Three former U.S. intelligence operatives have admitted to selling their hacking talents, connections, and U.S. cyberweapons to the United Arab Emirates, federal officials announced Tuesday.
U.S. citizens Marc Baier, 49, and Ryan Adams, 34, as well as Daniel Gericke, 40, a former U.S. citizen, all were working for an unnamed American company that was developing intelligence capabilities for the United Arab Emirates. However, in January 2016, the three left for a UAE-based company "after receiving an offer for higher compensation and an expanded budget," according to federal officials. They were hired as senior managers of a team known as "Cyber Intelligence-Operations (CIO)," a Department of Justice statement said.
Once there, federal officials say the men provided "support, direction and supervision" in developing two "zero-click" computer hacking and intelligence gathering systems.
A zero-click exploit doesn't require its victims to click or open the malicious file for it to infect their devices.
The three men agreed to a deal with federal officials to cooperate in a continuing investigation, as well as accept restrictions on future jobs they can hold, and pay hefty fines while not refuting the Justice Department's description of their role in the scheme, in exchange for avoiding prosecution.
Reuters first wrote about Baier, a former National Security Agency employee, and the exploits of his company, Cyberpoint, in January 2019. The account was based on information provided by nine former operatives, including one who was named for the story. According to the report, the former U.S. government hackers used state-of-the-art cyber-espionage tools, some of which were developed on behalf of the Emiratis to spy on human rights activists, journalists and political rivals -- including U.S. citizens.
Reuters reported that those cyber tools helped the team hack into phones used by government officials including Qatar's Emir Sheikh Tamim bin Hamad al-Thani, as well as the devices of Turkey's former Deputy Prime Minister Mehmet Şimşek, and Oman's head of foreign affairs, Yusuf bin Alawi bin Abdullah. Human rights activists including Tawakkol Karman, known as the Iron Woman of Yemen, also were listed by the news agency as a hacking target.
Court documents allege that between 2015 and 2019, the three men "purchased and obtained numerous proprietary computer exploits" with the intent to use them against devices such as smartphones "using U.S. companies' software, services, and internet browsers."
The charges said that the three had worked "to deliver sophisticated hacking technology," exporting and then modifying U.S. cyberweapons and exploit tools as part of their effort to bolster the capabilities of the unnamed UAE company. In doing so, the men violated arms control laws and committed fraud as a result of their hacking activities, according to the Justice Department.
The result was that they were able "to obtain remote, unauthorized access to any of the tens of millions of smartphones and mobile devices utilizing a U.S. Company Two-provided operating system."
Although court documents and federal officials do not reveal the identity of "U.S. Company Two," the Reuters report said that the hacking relied on an undisclosed vulnerability in Apple's iMessage text messaging software.
Instead of going to trial, Baier, Adams and Gericke have agreed to pay more than $1.68 million in fines, according to the Justice Department. All three faced charges of conspiracy and violating the Arms Export Control Act and the International Traffic in Arms regulations, as well as two computer fraud charges, according to court documents.
-- Konstantin Toropin can be reached at firstname.lastname@example.org. Follow him on Twitter @ktoropin.