On Sept. 7, U.S. citizens Marc Baier, 49, and Ryan Adams, 34, and former U.S. citizen Daniel Gericke, 40, all former employees of the U.S. Intelligence Community (USIC) or the U.S. military, entered into a deferred prosecution agreement (DPA) that restricts their future activities and employment and requires the payment of $1,685,000 in penalties to resolve a Department of Justice investigation regarding violations of U.S. export control, computer fraud and access device fraud laws. The Department filed the DPA today, along with a criminal information alleging that the defendants conspired to violate such laws.
According to court documents, the defendants worked as senior managers at a United Arab Emirates (U.A.E.)-based company (U.A.E. CO) that supported and carried out computer network exploitation (CNE) operations (i.e., “hacking”) for the benefit of the U.A.E. government between 2016 and 2019. Despite being informed on several occasions that their work for U.A.E. CO constituted a “defense service” under the International Traffic in Arms Regulations (ITAR), requiring a license from the State Department’s Directorate of Defense Trade Controls (DDTC), the defendants proceeded to provide such services without a license.
These services included the provision of support, direction and supervision in the creation of sophisticated “zero-click” computer hacking and intelligence gathering systems, i.e., systems that could compromise a device without any action by the target. U.A.E. CO employees whose activities were supervised by and known to the defendants thereafter leveraged these zero-click exploits to illegally obtain and use access credentials for online accounts issued by U.S. companies, and to obtain unauthorized access to computers, including mobile phones, around the world, including in the United States.
“This agreement is the first-of-its-kind resolution of an investigation into two distinct types of criminal activity: providing unlicensed export-controlled defense services in support of computer network exploitation, and a commercial company creating, supporting and operating systems specifically designed to allow others to access data without authorization from computers worldwide, including in the United States,” said Acting Assistant Attorney General Mark J. Lesko for the Justice Department’s National Security Division. “Hackers-for-hire and those who otherwise support such activities in violation of U.S. law should fully expect to be prosecuted for their criminal conduct.”
“Left unregulated, the proliferation of offensive cyber capabilities undermines privacy and security worldwide. Under our International Traffic in Arms Regulations, the United States will ensure that U.S. persons only provide defense services in support of such capabilities pursuant to proper licenses and oversight,” said Acting U.S. Attorney Channing D. Phillips of the District of Columbia. “A U.S. person’s status as a former U.S. government employee certainly does not provide them with a free pass in that regard.”
“The FBI will fully investigate individuals and companies that profit from illegal criminal cyber activity,” said Assistant Director Bryan Vorndran of the FBI’s Cyber Division. “This is a clear message to anybody, including former U.S. government employees, who had considered using cyberspace to leverage export-controlled information for the benefit of a foreign government or a foreign commercial company – there is risk, and there will be consequences.”
“Today’s announcement shines a light on the unlawful activity of three former members of the U.S. Intelligence Community and military,” said Assistant Director in Charge Steven M. D’Antuono of the FBI’s Washington Field Office. “These individuals chose to ignore warnings and to leverage their years of experience to support and enhance a foreign government’s offensive cyber operations. These charges and the associated penalties make clear that the FBI will continue to investigate such violations.”
The Defendants’ Applicable Conduct
After leaving U.S. government employment, Baier, Adams and Gericke worked for a U.S. Company (U.S. Company One) that provided cyber services to a U.A.E. government agency in compliance with the ITAR pursuant to a DDTC-issued Technical Assistance Agreement (TAA) signed by U.S. Company One, the U.A.E. government, and its relevant intelligence agency. U.S. Company One’s TAA specifically required the parties to abide by U.S. export control laws; to obtain preapproval from a U.S. government agency prior to releasing information regarding “cryptographic analysis and/or computer network exploitation or attack”; and not to “target or exploit U.S. Persons (i.e., U.S. citizens, permanent resident aliens, or U.S. companies or entities, or other persons in the United States) . . .” While employed by U.S. Company One, the defendants received periodic ITAR and TAA training.
In January 2016, after receiving an offer for higher compensation and an expanded budget, the defendants joined U.A.E. CO as senior managers of a team known as Cyber Intelligence-Operations (CIO). Prior to their departure, U.S. Company One repeatedly informed its employees, including the defendants, that the services they were providing constituted “defense services” under the ITAR, and that U.S. persons could not lawfully provide such services to U.A.E. CO without obtaining a separate TAA. After joining U.A.E. CO, the defendants sought continued access to U.S. Company One’s ITAR-controlled information, including from U.S. Company One employees, in violation of the TAA and the ITAR.
Between January 2016 and November 2019, the defendants and other U.A.E. CO CIO employees expanded the breadth and increased the sophistication of the CNE operations that CIO was providing to the U.A.E. government. For example, over an 18-month period, CIO employees, with defendants’ support, direction and supervision, created two similar “zero-click” computer hacking and intelligence gathering systems that leveraged servers in the United States belonging to a U.S. technology company (U.S. Company Two) to obtain remote, unauthorized access to any of the tens of millions of smartphones and mobile devices utilizing a U.S. Company Two-provided operating system. The defendants and other CIO employees colloquially referred to these two systems as “KARMA” and “KARMA 2.”
CIO employees whose activities were supervised by and/or known to the defendants used the KARMA systems to obtain, without authorization, targeted individuals’ login credentials and other authentication tokens (i.e., unique digital codes issued to authorized users) issued by U.S. companies, including email providers, cloud storage providers, and social media companies. CIO employees then used these access devices to, again without authorization, log into the target’s accounts to steal data, including from servers within the United States.
U.S. Company Two updated the operating system for its smartphones and other mobile devices in September 2016, undercutting the usefulness of KARMA. Accordingly, CIO created KARMA 2, which relied on a different exploit. In the summer of 2017, the FBI informed U.S. Company Two that its devices were vulnerable to the exploit used by KARMA 2. In August 2017, U.S. Company Two updated the operating system for its smartphones and other mobile devices, limiting KARMA 2’s functionality. However, both KARMA and KARMA 2 remained effective against U.S. Company Two devices that used older versions of its operating system.