On September 7, US citizens Marc Baier, 49, and Ryan Adams, 34, and former US citizen Daniel Gericke, 40, all former employees of the US Intelligence Community (USIC) or the military United States, have entered into a Deferred Prosecution Agreement (DPA) that restricts their future business and employment and requires the payment of $ 1,685,000 in penalties to resolve a Department of Justice investigation into violations of U.S. oversight laws. exports, computer fraud and access device fraud. The department filed the DPA today, along with a criminal brief alleging that the defendants conspired to violate these laws.
According to court documents, the defendants worked as senior executives at a United Arab Emirates (UAE) -based company (UAE CO) that supported and conducted computer network operations (CNE) operations (that is to say, âPiracyâ) for the benefit of the UAE government between 2016 and 2019. Despite being informed on several occasions that their work for UAE CO, under the International Traffic in Arms Regulations (ITAR), constituted a “Defense service” requiring a license from the Department of State’s Defense Trade Controls Directorate (DDTC), the defendants provided these services without a license.
These services included the provision of support, direction and supervision in the creation of sophisticated “zero click” hacking and intelligence systems – that is to say, one that could compromise a device without any action from the target. UAE CO employees whose activities were supervised by and known to the defendants subsequently exploited these clickless exploits to illegally obtain and use credentials for online accounts issued by US companies, and to gain access. not allowed to computers, such as cell phones, worldwide. , including in the United States.
âThis agreement is the first resolution of its kind to investigate two distinct types of criminal activity: the provision of unlicensed export-controlled defense services in support of the operation of computer networks, and a commercial company creating, supporting and operating systems specially designed to allow others to access data without authorization from computers around the world, including the United States, âsaid the Deputy Attorney General Acting Mark J. Lesko for the National Security Division of the Department of Justice. “Hackers and those who otherwise support such activity in violation of US law should be expected to be prosecuted for their criminal conduct.”
âUnregulated, the proliferation of offensive cyber capabilities undermines privacy and security around the world. Under our International Arms Trafficking Regulations, the United States will ensure that U.S. nationals only provide defense services in support of these capabilities in accordance with appropriate licensing and oversight, âthe Minister said. Acting United States Attorney Channing D. Phillips of the District of Columbia. âAn American’s status as a former US government employee certainly does not give him a free pass in this regard. “
âThe FBI will thoroughly investigate individuals and businesses who profit from illegal cybercrime activity,â said Deputy Director Bryan Vorndran of the Cyber ââDivision of the FBI. “This is a clear message to anyone, including former U.S. government employees, who had considered using cyberspace to mine controlled export information for the benefit of a foreign government or a trading company. foreign – there is a risk, and there will be consequences. “
“Today’s announcement highlights the illegal activities of three former members of the intelligence community and the United States military,” said deputy director in charge Steven M. D’Antuono of the FBI field office in Washington. âThese individuals have chosen to ignore the warnings and use their years of experience to support and enhance the offensive cyber operations of a foreign government. These charges and the associated sanctions make it clear that the FBI will continue to investigate such violations. “
Applicable conduct of defendants
After leaving US government employment, Baier, Adams, and Gericke worked for a US company (US Company One) that provided e-services to a UAE government agency in accordance with ITAR under an assistance agreement. technical document (TAA) issued by the DDTC and signed by the United States. Company One, the government of the United Arab Emirates and its relevant intelligence agency. US Company One’s TAA specifically required parties to comply with US export control laws; obtain the prior approval of a US government agency before disclosing information regarding “cryptographic analysis and / or operation or attack of a computer network”, and; not “target or exploit persons from the United States (that is to say, U.S. citizens, permanent resident aliens, or U.S. corporations or entities, or other persons in the United States). . . âWhile employed by US Company One, the defendants received recurrent ITAR and TAA training.
In January 2016, after receiving an offer for higher compensation and an expanded budget, the defendants joined UAE CO as senior managers of a team known as Cyber ââIntelligence-Operations (CIO). Prior to their departure, US Company One repeatedly informed its employees, including the defendants, that the services they provided constituted “defense services” under the ITAR, and that American persons could not legally provide. such services to UAE CO without obtaining a separate TAA. . After joining UAE CO, the defendants requested continued access to the US company’s ITAR-controlled information, including from the US company’s employees, in violation of the TAA and ITAR.
Between January 2016 and November 2019, the defendants and other employees of the UAE CIO CO expanded the scope and sophistication of CNE operations that the IOC provided to the UAE government. For example, over an 18-month period, DSI employees, with the support, direction and supervision of the accused, created two similar “zero-click” hacking and intelligence-gathering systems that operated servers in the States. – United owned by an American technology company (US Company Two) to gain unauthorized remote access to one of the tens of millions of smartphones and mobile devices using an operating system provided by US Company Two. The defendants and other IOC employees colloquially referred to these two systems as âKARMAâ and âKARMA 2â.
DSI employees whose activities were supervised by and / or known to the defendants used KARMA systems to obtain, without authorization, the login credentials of the targeted persons and other authentication tokens (that is to say., unique digital codes issued to authorized users) issued by U.S. companies, including email providers, cloud storage providers, and social media companies. DSI employees then used these access devices to, again without authorization, log into the target’s accounts to steal data, including from servers in the United States.
US Company Two updated the operating system of its smartphones and other mobile devices in September 2016, reducing the usefulness of KARMA. As a result, CIO created KARMA 2, which relied on a different feat. In the summer of 2017, the FBI informed US Company Two that its devices were vulnerable to the exploit used by KARMA 2. In August 2017, US Company Two updated the operating system of its smartphones and other mobile devices. , limiting the functionality of KARMA 2. However, KARMA and KARMA 2 remained effective against devices from the US company 2 that used older versions of its operating system.
Find out more at the Ministry of Justice