The Department of Justice (DOJ) announced on Tuesday that three former U.S. intelligence and military officers have admitted they worked as mercenary hackers for the government of the United Arab Emirates (UAE), violated U.S. laws against selling sensitive military technology, and conducted cyber-espionage against targets in America.
The admitted hackers entered into a deferred prosecution agreement (DPA) that “restricts their future activities and employment and requires the payment of $1,685,000 in penalties.”
Acting Assistant Attorney General Mark J. Lesko called the agreement a “first-of-its-kind resolution” for such an investigation.
“Hackers-for-hire and those who otherwise support such activities in violation of U.S. law should fully expect to be prosecuted for their criminal conduct,” Lesko said.
Unsealed court documents named the defendants as Marc Baier, 49, Ryan Adams, 34, and Daniel Gericke, 40. All were described as “former employees of the U.S. Intelligence Community (USIC) or the U.S. military,” and Gericke was identified as a “former U.S. citizen.”
Gericke is currently employed as the Chief Information Officer (CIO) of ExpressVPN, one of the world’s leading Virtual Private Network providers.
ExpressVPN stated on Tuesday that it was fully aware of Gericke’s work on behalf of the UAE when it hired him, and clarified that he was a former member of the U.S. military but not an officer of the USIC like the other two defendants.
The company called Gericke an “invaluable hire” thanks to his “history and expertise” in cyber-espionage, because he has a deep understanding of the “tools and techniques” employed by hackers, and insisted its trust in Gericke “remains strong” despite the DOJ announcement of the deferred prosecution agreement.
However, CyberNews noted that after the agreement was announced, Gericke’s LinkedIn and Twitter accounts were apparently deleted without explanation.
According to CyberNews, one day before the DOJ announced the case against Gericke, ExpressVPN was acquired for $936 million by Kape Technologies, which previously purchased three other VPN providers.
DOJ said Baier, Adams, and Gericke became senior managers for a company in the UAE after leaving U.S. government service. They engaged in advanced cyber-espionage on behalf of their new employer, deploying “zero-click” hacking and spyware systems – that is, exploits and malware that compromise a device without the user taking any action at all, such as clicking a link or opening a file or attachment.
These zero-click attacks were employed to “illegally obtain and use access credentials for online accounts issued by U.S. companies, and to obtain unauthorized access to computers, like mobile phones, around the world, including in the United States.”
According to Reuters, Baier, Adams, and Gericke were part of a massive UAE cyber-espionage operation called “Project Raven,” and were most likely employed by DarkMatter, the Emirates-based company at the heart of the project.
The New York Times on Tuesday stated all three men were indeed employed by DarkMatter, “a company that is effectively an arm of the Emirati government.” DarkMatter’s recruits, highly skilled Americans with intelligence and cyberwar backgrounds, had first been hired through a U.S. firm called CyberPoint, which provided contract information security services to the UAE but refused Emirati intelligence requests to hack American websites in violation of U.S. law.
Reuters first exposed Project Raven in January 2019 with information provided by another American who was recruited by the UAE, a former National Security Agency (NSA) analyst named Lori Stroud.
Stroud’s story was similar to the DOJ case against Baier, Adams, and Gericke; she said she was first hired by a U.S. company that did contract work for the Emiratis, and later moved to the UAE-based DarkMatter to become a mercenary hacker, along with at least a dozen other former U.S. intelligence operatives. Stroud said she and some of her fellow employees from the United States drew the line and blew the whistle when they were tasked with targeting Americans for surveillance.
“I am working for a foreign intelligence agency who is targeting U.S. persons. I am officially the bad kind of spy,” Stroud told Reuters in 2019.
Stroud and other Project Raven veterans who talked to Reuters said they brought techniques developed during their tenure with the U.S. intelligence community to their new employers in the UAE, which was also one of the charges leveled at Baier and company by DOJ.
DOJ said on Tuesday:
Despite being informed on several occasions that their work for [the UAE company], under the International Traffic in Arms Regulations (ITAR), constituted a “defense service” requiring a license from the State Department’s Directorate of Defense Trade Controls (DDTC), the defendants proceeded to provide such services without a license.
Reuters said the zero-click “superweapon” Baier and company deployed on behalf of the UAE was called “Karma,” and it allowed them to hack into Apple iPhones without any actions being taken by the smartphone users. DOJ also used the names “Karma” and “Karma2” to refer to systems provided to the UAE by the defendants.
According to Reuters’ investigation, “Project Raven used Karma to hack into thousands of targets including a Nobel Prize-winning Yemeni human rights activist and a BBC television show host.” Some targets of Project Raven surveillance were “later tortured by UAE security forces.”
DOJ said the deferred prosecution agreement with Baier, Adams, and Gericke included individual penalties of up to $750,000 (totaling the $1,685,000 noted above), loss of security clearances, and restrictions on future employment.
Perhaps most crucially, all three agreed to “full cooperation with the relevant Department and FBI components,” suggesting a deeper investigation is underway.
The Washington Post on Tuesday quoted from a letter written earlier this year by CIA Assistant Director for Counterintelligence Sheetal Patel, lamenting an “uptick in the number of former officers who have disclosed sensitive information about CIA activities, personnel, and tradecraft” after taking jobs with foreign governments and corporations.
“We ask that you protect yourself and the CIA by safeguarding the classified tradecraft that underpins your enterprise,” Patel wrote to former CIA officers.