In 2016, an iPhone exploit was purchased and deployed by the United Arab Emirates in a surveillance campaign targeting dissidents, activists, foreign leaders and other persons of interest. A new report claims an American company developed and sold the hack.
Citing sources familiar with the matter, the MIT Technology Review on Wednesday reports that U.S. cybersecurity firm Accuvant developed and sold an iMessage exploit to American mercenaries working for the UAE. The vulnerability was the primary tool in Abu Dhabi’s “Karma” espionage program and was reportedly used against hundreds of targets.
How the iMessage attack vector worked is unclear, but Accuvant sold the same exploit to a number of companies, the report says. The firm marketed similar solutions to the U.S. government and other countries before being assimilated by Optiv, a cybersecurity firm that no longer focuses on the development of hacks.
Interestingly, two Accuvant alumni went on to found Grayshift, the firm responsible for the GrayKey iPhone forensics tool that was once a favorite of law enforcement agencies.
More details in the “Karma” case were aired by the U.S. Justice Department on Tuesday, though Accuvant goes unmentioned in the release. According to the DOJ, the exploit sale involved former American intelligence community and military personnel who later assisted in the UAE’s hacking operation in violation of U.S. law. At least three members of the group continued to work for the sovereign nation after being notified that their actions were classified as a “defense service” and required a license from the State Department’s Directorate of Defense Trade Controls. The mercenaries were fined more than $1.68 million for providing hacking-related services to a foreign nation without State Department permission.
“This agreement is the first-of-its-kind resolution of an investigation into two distinct types of criminal activity: providing unlicensed export-controlled defense services in support of computer network exploitation, and a commercial company creating, supporting and operating systems specifically designed to allow others to access data without authorization from computers worldwide, including in the United…