Today's top stories

3 former US intel officers turned cyber mercenaries plead guilty: An insider threat case study

Three U.S. nationals, working as cyber mercenaries on behalf of the United Arab Emirates, have pleaded guilty to exploiting U.S. entities using U.S.-controlled technologies.

CIO | Middle East  >  UAE / United Arab Emirates  >  Flag
BKindler / Getty Images

Today's top stories

Show More

The U.S. Department of Justice (DoJ) announced on 14 September a deferred prosecution agreement with two U.S. citizens and one former U.S. citizen who, on behalf of the United Arab Emirates (UAE), transferred protected information (ITAR/AECA) to the UAE; assisted the UAE in exploiting Apple’s operating system; and conducted network operations that compromised U.S. entities. All three individuals were former members of the U.S. Intelligence Community (believed to be the National Security Agency) or U.S. military, and were identified as Marc Baier, Ryan Adams, and Daniel Gericke.

Court documents reveal the three worked for a UAE-based company, identified as “UAE-CO” in court documents, and believed to be DarkMatter. This company provided computer network exploitation support to the UAE government’s National Electronic Security Authority (NESA) the UAE’s equivalent of the NSA. Of particular note, especially given the timing of the announcement, is the fact they provided “support, direction, and supervision in the creation of sophisticated ‘zero-click’ computer hacking and intelligence gathering systems” for DarkMatter.

Raven

In January 2019, Reuters published an in-depth expose concerning DarkMatter’s recruitment of foreign cyber experts for the purpose of both defensive and offensive cyber weapon development. These experts ran project “Raven,” which in addition to supporting UAE’s targeting of terrorists and foes of the nation, also targeted those with dissenting opinions. The Reuters stories linked to above make it clear that Raven was created to support NESA’s objectives.

The court documents confirm much of the Reuters expose, specifically, multiple U.S. entities (unidentified beyond Apple) and persons were targeted by the NESA, including journalists.

While no mention is made of the Israeli cybersecurity firm NSO Group, the court documents indicate how the original zero click export was purchased from a foreign entity and then modified by the DarkMatter teams. The UAE being an identified customer of NSO Group makes it possible the NSO exploit, or its earlier versions, were used by the UAE cyber intelligence operations targeting Apple OS devices. This week, the NSO exploit, which compromised Apple devices via a zero-click exploit of iMessage, was mitigated by Apple in their emergency patch of 13 September.

Teachable moments

There are many teachable moments within the court documents and the exposure of the UAE operation for CISOs of all companies, especially those in the cybersecurity industry or those associated with entities charged with protecting controlled technology.  

The first charge to which the three pleaded guilty involves sharing information that fell within the ITAR/AECA protocols. The information was shared in an unauthorized manner with foreign nationals (their colleagues in the UAE), without proper authority.

These three individuals, and possibly others, had originally been protected by a Technical Assistance Agreement (TAA) issued by the U.S. Department of State when they shared with foreign nationals and entities in the UAE controlled technologies that were developed and utilized by their employer Cyberpoint International, a Baltimore, MD cybersecurity firm. It is important to note, Cyberpoint apparently played by the rules and obtained authorization from the U.S. government to share their know-how with the government of the UAE, specifically NESA. The previously identified project Raven fell firmly within the authority of the TAA.

TAA protection vaporizes

Once these three individuals left Cyberpoint and went to work for DarkMatter within the NESA cyber intelligence operations they were no longer operating under the protection and authority of the U.S. government. Indeed, some may argue that these individuals upon departure effectively transferred the technical knowledge and relationship goodwill from Cyberpoint to DarkMatter.

This begs the question, was there an off-boarding process to ensure the intellectual property of Cyberpoint was protected and that the individuals were aware of the delineation of what was permitted without a TAA in place?

While UAE’s project Raven shifted from one company to the other, when the music stopped, it was Cyberpoint that didn’t have a chair to sit in and soon after closed up shop in the UAE. DarkMatter controlled the chairs and the music and those who joined DarkMatter were expected to pocket their moral compass and to do what was asked of them on behalf of the UAE.

Crossing legal and moral boundaries

It was after these individuals assimilated into DarkMatter that their actions crossed the legal boundaries of conducting computer network exploitation operations and assisting the UAE in targeting identified entities. The court documents are unambiguous, the three used “illicit, fraudulent, and criminal means, including the use of advanced covert hacking systems that utilized computer exploits obtained from the United States and elsewhere, to gain unauthorized access to protected computers in the United States and elsewhere and to illicitly obtain information, material, documents, records, data and personal identifying information, including passwords, access devices, login credentials and authentication tokens, from victims from around the world.”

The trio’s efforts included surveillance of targets and successful attempts at social engineering personnel to extract needed information to allow unauthorized access of targeted entities. What the individuals did took them across many legal lines. They also crossed moral boundaries—they used knowledge acquired in the service of their nation against targets in their nation on behalf of a foreign power.

“Left unregulated, the proliferation of offensive cyber capabilities undermines privacy and security worldwide. Under our International Traffic in Arms Regulations, the United States will ensure that U.S. persons only provide defense services in support of such capabilities pursuant to proper licenses and oversight,” said Acting U.S. Attorney Channing D. Phillips of the District of Columbia. “A U.S. person’s status as a former U.S. government employee certainly does not provide them with a free pass in that regard.”

For their work they were paid handsomely—Baier-$750,000; Adams-$600,000; Gericke-$350,000—all of which is to be forfeited as part of their court agreement. Their deferred plea agreement is for three years, and is chock-a-block full of restrictions and prohibitions, but the salient point is that when the agreement expires in 2024, if the trio has completed all of the requirements within the agreement, they will not be prosecuted.

CISOs would be well served to ensure this case study wends its way into all insider threat/insider risk management briefings, especially the admonishment from Assistant Director FBI Cyber Division, Bryan Vorndran, “The FBI will fully investigate individuals and companies that profit from illegal criminal cyber activity. This is a clear message to anybody, including former U.S. government employees, who had considered using cyberspace to leverage export-controlled information for the benefit of a foreign government or a foreign commercial company—there is risk, and there will be consequences.”

Copyright © 2021 IDG Communications, Inc.

How to choose a SIEM solution: 11 key features and considerations