December 26, 2019
Three former U.S. Intelligence and Military agents who have been linked with the deployment of the “KARMA” spyware in the United Arab Emirates have been offered a resolution for the charges of providing hacking-related services to a foreign government, and it’s a hefty payment of $1.68 million. The three men are Marc Baier, 49, Ryan Adams, 34, and Daniel Gericke, 40, all former employees of the USIC, who have agreed to pay the financial penalties, as well as to never engage in similar activities in the future. The amounts to be paid are $750,000, $600,000, and $335,000 respectively.
The first time the particular operation surfaced in the media was back in January 2019, when unnamed U.S. government intelligence operatives agreed to give a series of interviews where they revealed “KARMA” and its ability to spy on iPhone users through click-less and interaction-less attacks targeting iMessage. The anonymous sources claimed that the U.A.E. government was using the particular spyware with the help of U.S. agents to track hundreds of devices belonging to diplomats, activists, foreign agents, and politicians. “KARMA” was presented as capable of transmitting location data, SMS, emails, and even photos stored in the device.
From what has been confirmed now thanks to the DoJ announcement, the involvement of U.S. operatives in the deployment of “KARMA” for the account of the U.A.E. government was true. However, the state puts the whole blame on the intelligence officers for the unlawful activity, confirming that there was no official involvement in the operation. It is noteworthy that the two countries have been enjoying a healthy relationship, and their armed forces have repeatedly engaged in counter-terrorism co-operations in the Middle East. The “KARMA” operation, though, is presented as irrelevant to all that and something that the three agents undertook as a side hustle for personal profit.
In fact, the agents are accused of offering their services to their U.A.E. employers by abusing their access to systems and tools of their previous employer in the U.S., exporting software without obtaining the required license, and even stealthily leveraging U.S.-based servers for the exfiltration of the victim data.
An interesting detail given about “KARMA” is that it worked well against target devices from January 2016 until September 2016. At that point, the vendor updated their OS and plugged the exploited flaw, so “KARMA 2” was created relying on a different exploit. The vendor again fixed the security hole in August 2017, and so the spying operation continued in crippled form as it could only target older devices that weren’t updated to the latest OS version.