Tag Archive for: uae

US company tied to iPhone hacking tool deployed by UAE in 2016

/in


In 2016, an iPhone exploit was purchased and deployed by the United Arab Emirates in a surveillance campaign targeting dissidents, activists, foreign leaders and other persons of interest. A new report claims an American company developed and sold the hack.

Citing sources familiar with the matter, the MIT Technology Review on Wednesday reports U.S. cybersecurity firm Accuvant developed and sold an iMessage exploit to American mercenaries working for the UAE. The vulnerability was the primary tool in Abu Dhabi’s “Karma” espionage program and was reportedly used against hundreds of targets.

How the iMessage attack vector worked is unclear, but Accuvant sold the same exploit to a number of companies, the report says. The firm marketed similar solutions to the U.S. government and other countries before being assimilated by Optiv, a cybersecurity firm that no longer focuses on the development of hacks.

Interestingly, two Accuvant alumni went on to found Grayshift, the firm responsible for the GrayKey iPhone forensics tool that was once a favorite of law enforcement agencies.

More details in the “Karma” case were aired by the U.S. Justice Department on Tuesday, though Accuvant goes unmentioned in the release. According to the DOJ, the exploit sale involved former American intelligence community and military personnel who later assisted in the UAE’s hacking operation in violation of U.S. law. At least three members of the group continued to work for the sovereign nation after being notified that their actions were classified as a “defense service” and required a license from the State Department’s Directorate of Defense Trade Controls. The mercenaries were fined more than $1.68 million for providing hacking-related services to a foreign nation without State Department permission.

“This agreement is the first-of-its-kind resolution of an investigation into two distinct types of criminal activity: providing unlicensed export-controlled defense services in support of computer network exploitation, and a commercial company creating, supporting and operating systems specifically designed to allow others to access data without authorization from computers worldwide, including in the United…

Source…

ExpressVPN stands behind CIO named in UAE hacking scandal

/in


ExpressVPN said it plans to stand by its CIO after Daniel Gericke was named by the U.S. Department of Justice as one of three people who were fined for allegedly providing “hacking-related services” to the government of the United Arab Emirates.

In an announcement earlier this week, the DOJ said that Gericke, 40, Marc Baier, 49, and Ryan Adams, 34, would be paying out fines adding up to $1.68 million in a deferred prosecution agreement (DPA) that settles charges related to their work for an unnamed company that contracted with the UAE government to provide state-sponsored hacking services.

According to the DOJ’s complaint, the trio and their company had contracted with the UAE government between 2015 and 2019 to break into accounts owned by targeted individuals and companies under the brand name “DarkMatter.”

According to the complaint, the accounts were from an unnamed vendor of smartphones and operating systems. Some of those targeted were U.S. citizens or companies based in the U.S.

“These services included the provision of support, direction and supervision in the creation of sophisticated ‘zero-click’ computer hacking and intelligence gathering systems — i.e., one that could compromise a device without any action by the target,” the DOJ said.

“[DarkMatter] employees whose activities were supervised by and known to the defendants thereafter leveraged these zero-click exploits to illegally obtain and use access credentials for online accounts issued by U.S. companies, and to obtain unauthorized access to computers, like mobile phones, around the world, including in the United States.”

As part of the deal, the three did not have to admit to any wrongdoing, but will have to pay the fines (Gericke’s share was $335,000) and agree to restrictions on “future activities and employment.”

We’ve known the key facts relating to Daniel’s employment history since before we hired him, as he disclosed them proactively and transparently with us from the start. In fact, it was his history and expertise that made him an invaluable hire for our mission to protect users’ privacy and security.
ExpressVPNCorporate statement

In Gericke’s case, those restrictions do not…

Source…

3 ex-U.S. intelligence operatives admit to hacking for UAE

/in


Sept. 15 (UPI) — Three former U.S. intelligence and military operatives have admitted to being hired by the United Arab Emirates for whom they committed sophisticated cybercrimes for, the Justice Department said.

In a statement published Tuesday, the Justice Department said the three mercenary hackers Marc Baier, 49, Ryan Adams, 34, and Daniel Gericke, 40, agreed to pay $1.685 million to resolve the department’s investigation into their alleged crimes of violating U.S. export control, computer fraud and access devices fraud laws.

According to court documents, the trio used “illicit, fraudulent and criminal means,” including hacking systems, to gain unauthorized access to protected computers in the United States and elsewhere to steal information, material, documents, records, data and personal identifying information for the UAE.

Prosecutors said the three men lacked the proper license from the U.S. government to conduct this sort of work, which they continued to do despite receiving repeated warnings.

According to the agreement to drop the charges, the men admit responsibility for their actions and agree to cooperate with the United States, accept employment restrictions and pay the monetary penalty. Baier is to pay $750,000, Adams $600,00 and Gericke $335,000, it said.

Court documents said that after leaving the military, the men began working for an unnamed U.S. company that provided cyber services to a UAE government agency in compliance with U.S. rules. However, in January 2016 the defendants joined an unnamed UAE company as senior managers of a team called Cyber Intelligence-Operations.

Between January 2016 and November 2019, the three men and other employees at the company “expanded the breadth and increased the sophistication” of the hacking operations they provided the UAE, including creating two zero-click hacks named KARMA and KARMA 2 to infect devices without the users interacting with the malware, according to prosecutors.

The operations “leveraged servers in the United States belonging to a U.S. technology company … to obtain remote, unauthorized access to any of the tens of millions of smartphones and mobile devices utilizing” a unnamed U.S. company’s…

Source…

Text Size – Zawya.com

/in

Dubai, October 18, 2009: The Emirates Institution for Advanced Science & Technology (EIAST) and the UAE Telecommunications Regulatory Authority (TRA) UAE Telecommunications Regulatory Authority (TRA) have signed a Memorandum of Understanding (MoU) to …

Read more