The U.S. Drug Enforcement Administration (DEA) did not buy hacking tools from malware company NSO Group because the product was too expensive, according to emails between the two organizations obtained by Motherboard.
The emails show how NSO aggressively tried to work with the DEA several years ago after meeting with the agency and having several conversations. NSO is a highly controversial company, with clients in Mexico and the United Arab Emirates using the tools against journalists, dissidents, and political opponents.
"Thank you for your continued interest in establishing a relationship with our agency," an August 2014 email from an unnamed DEA employee to representatives for NSO reads. "Unfortunately, due to the high cost associated with the initial test and the approximate cost of the overall system I don't think that it is within our current budgetary parameters to pursue," the email continued. Motherboard obtained the emails through a Freedom of Information Act (FOIA) request with the DEA.
The email came after employees of the DEA met with NSO and received a presentation of the product, which senior DEA staff seemed impressed by.
Do you have documents related to NSO Group, or other information about the company? We'd love to hear from you. Using a non-work phone or computer, you can contact Joseph Cox securely on Signal on +44 20 8133 5190, Wickr on josephcox, OTR chat on firstname.lastname@example.org, or email email@example.com.
"Thank you […] for the presentation yesterday. The product is exciting and I see significant potential," W. Bond Wells, Jr., who was the deputy assistant administrator, director, office of special intelligence at the DEA at the time, wrote in an email.
NSO's offering includes powerful exploits for remotely breaking into iPhone and Android devices. The product then installs malware on the target phone, which can extract the content of messages before they are encrypted, track a phone's location, and much more. Recently, WhatsApp patched a vulnerability that NSO exploited to install malware on devices just by phoning a target. Motherboard previously reported on a demo of NSO's product that infected an at-the-time up-to-date iPhone without needing the target to click a link.
NSO was keen to get these sorts of capabilities into the hands of the DEA, according to the emails.
"Thank you for taking the time to attend the meeting," one email from NSO to the DEA reads. "Having been in many meeting [sic] worldwide, I can tell we made the right choice coming to USA last as the level of sophistication needed by your organization requires only a battle tested product," the email continues before the next section being redacted.
According to internal NSO documents obtained by the New York Times, Mexico paid NSO over $15 million for three projects over three years.
"The product is exciting and I see significant potential."
Many of the communications are not coming from NSO directly, but through Westbridge Technologies, the U.S. sales arm of NSO. As Motherboard previously reported, at one point Westbridge was trying to acquire at least one U.S. company because of its sales team's connections to the U.S. government.
"I wanted to circle back and ask you if you could connect us with your colleagues as you've mentioned, as we would like to meet with them and get a better understanding of your requirements so we can send you a POC [proof of concept]," a July 2014 NSO email to the DEA reads.
Mary Brandenberger, chief of the DEA's National Media Affairs Section, wrote in an email "I cannot address our internal contracting process."
In 2012, the DEA signed a contract worth $2.4 million with Hacking Team, a company in the same industry as NSO. As Motherboard previously reported, the DEA used Hacking Team’s malware in only 17 occasions in Colombia, as the agency itself disclosed in a letter to Senator Chuck Grassley.
Omri Lavie, co-founder of NSO, told Motherboard "I know the document and I can’t comment" when asked about the DEA email turning down NSO.
"Good luck with another story about nothing," he added.
Motherboard has uploaded the DEA emails here.
Lorenzo Franceschi-Bicchierai contributed reporting.
Update: This piece has been updated with comment from the DEA.
Subscribe to our new cybersecurity podcast, CYBER.