees (two who worked for the NSA) have just agreed to pay $1.68 million in fines for violating export control regulations by providing the United Arab Emirates government with powerful hacking tools that government used to target dissidents, pro-democracy activists, and other perceived enemies of the UAE.
If that seems a little light for giving authoritarian thugs better ways to locate, punish, or completely disappear residents and citizens who have angered them by asking for basic human rights, you're right: it is. But that's what the DOJ has agreed to do.
On Sept. 7, U.S. citizens, Marc Baier, 49, and Ryan Adams, 34, and a former U.S. citizen, Daniel Gericke, 40, all former employees of the U.S. Intelligence Community (USIC) or the U.S. military, entered into a deferred prosecution agreement (DPA) that restricts their future activities and employment and requires the payment of $1,685,000 in penalties to resolve a Department of Justice investigation regarding violations of U.S. export control, computer fraud and access device fraud laws. The Department filed the DPA today, along with a criminal information alleging that the defendants conspired to violate such laws.
According to court documents, the defendants worked as senior managers at a United Arab Emirates (U.A.E.)-based company (U.A.E. CO) that supported and carried out computer network exploitation (CNE) operations (i.e., “hacking”) for the benefit of the U.A.E. government between 2016 and 2019. Despite being informed on several occasions that their work for U.A.E. CO, under the International Traffic in Arms Regulations (ITAR), constituted a “defense service” requiring a license from the State Department’s Directorate of Defense Trade Controls (DDTC), the defendants proceeded to provide such services without a license.
These services included the provision of support, direction and supervision in the creation of sophisticated “zero-click” computer hacking and intelligence gathering systems – i.e., ones that could compromise a device without any action by the target. U.A.E. CO employees whose activities were supervised by and known to the defendants thereafter leveraged these zero-click exploits to illegally obtain and use access credentials for online accounts issued by U.S. companies, and to obtain unauthorized access to computers, like mobile phones, around the world, including in the United States.
There's even more detail in the indictment [PDF] filed last September, which contains a long list of charges against each of the defendants. There are also many details left hidden -- details that have been made public by previous reporting, but which the DOJ insists on pretending it can't say out loud.
Reuters published a long exposé of this trio's efforts back in 2019. It did so with the help of former NSA employee Lori Stroud, who became part of "Project Raven," a clandestine group composed of former US intelligence analysts who aided the UAE in surveilling other governments, militants, and activists opposed to the UAE's oppressive rule.
They also apparently helped the UAE spy on US citizens:
[I]n 2016, the Emiratis moved Project Raven to a UAE cybersecurity firm named DarkMatter. Before long, Stroud and other Americans involved in the effort say they saw the mission cross a red line: targeting fellow Americans for surveillance.
“I am working for a foreign intelligence agency who is targeting U.S. persons,” she told Reuters. “I am officially the bad kind of spy.”
Project Raven originated in Cyberpoint, a Maryland-based computer security company. Baier worked for Cyberpoint when he recruited Stroud. Cyberpoint has its own disturbing connections -- ones exposed by the hacking of Italian malware purveyor Hacking Team.
The document dump includes lists of client information, including an Excel file that appears to show that Cyberpoint was the partner used to sell Hacking Team spyware to the United Arab Emirates. The firm began selling to the UAE in 2011 and has earned at least $634,500 in revenue from the relationship. The UAE paid an annual maintenance fee through January of this year.
Cyberpoint’s point of contact with Hacking Team is “mbaier@cyberpointllc.com,” according to the client document.
As can be inferred from the email address, Marc Baier was instrumental in this effort, which allowed Hacking Team to elude local restrictions and UN bans on selling to blacklisted countries. By using Cyberpoint as a middleman, Hacking Team sold the UAE powerful exploits. And it appears Project Raven developed some nasty tricks of its own -- ones capable of taking over targets' phones to bcc: the UAE on all their communications.
The ex-Raven operatives described Karma as a tool that could remotely grant access to iPhones simply by uploading phone numbers or email accounts into an automated targeting system. The tool has limits — it doesn’t work on Android devices and doesn’t intercept phone calls. But it was unusually potent because, unlike many exploits, Karma did not require a target to click on a link sent to an iPhone, they said.
In 2016 and 2017, Karma was used to obtain photos, emails, text messages and location information from targets’ iPhones. The technique also helped the hackers harvest saved passwords, which could be used for other intrusions.
Despite this information being in the public domain since January 2019, the DOJ's September 14, 2021 statement tries to play it coy:
U.S. Company Two updated the operating system for its smartphones and other mobile devices in September 2016, undercutting the usefulness of KARMA. Accordingly, CIO created KARMA 2, which relied on a different exploit. In the summer of 2017, the FBI informed U.S. Company Two that its devices were vulnerable to the exploit used by KARMA 2. In August 2017, U.S. Company Two updated the operating system for its smartphones and other mobile devices, limiting KARMA 2’s functionality. However, both KARMA and KARMA 2 remained effective against U.S. Company Two devices that used older versions of its operating system.
Back to the Reuters report:
The former operatives said that by the end of 2017, security updates to Apple Inc’s iPhone software had made Karma far less effective.
And that makes the mysterious "U.S. Company One" that Baier and the other two defendants worked for Cyberpoint: Hacking Team's middleman and, following the migration of Project Raven from Cyberpoint to DarkMatter (i.e., the "U.A.E. Co."), its eventual partner in hacking crime with the UAE government.
Given what has already been made public about this, the fine (which is split between the three defendants) seems incredibly low. And yet the DOJ personnel involved are out there trying to pretend this wrist slap will act as some kind of deterrent. Here's Acting Assistant Attorney General Mark Lesko:
“Hackers-for-hire and those who otherwise support such activities in violation of U.S. law should fully expect to be prosecuted for their criminal conduct.”
Great. Except no real prosecution happened here. Here's more:
“The FBI will fully investigate individuals and companies that profit from illegal criminal cyber activity,” said Assistant Director Bryan Vorndran of the FBI’s Cyber Division. “This is a clear message to anybody, including former U.S. government employees, who had considered using cyberspace to leverage export-controlled information for the benefit of a foreign government or a foreign commercial company – there is risk, and there will be consequences.”
This only shows that both the risks and the consequences are minimal.
What it really shows is that if you commit the right kinds of crime, you can pretty much get away with it. I doubt anyone but the defendants is happy with this agreement. But a case like this -- one that involves multiple malware developers working with multiple shady governments -- is already problematic for all of the involved stakeholders, who would prefer to keep their cyber secrets secret. It also involves former NSA employees who brokered deals with malware developers to allow the UAE to purchase regulated digital weapons from companies that were either forbidden or unwilling to sell to the UAE government directly. And then there's Apple -- itself not a fan of discussing proprietary info in public -- which had to patch its own products twice to eliminate the flaws being exploited by UAE government spies.
That's a lot of information no one would want to see discussed, even in general terms, in open court. There's only so much redaction and sealed documents can hide. And there's a chance the defendants -- with little left to lose during a serious prosecution -- would start advocating for this information to be revealed to the public. A lot of entities wanted these people punished. And many of those same entities had no desire to see this thing go to trial.
In the end, it's a settlement, not an agreement, and it gives the appearance the DOJ doesn't really want to push a prosecution where its own dirty spyware laundry, along with that of some of its preferred contractors, might be aired. The $1.6 million fine seems more like a buyout, with the DOJ obtaining a little credibility and no one accused of anything left stinging too much from this performative slap.