U.S. Company Sold Zero-Click Hacking Tool to UAE Spy Operation

A newly unsealed court filing reveals more links between the UAE's Project Raven hacking operation and U.S. companies.
September 14, 2021, 9:21pm

A U.S. company sold a powerful exploit to a United Arab Emirates company which was involved in the country's hacking operations, including targeting people based in the U.S., according to a newly unsealed court filing.

The news provides more insight into the sale and transfer of hacking tools, and is likely to raise questions of how a U.S. company sold an exploit to another company linked to the targeting of Americans. The filing also provides more context around the UAE's hacking operation. Dubbed Project Raven, the operation included the hiring of former U.S. intelligence hackers who then worked on behalf of the UAE government.

"Between in or around January 2016 and in or around May 2016, defendant BAIER obtained an agreement from U.S. COMPANY FOUR in the United States to provide EXPLOIT ONE (an exploit which provided 'zero-click' remote access to smartphones and mobile devices using certain versions of U.S. COMPANY TWO's operating system) and other computer exploits to U.A.E. CO in exchange for approximately $750,000, and thereafter caused U.A.E. CO to send approximately $1,300,000 via wire transfers from a company controlled by U.A.E. CO," the court filing reads. The court document comes from charges filed against Marc Baier, Ryan Adams, and Daniel Gericke, who worked on Project Raven.

Do you know anything else about the U.S. companies that sold these exploits? We'd love to hear from you. Using a non-work phone or computer, you can contact Joseph Cox securely on Signal on +44 20 8133 5190, Wickr on josephcox, or email joseph.cox@vice.com.

A zero-click exploit is one that requires no user interaction to infect a device. These exploits are particularly sought after because a victim is typically less likely to be aware that they have been targeted. On Tuesday, Apple patched a zero-click vulnerability in iMessage that was being used by clients of government malware vendor NSO Group.

The court filing adds that the defendants implemented the exploit into the UAE's hacking tool, called Karma. After the first exploit was patched, Baier contacted another U.S. company to obtain a second exploit, the filing reads. U.A.E. CO then paid $1,300,000 for this and another computer exploit, the court document adds.

Project Raven's existence and scope were first reported by Reuters in 2019.

Baier, Adams, and Gericke are alleged to have violated the International Traffic in Arms Regulations and conspired to commit access device fraud and computer hacking offenses. In another filing, prosecutors added that they will drop the charges if the three men cooperate with U.S. authorities, pay a financial penalty, and agree to a list of unspecified restrictions on their employment, Reuters reported.

As Reuters reported, Project Raven involved the targeting of the Emir of Qatar, a Nobel Peace laureate human-rights activist in Yemen, and Americans.
