Three US intelligence operatives have admitted to selling a “zero-click” exploit and other technology to the United Arab Emirates.
According to the Department of Justice, they have agreed to pay $1.7 million in restitution to defer prosecution. This agreement is novel to violations of U.S. export control, computer fraud, and access device fraud laws under the International Traffic in Arms Regulations.
This prosecution is thought to combat a growing trend, highlighted just months ago by the CIA, of foreign governments hiring former U.S. intelligence operatives to bolster their spycraft. The CIA has said that this practice risks exposing information about U.S. secrets.
According to prosecutors, between January 2016 and November 2019, the defendants “expanded the breadth and increased the sophistication” of operations available to the UAE government. According to the Justice Department, they bought exploits to break into computers and mobile devices from companies around the world, including those based in the U.S.
One example was a so-called “zero-click” exploit — which can break into mobile devices without any user interaction — that a defendant bought from an unnamed U.S. company in 2016. These charges were resolved only a day after Apple divulged that it acted to close a zero-day vulnerability (CVE-2021-30860) exploited by NSO Group’s Pegasus spyware to target Bahrain and Saudi Arabia activists.
CybelAngel Asset Discovery and Monitoring provides proactive defense against digital risks by locating vulnerable digital assets before hackers exploit them. Asset Discovery and Monitoring can identify if digital assets are vulnerable to CVEs such as known ‘zero-click” and “zero-day” threats.