Ex-US intelligence officers admit hacking for UAE

a tall building in a city: Prosecutors say the men carried out hacking for the UAE without obtaining the required US licences

© Reuters
Prosecutors say the men carried out hacking for the UAE without obtaining the required US licences

Three former US intelligence operatives have admitted to breaking US laws by carrying out hacking operations for the United Arab Emirates.

US prosecutors said the men had agreed to pay $1.7m (£1.2m) to resolve charges of computer fraud, access device fraud and violating export controls.

They worked for an unnamed UAE-based firm and allegedly hacked into servers, computers and phones around the world.

There was no immediate comment from the men or Emirati officials.

Earlier this year, the UAE was accused of using malware from the Israeli company NSO Group to spy on journalists, dissidents and rival governments.

The US justice department said the former intelligence officers – US citizens Marc Baier and Ryan Adams, and former US citizen Daniel Gericke – initially worked for a US company that provided cyber services to a UAE government agency in compliance with the International Traffic in Arms Regulations (ITAR).

The regulations require companies to obtain pre-approval from the US government prior to releasing information regarding a hacking operation and to agree not to target US citizens and permanent residents or US entities.

In 2016, the three men joined the UAE-based company as senior managers and began carrying out hacking operations for the benefit of the UAE government without obtaining the required licences from the US, according to the justice department.

Over the next three years, it alleged, they supervised the creation of two similar sophisticated “zero-click” computer hacking and intelligence gathering systems – “Karma” and “Karma 2” – that could compromise a device without any action by the target and allowed users to access tens of millions of devices made by a US technology company that was not identified.

The justice department said employees of the company had leveraged the systems to illegally obtain and use credentials for online accounts issued by US companies, and to obtain unauthorised access to computers and mobile phones around the world, including in the US.

“Hackers-for-hire and those who otherwise support such activities in violation of US law…