Under a settlement revealed on Tuesday, three former US intelligence agents who worked as cyberspies for the United Arab Emirates admitted to breaking US hacking laws and bans on selling classified military technologies.
Marc Baier, Ryan Adams, and Daniel Gericke were members of Project Raven, a covert team that assisted the UAE in spying on its adversaries. The Project Raven team hacked into the accounts of human rights activists, journalists, and other countries at the request of the UAE monarchy.
According to court papers filed in federal court in Washington, D.C. on Tuesday, the three individuals admitted to hacking into computer networks in the United States and exporting advanced cyber infiltration tools without first obtaining required approval from the US government.
A request for comment to the UAE embassy in Washington, D.C. was not immediately returned. To escape punishment, the three former intelligence officials agreed to pay a total of $1.69 million and never apply for a U.S. security clearance, which is required for jobs that need access to national security information.
“Hackers-for-hire and those who otherwise support such activities in violation of U.S. law should fully expect to be prosecuted for their criminal conduct,” Acting Assistant Attorney General Mark J. Lesko for the Justice Department’s National Security Division said in a statement.
“This is a clear message to anybody, including former U.S. government employees, who had considered using cyberspace to leverage export-controlled information for the benefit of a foreign government or a foreign commercial company,” Assistant Director Bryan Vorndran of the FBI’s Cyber Division said in a statement. “There is a risk, and there will be consequences.”
Former program operatives claimed they thought they were following the law because superiors assured them that the operation had been sanctioned by the US government. According to court documents, Baier, Adams, and Gericke admitted to using a sophisticated cyberweapon known as “Karma” that allowed the UAE to hack into Apple iPhones without requiring a target to click on harmful links.
Karma gave users access to tens of millions of devices and was classified as an intelligence collection technology by the US government. The operatives, however, did not receive the necessary clearance from the US government to sell the tool to the UAE, according to authorities.