WASHINGTON – On September 7, US citizens Marc Baier, 49, and Ryan Adams, 34, and former US citizen Daniel Gericke, 40, all former employees of the US Intelligence Community (USIC) or the United States Army, entered into a Deferred Prosecution Agreement (DPA) that restricts their future activities and employment and requires the payment of $1,685,000 in penalties to resolve a Department of Justice investigation into violations of U.S. export control, computer fraud and access device fraud laws. The department filed the DPA today, along with a criminal brief alleging that the defendants conspired to violate these laws.
According to court documents, the defendants worked as senior executives at a United Arab Emirates (UAE)-based company (UAE CO) that supported and conducted computer network operations (CNE) (that is to say, “piracy”) for the benefit of the UAE government between 2016 and 2019. Despite being informed on several occasions that their work for UAE CO, under the International Traffic in Arms Regulations (ITAR), constituted a “defense service” requiring a license from the Department of State’s Defense Trade Controls Directorate (DDTC), the defendants provided these services without a license.
These services included the provision of support, direction and supervision in the creation of sophisticated “zero-click” hacking and intelligence systems – that is to say, systems that could compromise a device without any action from the target. UAE CO employees whose activities were supervised by and known to the defendants subsequently used these zero-click exploits to illegally obtain and use credentials to access online accounts issued by US companies, and to gain unauthorized access to computers, such as cell phones, worldwide, including in the United States.
“This agreement is the first of its kind to resolve an investigation into two distinct types of criminal activity: providing unlicensed export-controlled defense services in support of computer network operations, and a trading company creating, supporting and operating systems specifically designed to allow others to access unauthorized data from computers around the world, including the United States,” said Acting Deputy Attorney General Mark J. Lesko for the National Security Division of the Ministry of Justice. “Hackers and those who otherwise support such activity in violation of US law should be expected to be prosecuted for their criminal conduct.”
“Unregulated, the proliferation of offensive cyber capabilities undermines privacy and security around the world. Under our International Arms Trafficking Regulations, the United States will ensure that U.S. nationals provide defense services in support of these capabilities only in accordance with appropriate licensing and oversight,” said Acting United States Attorney Channing D. Phillips of the District of Columbia. “An American’s status as a former US government employee certainly does not give him a free pass in this regard.”
“The FBI will thoroughly investigate individuals and businesses who profit from illegal cybercrime activity,” said Deputy Director Bryan Vorndran of the Cyber Division of the FBI. “This is a clear message to anyone, including former U.S. government employees, who had considered using cyberspace to mine controlled export information for the benefit of a foreign government or a foreign trading company – there is a risk, and there will be consequences.”
“Today’s announcement highlights the illegal activities of three former members of the intelligence community and the United States military,” said deputy director in charge Steven M. D’Antuono of the FBI field office in Washington. “These individuals have chosen to ignore the warnings and use their years of experience to support and enhance the offensive cyber operations of a foreign government. These charges and the associated sanctions make it clear that the FBI will continue to investigate such violations.”
Applicable conduct of defendants
After leaving US government employment, Baier, Adams, and Gericke worked for a US company (US Company One) that provided e-services to a UAE government agency in accordance with ITAR under a technical assistance agreement (TAA) issued by the DDTC and signed by US Company One, the government of the United Arab Emirates and its relevant intelligence agency. US Company One’s TAA specifically required parties to comply with US export control laws; to obtain the prior approval of a US government agency before disclosing information regarding “cryptographic analysis and / or operation or attack of a computer network”; and not to “target or exploit persons from the United States (that is to say, U.S. citizens, permanent resident aliens, or U.S. corporations or entities, or other persons in the United States). . .” While employed by US Company One, the defendants received recurrent ITAR and TAA training.
In January 2016, after receiving an offer for higher compensation and an expanded budget, the defendants joined UAE CO as senior managers of a team known as Cyber Intelligence-Operations (CIO). Prior to their departure, US Company One repeatedly informed its employees, including the defendants, that the services they provided constituted “defense services” under the ITAR, and that American persons could not legally provide such services to UAE CO without obtaining a separate TAA. After joining UAE CO, the defendants requested continued access to the US company’s ITAR-controlled information, including from the US company’s employees, in violation of the TAA and ITAR.
Between January 2016 and November 2019, the defendants and other UAE CO CIO employees expanded the scope and sophistication of CNE operations that the CIO provided to the UAE government. For example, over an 18-month period, CIO employees, with the support, direction and supervision of the accused, created two similar “zero-click” hacking and intelligence-gathering systems that operated servers in the United States owned by an American technology company (US Company Two) to gain unauthorized remote access to one of the tens of millions of smartphones and mobile devices using an operating system provided by US Company Two. The defendants and other CIO employees colloquially referred to these two systems as “KARMA” and “KARMA 2”.
CIO employees whose activities were supervised by and / or known to the defendants used KARMA systems to obtain, without authorization, the login credentials of the targeted persons and other authentication tokens (that is to say, unique digital codes issued to authorized users) issued by U.S. companies, including email providers, cloud storage providers, and social media companies. CIO employees then used these access devices to, again without authorization, log into the target’s accounts to steal data, including from servers in the United States.
US Company Two updated the operating system of its smartphones and other mobile devices in September 2016, reducing the usefulness of KARMA. As a result, CIO created KARMA 2, which relied on a different exploit. In the summer of 2017, the FBI informed US Company Two that its devices were vulnerable to the exploit used by KARMA 2. In August 2017, US Company Two updated the operating system of its smartphones and other mobile devices, limiting the functionality of KARMA 2. However, KARMA and KARMA 2 remained effective against US Company Two’s devices that used older versions of its operating system.
The conditions of the DPA
Under the DPA, Baier, Adams and Gericke agreed to pay $750,000, $600,000 and $335,000, respectively, over a three-year period, an amount they cannot repay without the express approval of the US government. In addition to financial sanctions, under the DPA, the defendants agreed to cooperate fully with the relevant department and components of the FBI; the immediate abandonment of any foreign or US security clearances; a lifetime ban on future US security clearances; and certain future employment restrictions, including an employment ban involving CNE activity or the export of defense articles or the provision of defense services under the ITAR (for example, CNE techniques) and employment restrictions for some organizations in the United Arab Emirates.
The investigation was conducted jointly by the District of Columbia’s United States Attorney’s Office, the Department of Justice’s National Security Division (NSD), and the FBI’s Washington Field Office.
Assistant U.S. Prosecutors Demian Ahn and Tejpal Chawla of the U.S. Attorney’s Office for the District of Columbia and Cyber Investigations Board Ali Ahmad and Attorney Scott Claffee of the NSD Counterintelligence and Export Control Section led the investigation for the government.