The DEA Spent $575,000 of Your Tax Dollars on Zero-Day Exploits
The Drug Enforcement Agency (DEA) has been purchasing spyware from the Milan-based Hacking Team and its US subsidiary Cicom USA since 2012. Public records reveal invoices between Cicom USA and the DEA that have ranged between $22,000 to $575,000 from 2012 to 2015.
Hacking Team is known for providing hacking tools to government agencies. In 2015, for example, it was uncovered that the FBI spent $775,000 on Hacking Team's spy tools. The US Army has also purchased around $400,000 worth of spyware from the agency.
Now, newly released documents reveal that the DEA has been spending quite a number of your tax dollars on zero-day exploits.
According to Hacking Team's documents on the RCS Exploit Portal, a zero-day exploit is defined as:
[A] vulnerability not even known by the vendor of the application itself, and no exploit code is available. The latest version of the software is almost always vulnerable, thus making this exploit very effective even against users that update their installed applications frequently.
Hacking Team notes that its Exploit Portal, which the DEA paid $575,000 for full access to, as noted above on page 89 of the 2012 invoice, contains at least three zero-day level exploits. The DEA initiated payment for access to Cicom USA's hacking tools on August 20, 2012.
Since 2012, the DEA has sporadically paid out a number of different invoices to Cicom USA.
In 2015, the DEA ended its contract with Hacking Team and Cicom USA. The agency noted that after signing a contract worth $2.4 million, the DEA had only deployed RCS on the devices of "17 foreign-based drug traffickers and money launderers," according to a 2015 letter where the DEA responded to an inquiry from US Senator Chuck Grassley.
So to recap: The DEA hardly used the exploits, had only one successful instance of actually hacking someone remotely, and had technical difficulties with Hacking Team's software.
That's a whole lot of tax dollars wasted on just one successful hack.