The Justice Department announced a controversial deal with three former US intelligence operatives that allows them to pay a fine after breaking multiple laws through their offensive hacking for the repressive government of the United Arab Emirates.
The DOJ said 49-year-old Marc Baier, 34-year-old Ryan Adams and 40-year-old Daniel Gericke "entered into a deferred prosecution agreement" that allows them to avoid prison sentences in exchange for paying $1,685,000 "to resolve a Department of Justice investigation regarding violations of US export control, computer fraud and access device fraud laws."
The three were part of Project Raven, an effort by the UAE to spy on human rights activists, politicians and dissidents opposed to the government. The three even hacked into US companies, creating two exploits that were used to break into smartphones.
Both Reuters and The Intercept conducted an in-depth investigation into the work of Project Raven and a UAE cybersecurity firm named DarkMatter after members of the team raised concerns about the kind of hacking they were being asked to do by UAE officials.
Despite the accusations listed in the court filing, the DOJ said Baier, Adams and Gericke -- all former NSA employees or members of the US military -- reached an agreement on September 7 to pay the fines in addition to other restrictions on their work.
Baier will be forced to pay $750,000, Adams will pay $600,000, and Gericke will pay $335,000 over a three-year term. All three will also be forced to cooperate with the FBI and DOJ on other investigations and relinquish any foreign or US security clearances.
They are also permanently banned from having future US security clearances and will be restricted from any jobs involving computer network exploitation, working for certain UAE organizations, exporting defense articles or providing defense services.
The DOJ said the three were senior managers at a UAE company from 2016 to 2019 and continued to hack for the UAE despite being told they were violating rules that say people need a license from the State Department's Directorate of Defense Trade Controls to do such work.
"These services included the provision of support, direction and supervision in the creation of sophisticated 'zero-click' computer hacking and intelligence gathering systems -- i.e., one that could compromise a device without any action by the target," the Justice Department explained in a statement.
"UAE CO employees whose activities were supervised by and known to the defendants thereafter leveraged these zero-click exploits to illegally obtain and use access credentials for online accounts issued by US companies, and to obtain unauthorized access to computers, like mobile phones, around the world, including in the United States."
Acting Assistant Attorney General Mark Lesko for the Justice Department's National Security Division said the agreement was a "first-of-its-kind resolution" of an investigation into two distinct types of criminal activity: providing unlicensed export-controlled defense services in support of computer network exploitation and a commercial company creating, supporting and operating systems specifically designed to allow others to access data without authorization from computers worldwide, including in the United States.
"Hackers-for-hire and those who otherwise support such activities in violation of US law should fully expect to be prosecuted for their criminal conduct," Lesko said.
Acting US Attorney Channing Phillips noted that the proliferation of offensive cyber capabilities undermines privacy and security worldwide when left unregulated.
Phillips claimed the US government was trying to ensure that US citizens only provide defense services "in support of such capabilities pursuant to proper licenses and oversight." Despite the lack of prison sentences, Phillips said the agreement with the three hackers was evidence that a person's "status as a former US government employee certainly does not provide them with a free pass in that regard."
Other government officials reiterated that message, warning other former US government hackers to avoid using their skills to benefit foreign governments.
The three ignored orders from the US government that they abide by US export control laws, obtain preapproval from a US government agency prior to releasing information regarding "cryptographic analysis and/or computer network exploitation or attack," and not "target or exploit US citizens, residents and companies."
The DOJ added that over an 18-month period, the three created two similar "zero-click" computer hacking and intelligence gathering systems that leveraged servers in the US belonging to a US technology company "to obtain remote, unauthorized access to any of the tens of millions of smartphones and mobile devices utilizing a US Company-provided operating system.
"The defendants and other CIO employees colloquially referred to these two systems as 'KARMA' and 'KARMA 2,'" the DOJ explained.
"CIO employees whose activities were supervised by and/or known to the defendants used the KARMA systems to obtain, without authorization, targeted individuals' login credentials and other authentication tokens (i.e., unique digital codes issued to authorized users) issued by US companies, including email providers, cloud storage providers, and social media companies. CIO employees then used these access devices to, again without authorization, log into the target's accounts to steal data, including from servers within the United States."
The company was forced to create Karma 2 after the US company updated its smartphone system to protect against Karma 1. By 2017, the FBI interjected again, telling the US company that Karma 2 was being used against them. Even after another update, both exploits were effective against older devices sold by the company.
Reuters reporter Chris Bing noted on Twitter that Gericke previously served as CIO of ExpressVPN, the largest VPN in the market.
Casey Ellis, CTO at Bugcrowd, said he believed $1.68 million was enough of a penalty to sting those involved and to act as a deterrent for others considering doing likewise.
"However, the fact that it was settled means we can only speculate on the equities that were weighed up here," Ellis said. "As the value and use of offensive cyber capability becomes more obvious, and as the lines of international relations continue to shift, I would expect to see more of these 'slightly oddball' outcomes in the future."
BreachQuest CTO Jake Williams added that while it is obvious Project Raven crossed a legal boundary, what is less clear is whether the US persons involved knew the project would be used to target other US persons and US organizations.
"Given that the original mission was slated as counter terrorism, a mission that is very loosely defined by its nature, it was foreseeable that might be the eventual outcome. The second US companies and US persons were targeted under the program, every US person involved likely knew it was only a matter of time before some legal action was taken," Williams said.
"As for the fines and restrictions, it's hard to evaluate whether those were appropriate without knowing the full situation. But taken at face value, they do appear sufficient to deter future behavior of this type and that's really the goal. The US government certainly wanted to avoid any trial, which would undoubtedly involve the use of the State Secrets Protection Act -- something that never sits well with the public."