NSA Paid French Hacker Company For Software Exploits, Contract Reveals

The Citizen's Guide to the Future
Sept. 17 2013 4:56 PM

NSA Paid French Hacker Company For Software Exploits, Contract Reveals

Member of European Parliament Marietje Schaake

Photo byy Sebastiaan ter Burg via Wikimedia Commons

France is one of several countries in Europe whose people have been outraged by revelations about the National Security Agency’s surveillance programs. But it turns out that a French company has quietly bolstered the NSA’s capabilities.

According to a contract newly released in response to a Freedom of Information request, last year the NSA purchased a 12-month subscription to a “binary analysis and exploits service” sold by Vupen, a company based in Montpelier, France. These exploits, sometimes described as “zero days,” are complex codes custom-written by hackers to target undisclosed security weaknesses in widely used operating systems like Windows and software programs like Google Chrome, Internet Explorer, Java, and Flash. A spy agency can use exploits to help infiltrate targets’ computers in espionage operations or to strengthen its own computer networks as part of cybersecurity efforts.

It is unclear how much money the NSA spent on the Vupen exploits package because the cost has been redacted in the released contract. Vupen CEO Chaouki Bekrar declined to answer questions about his deal with the NSA, but told me in an emailed statement that his company’s binary analysis and exploits service includes “highly technical documentation and private exploits written by Vupen’s team of researchers for critical vulnerabilities affecting major software and operating systems.” Bekrar added that the aim of the service was to “to allow customers protect their systems against sophisticated attacks.”


It seems possible that the NSA purchased the Vupen service for defensive reasons, with the purpose being to secure U.S. government infrastructure from adversaries. However, the NSA is believed to use zero days in offensive hacking operations, too. A Washington Post scoop in August detailed how the NSA has apparently turned to exploits as part of its covert attempts to spy on foreign computer networks. The Post reported that the NSA designs most of its own “implants” used for this purpose, but set aside $25.1 million in 2013 for “additional covert purchases of software vulnerabilities” from private providers.

Internationally, the zero-day marketplace is growing and largely unregulated. Many of the larger sellers are based in the United States, and reportedly include companies such as Raytheon, Endgame Systems, Harris Corp., and Northrop Grumman. But the market is also burgeoning in Europe, with Vupen leading the field. As I reported here back in January, Vupen’s latest financial accounts show that it generated revenue of about $1.2 million in 2011, 86 percent of which was earned from exports outside France.

Lawmakers in Europe, concerned about how the technology could be abused if in the wrong hands, are pushing for the introduction of new restrictions that would limit sales. Last week, Dutch Member of the European Parliament Marietje Schaake argued that Europe should take the lead in reining in the industry.  “We must end the export and proliferation of digital arms now,” Schaake said. “We have to close the regulatory vacuum, and that includes curbing the trade in zero-day exploits.”

Future Tense is a partnership of SlateNew America, and Arizona State University.

Ryan Gallagher is a journalist who reports on surveillance, security, and civil liberties.



The World’s Politest Protesters

The Occupy Central demonstrators are courteous. That’s actually what makes them so dangerous.

The Religious Right Is Not Happy With Republicans  

The XX Factor
Oct. 1 2014 4:58 PM The Religious Right Is Not Happy With Republicans  

How Did the Royals Win Despite Bunting So Many Times? Bunting Is a Terrible Strategy.

Catacombs Where You Can Stroll Down Hallways Lined With Corpses

Homeland Is Good Again! For Now.


Operation Backbone

How White Boy Rick, a legendary Detroit cocaine dealer, helped the FBI uncover brazen police corruption.


How Even an Old Hipster Can Age Gracefully

On their new albums, Leonard Cohen, Robert Plant, and Loudon Wainwright III show three ways.

The One Fact About Ebola That Should Calm You: It Spreads Slowly

Piper Kerman on Why She Dressed Like a Hitchcock Heroine for Her Prison Sentencing

Trending News Channel
Oct. 1 2014 1:25 PM Japanese Cheerleader Robots Balance and Roll Around on Balls
  News & Politics
Oct. 1 2014 6:41 PM The World’s Politest Protesters The Occupy Central demonstrators are courteous. That’s actually what makes them so dangerous.
Oct. 1 2014 2:16 PM Wall Street Tackles Chat Services, Shies Away From Diversity Issues 
Oct. 1 2014 6:02 PM Facebook Relaxes Its “Real Name” Policy; Drag Queens Celebrate
  Double X
The XX Factor
Oct. 1 2014 5:11 PM Celebrity Feminist Identification Has Reached Peak Meaninglessness
  Slate Plus
Behind the Scenes
Oct. 1 2014 3:24 PM Revelry (and Business) at Mohonk Photos and highlights from Slate’s annual retreat.
Brow Beat
Oct. 1 2014 6:39 PM Spoiler Special: Transparent
Future Tense
Oct. 1 2014 6:59 PM EU’s Next Digital Commissioner Thinks Keeping Nude Celeb Photos in the Cloud Is “Stupid”
  Health & Science
Oct. 1 2014 4:03 PM Does the Earth Really Have a “Hum”? Yes, but probably not the one you’re thinking.
Sports Nut
Oct. 1 2014 5:19 PM Bunt-a-Palooza! How bad was the Kansas City Royals’ bunt-all-the-time strategy in the American League wild-card game?