Posted on 09/15/2021 5:58:43 AM PDT by Mount Athos
On Sept. 7, U.S. citizens, Marc Baier, 49, and Ryan Adams, 34, and a former U.S. citizen, Daniel Gericke, 40, all former employees of the U.S. Intelligence Community (USIC) or the U.S. military, entered into a deferred prosecution agreement (DPA) that restricts their future activities and employment and requires the payment of $1,685,000 in penalties to resolve a Department of Justice investigation regarding violations of U.S. export control, computer fraud and access device fraud laws. The Department filed the DPA today, along with a criminal information alleging that the defendants conspired to violate such laws.
According to court documents, the defendants worked as senior managers at a United Arab Emirates (U.A.E.)-based company (U.A.E. CO) that supported and carried out computer network exploitation (CNE) operations (i.e., “hacking”) for the benefit of the U.A.E government between 2016 and 2019. Despite being informed on several occasions that their work for U.A.E. CO, under the International Traffic in Arms Regulations (ITAR), constituted a “defense service” requiring a license from the State Department’s Directorate of Defense Trade Controls (DDTC), the defendants proceeded to provide such services without a license.
These services included the provision of support, direction and supervision in the creation of sophisticated “zero-click” computer hacking and intelligence gathering systems – i.e., one that could compromise a device without any action by the target. U.A.E. CO employees whose activities were supervised by and known to the defendants thereafter leveraged these zero-click exploits to illegally obtain and use access credentials for online accounts issued by U.S. companies, and to obtain unauthorized access to computers, like mobile phones, around the world, including in the United States.
“This agreement is the first-of-its-kind resolution of an investigation into two distinct types of criminal activity: providing unlicensed export-controlled defense services in support of computer network exploitation, and a commercial company creating, supporting and operating systems specifically designed to allow others to access data without authorization from computers worldwide, including in the United States,” said Acting Assistant Attorney General Mark J. Lesko for the Justice Department’s National Security Division. “Hackers-for-hire and those who otherwise support such activities in violation of U.S. law should fully expect to be prosecuted for their criminal conduct.”
“Left unregulated, the proliferation of offensive cyber capabilities undermines privacy and security worldwide. Under our International Traffic in Arms Regulations, the United States will ensure that U.S. persons only provide defense services in support of such capabilities pursuant to proper licenses and oversight,” said Acting U.S. Attorney Channing D. Phillips of the District of Columbia. “A U.S. person’s status as a former U.S. government employee certainly does not provide them with a free pass in that regard.”
“The FBI will fully investigate individuals and companies that profit from illegal criminal cyber activity,” said Assistant Director Bryan Vorndran of the FBI’s Cyber Division. “This is a clear message to anybody, including former U.S. government employees, who had considered using cyberspace to leverage export-controlled information for the benefit of a foreign government or a foreign commercial company – there is risk, and there will be consequences.”
“Today’s announcement shines a light on the unlawful activity of three former members of the U.S. Intelligence Community and military,” said Assistant Director in Charge Steven M. D’Antuono of the FBI’s Washington Field Office. “These individuals chose to ignore warnings and to leverage their years of experience to support and enhance a foreign government’s offensive cyber operations. These charges and the associated penalties make clear that the FBI will continue to investigate such violations.”
The Defendants’ Applicable Conduct
After leaving U.S. government employment, Baier, Adams and Gericke worked for a U.S. Company (U.S. Company One) that provided cyber services to a U.A.E. government agency in compliance with the ITAR pursuant to a DDTC-issued Technical Assistance Agreement (TAA) signed by U.S. Company One, the U.A.E. government, and its relevant intelligence agency. U.S. Company One’s TAA specifically required the parties to abide by U.S. export control laws; obtain preapproval from a U.S. government agency prior to releasing information regarding “cryptographic analysis and/or computer network exploitation or attack,” and; not “target or exploit U.S. Persons (i.e., U.S. citizens, permanent resident aliens, or U.S. companies or entities, or other persons in the United States) . . .” While employed by U.S. Company One, the defendants received periodic ITAR and TAA training.
In January 2016, after receiving an offer for higher compensation and an expanded budget, the defendants joined U.A.E. CO as senior managers of a team known as Cyber Intelligence-Operations (CIO). Prior to their departure, U.S. Company One repeatedly informed its employees, including the defendants, that the services they were providing constituted “defense services” under the ITAR, and that U.S. persons could not lawfully provide such services to U.A.E. CO without obtaining a separate TAA. After joining U.A.E. CO, the defendants sought continued access to U.S. Company One’s ITAR-controlled information, including from U.S. Company One employees, in violation of the TAA and the ITAR.
Between January 2016 and November 2019, the defendants and other U.A.E. CO CIO employees expanded the breadth and increased the sophistication of the CNE operations that CIO was providing to the U.A.E. government. For example, over an 18-month period, CIO employees, with defendants’ support, direction and supervision, created two similar “zero-click” computer hacking and intelligence gathering systems that leveraged servers in the United States belonging to a U.S. technology company (U.S. Company Two) to obtain remote, unauthorized access to any of the tens of millions of smartphones and mobile devices utilizing a U.S. Company Two-provided operating system. The defendants and other CIO employees colloquially referred to these two systems as “KARMA” and “KARMA 2.”
CIO employees whose activities were supervised by and/or known to the defendants used the KARMA systems to obtain, without authorization, targeted individuals’ login credentials and other authentication tokens (i.e., unique digital codes issued to authorized users) issued by U.S. companies, including email providers, cloud storage providers, and social media companies. CIO employees then used these access devices to, again without authorization, log into the target’s accounts to steal data, including from servers within the United States.
U.S. Company Two updated the operating system for its smartphones and other mobile devices in September 2016, undercutting the usefulness of KARMA. Accordingly, CIO created KARMA 2, which relied on a different exploit. In the summer of 2017, the FBI informed U.S. Company Two that its devices were vulnerable to the exploit used by KARMA 2. In August 2017, U.S. Company Two updated the operating system for its smartphones and other mobile devices, limiting KARMA 2’s functionality. However, both KARMA and KARMA 2 remained effective against U.S. Company Two devices that used older versions of its operating system.
The DPA’s Terms
Under the terms of the DPA, Baier, Adams and Gericke agreed to pay $750,000, $600,000, and $335,000 respectively, over a three-year term, which they may not be reimbursed for without the express approval of the U.S. government. In addition to the financial penalties, as part of the DPA, the defendants agreed to full cooperation with the relevant Department and FBI components; the immediate relinquishment of any foreign or U.S. security clearances; a lifetime ban on future U.S. security clearances; and certain future employment restrictions, including a prohibition on employment that involves CNE activity or exporting defense articles or providing defense services under the ITAR (e.g., CNE techniques), and restrictions on employment for certain U.A.E. organizations.
The investigation was conducted jointly by the U.S. Attorney’s Office for the District of Columbia, the Justice Department’s National Security Division (NSD), and the FBI’s Washington Field Office.
Assistant U.S. Attorneys Demian Ahn and Tejpal Chawla of the U.S. Attorney’s Office for the District of Columbia and Counsel for Cyber Investigations Ali Ahmad and Trial Attorney Scott Claffee of NSD’s Counterintelligence and Export Control Section led the investigation for the government.
Over $500,000 each, plus lawyer fees. Mmmmmm, wonder how they an accord that.
Probably the fines are about 1/4 of what they were paid by the UAE.
I guess Joe didn’t get his 10%.
Easy answer, they store far more and earn far more with stolen information. Why are we letting foreign contractors access our intelligence assets? I guess that the scum that lead us need to charge for things they don't own so they can make the vig.
Does anybody believe that the kind of hacking these guys were doing isn't also done by the US intelligence and defense community?
There are plenty of published reports of US intelligence organizations using friendly foreign governments to do surveillance work that would be illegal if the US government did it.
Our ENTIRE GOVERNMENT IS CORRUPT!!
Sounds plausible. A very effective way for our Deep State to violate US law is work with foreign intel services to hack into US systems and spy on Americans that way. These guys apparently horned in on the racket without kicking back enough cash.
Some US intel agency is sore it got cut out of ops money. These guys should serve hard time, but corrupt Justice is following orders.
Folks, we need to take a serious look at our culture.
Our fellow citizens are willing to sell us into slavery and slaughter for money.
Something is really wrong here.
And who did they take their orders from?
“No problem, just pay a fine”
________________________
Did you catch where IF approved by our government they MAY get reimbursed?
Let’s say after the 3 year period the fines are paid....then they quietly request to be reimbursed.....that could happen...
Matter of fact, I’d wager it would be a great way for the government to put these guys back to work under the deep dark of night..... “You want you money back? Well, we just might have a way...let’s talk about something.....”
In government parlance, if there’s a ‘MAY’ in the sentence it’s there for a reason.......
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.