Lauren Moye, FISM NEWS
[elfsight_social_share_buttons id=”1”]
On Sept. 7, three United States citizens with connections to the intelligence community admitted that they provided advanced hacking technologies to the United Arab Emirates. This technology was then used to target United States companies and citizens.
As part of an agreement made with the Department of Justice, defendants Marc Baier, Ryan Adams, and Daniel Gericke will pay $1,685,000 in penalties. They will also immediately forfeit all national and foreign security clearances and face restrictions on future employment.
“This agreement is the first-of-its-kind resolution of an investigation into two distinct types of criminal activity: providing unlicensed export-controlled defense services in support of computer network exploitation, and a commercial company creating, supporting, and operating systems specifically designed to allow others to access data without authorization from computers worldwide, including in the United States,” said Mark J. Lesko, Acting Assistant Attorney General for the National Security Division of the Department of Justice.
All three men were former US intelligence or military operatives who, after entering the private sector for an undisclosed US-based company, continued to have access to sensitive information controlled under the International Traffic in Arms Regulation (ITAR).
In 2016, Baier, Adams, and Gericke accepted employment as senior managers in a Cyber Intelligence Operations division of a UAE-based company. As the providers of “defense services” as defined by ITAR, the men were required to obtain a license from the State Department’s Directorate of Defense Trade Controls. Instead, they ignored warnings to continue operating illegally.
Over the next few years, they developed and supervised the use of advanced hacking technology. Not only did they use their existing knowledge to provide this service, but they continued to illegally gain access to ITAR-controlled info from their previous company and former coworkers.
“Hackers-for-hire and those who otherwise support such activities in violation of U.S. law should fully expect to be prosecuted for their criminal conduct,” said Lesko.
The zero-click hacking systems that they provided information on enabled unauthorized access to devices without the knowledge or need to trick a user into giving access away with the click of a button. They called these systems KARMA and KARMA 2.
With the defendants’ knowledge, the UAE company then used this technology to gain access to the servers of an undisclosed United States company. According to the DOJ, this allowed them “to obtain remote, unauthorized access to any of the tens of millions of smartphones and mobile devices” along with the data, account information, and cloud storage.
Assistant Director of FBI’s Cyber Division Bryan Vorndran said, “This is a clear message to anybody, including former U.S. government employees, who had considered using cyberspace to leverage export-controlled information for the benefit of a foreign government or a foreign commercial company – there is risk, and there will be consequences.”
According to the terms of their agreement with the DOJ, Baier, Adams, and Gericke have a lifetime ban against holding US security clearances. They are also prohibited from employment involving hacking services or providing future defense services. The $1,685,000 penalty fees will be paid over a three years.