Three former US intelligence operatives who worked as cyber spies admitted to violating US hacking laws and providing sophisticated computer hacking technology to the United Arab Emirates (UAE). They have reportedly agreed to pay $1.7 million to avoid prosecution in a deal that the Justice Department described on Tuesday as the first of its kind.
The three intelligence operatives -- Marc Baier, Ryan Adams and Daniel Gericke -- were senior managers in a UAE-based clandestine company named Project Raven that conducted hacking operations on behalf of the Emirati government. The three men are accused of providing hacking systems that were used to break into computers in the United States and other parts of the world.
The case in federal court in Washington accuses the former U.S. officials of violating American hacking laws related to export control and computer fraud. According to Reuters, Baier, Adams and Gericke, as part of Project Raven, were asked by the UAE monarchy to hack into the accounts of human rights activists, journalists and rival governments, which the three did.
The three men have now admitted to hacking into several computer systems in the United States and providing the UAE government sophisticated hacking tools and technology, without taking permission from the US government, according to court papers released on Tuesday.
However, that was not where the three accused stopped. They then agreed to pay a combined $1.69 million in a deal with federal authorities to avoid prosecution. Under the deal, they would never again seek a U.S. security clearance to break into the computer systems, a requirement for jobs that entail access to national security secrets.
"Hackers-for-hire and those who otherwise support such activities in violation of U.S. law should fully expect to be prosecuted for their criminal conduct," Acting Assistant Attorney General Mark J. Lesko for the Justice Department's National Security Division said in a statement.
Just for Money?
The Justice Department said on Tuesday that the case is unique and a "first-of-its-kind resolution of an investigation into two distinct types of criminal activity," including providing unlicensed technology for hacking.
According to the prosecutors, the three men did all these for money as they left a U.S.-based company that was operating in the UAE and joined an Emirati company that would give them "significant increases" in their salaries. Although the companies haven't been named in the charging documents, Lori Stroud, a former National Security Agency employee, said the three men were her colleagues in the UAE at U.S.-based CyberPoint and then at UAE-owned DarkMatter.
That said, doubts were raised about people working at Project Raven back in 2019, when Reuters, after an investigation, highlighted the growing practice of former intelligence operatives selling their spycraft overseas with little accountability.
However, even before than in 2018, DarkMatter's founder and CEO, Faisal al-Bannai, had told The Associated Press that his doesn't take part in hacking although the firm had close business ties to the Emirati government.
Stroud, who was part of Project Raven, and later acted as a whistleblower is happy that law is finally taking its course and tracing former intelligence operatives who have been selling spycraft to foreign governments.
"The most significant catalyst to bringing this issue to light was investigative journalism - the timely, technical information reported created the awareness and momentum to ensure justice," she said.
Prosecutors said that between January 2016 and November 2019, the trio "expanded the breadth and increased the sophistication" of operations being providing to the UAE government. They would buy software to break into computers and mobile devices from companies around the world, including those based in the U.S, according to the Justice Department. The trio also got preapproval for their original work.
Baier, Adams and Gericke also admitted to using a cyberweapon named 'Karma' that allowed the UAE to hack into iPhones without requiring a target to click on malicious links, according to court papers.
Karma allowed users to access millions of devices and qualified as an intelligence gathering system under federal export control rules. The hacking tools also included one so-called 'zero-click' exploit - which can break into mobile devices without any user interaction - that Baier bought from an unnamed U.S. company in 2016.
However, no one realized that what was being done was completely unethical as the trio did not obtain the required permission from the U.S. government permission to sell the tool to the UAE. The revelations come as a shock given the way intelligence operatives compromised sensitive information with the UAE government. The CIA had warned in a letter earlier this year about "an uptick in the number of former officers who have disclosed sensitive information about CIA activities, personnel, and tradecraft."