Three former US intelligence operatives who worked as cyberspies for the United Arab Emirates admitted to violating US hacking laws and prohibitions on selling sensitive military technology, under a deal to avoid prosecution announced on Tuesday.
The operatives — Marc Baier, Ryan Adams and Daniel Gericke — were part of a clandestine unit named Project Raven, first reported by Reuters, which helped the UAE spy on its enemies.
At the behest of the UAE’s monarchy, the Project Raven team hacked into the accounts of human rights activists, journalists and rival governments, Reuters reported.
The three men admitted to hacking into computer networks in the United States and exporting sophisticated cyber intrusions tools without gaining required permission from the US government, according to court papers released in US federal court in Washington, DC, on Tuesday.
The operatives and their attorneys did not respond to requests for comment.
The UAE embassy in Washington, DC, did not immediately respond to a request for comment.
As part of the deal with federal authorities to avoid prosecution, the three former intelligence officials agreed to pay a combined $1.69 million and never again seek a US security clearance, a requirement for jobs that entail access to national security secrets.
“Hackers-for-hire and those who otherwise support such activities in violation of US law should fully expect to be prosecuted for their criminal conduct,” Acting Assistant Attorney General Mark J Lesko for the Justice Department’s National Security Division said in a statement.
Revelations of Project Raven in 2019 by Reuters highlighted the growing practice of former intelligence operatives selling their spycraft overseas with little oversight or accountability.
“This is a clear message to anybody, including former US government employees, who had considered using cyberspace to leverage export-controlled information for the benefit of a foreign government or a foreign commercial company,” Assistant Director Bryan Vorndran of the FBI’s Cyber Division said in a statement. “There is risk, and there will be consequences.”
Lori Stroud, a former US National Security Agency analyst who worked on Project Raven and then acted as a whistleblower, said she was pleased to see the charges.
“The most significant catalyst to bringing this issue to light was investigative journalism — the timely, technical information reported created the awareness and momentum to ensure justice," she said.
The Reuters investigation found that Project Raven spied on numerous human rights activists, some of whom were later tortured by UAE security forces.
Former programme operatives said they believed they were following the law because superiors promised them the US government had approved the work.
Baier, Adams and Gericke admitted to deploying a sophisticated cyberweapon called “Karma” that allowed the UAE to hack into Apple iPhones without requiring a target to click on malicious links, according to court papers.
Karma allowed users to access tens of millions of devices and qualified as an intelligence-gathering system under federal export control rules. But the operatives did not obtain the required US government permission to sell the tool to the UAE, authorities said.
Project Raven used Karma to hack into thousands of targets including a Nobel Prize-winning Yemeni human rights activist and a BBC television show host, Reuters reported.