In 2016, an iPhone exploit was purchased and deployed by the United Arab Emirates in a surveillance campaign targeting dissidents, activists, foreign leaders and other persons of interest. A new report claims an American company developed and sold the hack.
Citing sources familiar with the matter, the MIT Technology Review on Wednesday reports U.S. cybersecurity firm Accuvant developed and sold an iMessage exploit to American mercenaries working for the UAE. The vulnerability was the primary tool in Abu Dhabi’s “Karma” espionage program and was reportedly used against hundreds of targets.
How the iMessage attack vector worked is unclear, but Accuvant sold the same exploit to a number of companies, the report says. The firm marketed similar solutions to the U.S. government and other countries before being assimilated by Optiv, a cybersecurity firm that no longer focuses on the development of hacks.
More details in the “Karma” case were aired by the U.S. Justice Department on Tuesday, though Accuvant goes unmentioned in the release. According to the DOJ, the exploit sale involved former American intelligence community and military personnel who later assisted in the UAE’s hacking operation in violation of U.S. law. At least three members of the group continued to work for the sovereign nation after being notified that their actions were classified as a “defense service” and required a license from the State Department’s Directorate of Defense Trade Controls. The mercenaries were fined more than $1.68 million for providing hacking-related services to a foreign nation without State Department permission.
“This agreement is the first-of-its-kind resolution of an investigation into two distinct types of criminal activity: providing unlicensed export-controlled defense services in support of computer network exploitation, and a commercial company creating, supporting and operating systems specifically designed to allow others to access data without authorization from computers worldwide, including in the United States,” said Acting Assistant Attorney General Mark J. Lesko for the Justice Department’s National Security Division. “Hackers-for-hire and those who otherwise support such activities in violation of U.S. law should fully expect to be prosecuted for their criminal conduct.”
“Karma” was run by DarkMatter, a private Emirati firm that grew to become the UAE’s go-to hacking operation in part through the assistance of U.S. entities. The group has reportedly carried out adversarial attacks on U.S. targets.
Today’s revelations come as Apple’s iOS becomes an increasingly fruitful target for state actors. Most recently, it was discovered that NSO Group’s Pegasus spyware was being used by authoritarian governments to spy on journalists, politicians, activists and other prominent public figures. Apple on Monday patched a vulnerability used by Pegasus to bypass the tech giant’s BlastDoor security sandbox for Messages.