On Tuesday, three former US intelligence operatives admitted to helping the United Arab Emirates spy on its enemies through hacking computer networks.
Marc Baier, Ryan Adams and Daniel Gericke were part of the secret unit named Project Raven. The three reportedly worked as cyber spies for the UAE, and admitted to "violating US hacking laws and prohibitions on selling sensitive military technology," according to Reuters.
Under the command of UAE's monarchy, "the Project Raven team hacked into the accounts of human rights activists, journalists and rival governments," Reuters reported.
Court documents released by the US federal court in Washington, DC on Tuesday reveal that the three men admitted to "hacking into computer networks in the United States and exporting sophisticated cyber intrusions tools without gaining required permission from the US government."
As part of a deal with federal authorities to avoid prosecution, including their admissions of their actions, the three have agreed to pay a combined $1.69 million, as well as give up their US and foreign security clearances. In addition, the three now will be unable to apply for any jobs wherein they would have to be cleared for US security secrets.
"Hackers-for-hire and those who otherwise support such activities in violation of US law should fully expect to be prosecuted for their criminal conduct," said Acting Assistant Attorney General Mark J. Lesko for the Justice Department's National Security Division in a statement.
"This is a clear message to anybody, including former US government employees, who had considered using cyberspace to leverage export-controlled information for the benefit of a foreign government or a foreign commercial company," said Assistant Director Bryan Vorndran of the FBI's Cyber Division in a statement. "There is risk, and there will be consequences."
A former US National Security Agency analyst who worked on Project Raven named Lori Stroud acted as a whistleblower on the case, and said she was pleased to see the charges.
"The most significant catalyst to bringing this issue to light was investigative journalism - the timely, technical information reported created the awareness and momentum to ensure justice," she said.
The group admitted to using a cyberweapon named KARMA, which they used to gain access to specific individuals' "login credentials and other authentication tokens (i.e., unique digital codes issued to authorized users) issued by US companies, including email providers, cloud storage providers, and social media companies. CIO employees then used these access devices to, again without authorization, log into the target's accounts to steal data, including from servers within the United States," according to court documents. This was done without authorization.
The program is a "sophisticated 'zero-click' computer hacking and intelligence gathering systems," which doesn't require a target to do any action, like click on a malicious link.
KARMA allowed unauthorized access to tens of millions of smart phones and mobile devices, according to the court documents. The ex-intelligence operatives did not have clearance or permission to sell this tool to the UAE.