Optiv’s spokesperson, Jeremy Jones, wrote in an email that his company “fully cooperated with the Department of Justice” and that Optiv “is not the subject of this investigation.” That’s right: the subject of the investigation are three former US intelligence and military personnel who worked illegally with the UAE. However, Accuvant’s role as exploit developer and vendor was significant enough to be detailed in the Department of Justice court filings.
The iMessage exploit was the primary weapon in an Emirati program called Karma, which was run by DarkMatter, an organization that presented itself as a private company but actually served as a de facto spy agency for the United Arab Emirates.
Reuters mentioned Exploiting the presence of Karma and iMessage in 2019. But on Tuesday, the United States fined Three former US intelligence and military personnel $1.68 million for their unauthorized work as mercenary hackers in the UAE. This activity involved purchasing the Accuvant tool and then directing UAE-funded hacking campaigns.
US court documents indicated that the exploits were developed and sold by US companies, but did not name the hacking companies. Accuvant’s role has not yet been reported.
“The FBI will fully investigate individuals and companies that profit from illegal criminal cyber activity,” Brian Forendran, assistant director of the FBI’s Internet division, said in a statement. “This is a clear message to anyone, including former US government employees, who has considered using cyberspace to take advantage of export-controlled information for the benefit of a foreign government or foreign trading company — there are risks, and there will be consequences.”
Prolific exploit developer
with help American Partnership, Experience and MoneyOver the course of several years, DarkMatter has built the offensive hacking capabilities of the UAE from virtually nothing to a massive and active operation. The group has spent huge sums hiring American and Western hackers to develop and sometimes direct the country’s cyber operations.
At the time of the sale, Accuvant was a small research and development lab based in Denver, Colorado, specializing in and selling iOS exploits.
“The FBI will fully investigate individuals and companies that profit from illegal criminal cyber activity. This is a clear message to anyone…there are risks, and there will be consequences.”
Brandon Forendran, FBI
A decade ago, Accuvant earned a reputation as a prolific exploit developer working with the largest US military contractors and selling bugs to government clients. In an industry that usually values the symbol of silence, the company has caught the attention of the public from time to time.
Journalist David Kushner wrote in 2013 Company Profile In Rolling Stone. He said it was the kind of company, “capable of creating custom software that can go into external systems and gather intelligence or even shut down a server, where they can get up to a million dollars.”
Optiv has largely exited the hacking industry after a series of mergers and acquisitions, but the Accuvant alumni network is strong – and it’s still working to exploit the vulnerabilities. Two high-profile employees went to Grayshift, an iPhone hacking company He is known for his skills in unlocking devices.
Accuvant has sold hacking exploits to numerous clients in both governments and the private sector, including the US and its allies — and this exact iMessage exploit was also simultaneously sold to several other clients, MIT Technology Review has learned.
Disadvantages of iMessage
The iMessage exploit is just one of the many serious flaws in the messaging app that have been discovered and exploited over the recent years. iPhone 2020 Update Shipped With Complete Package rebuild from iMessage security in an effort to make targeting more difficult.