The Drug Enforcement Administration is in the hacking business. As a Motherboard investigation previously found, the DEA purchased malware from Italian surveillance vendor Hacking Team as early as 2012.
Newly released documents show the DEA was invoiced for another Hacking Team service too though: access to a cache of zero-day exploits.
"Exploit Portal Full Access (Zero-Day level)," an item in an October 2012 invoice from Cicom USA, Hacking Team's US subsidiary, to the DEA, reads. Motherboard obtained the document via the Freedom of Information Act.
So-called zero-day exploits are attacks that rely on vulnerabilities unknown to the vendor of the affected software; that is, the vendor has had zero days to fix them. Hacking Team offered these sorts of exploits to be used in conjunction with its Remote Control System (RCS) malware, theoretically making infection of a target that much easier.
Judging by the DEA invoice, these exploits included zero-days present in common file formats. A 2011 Hacking Team document describing the company's portal points to formats such as Adobe PDFs, and Microsoft Powerpoint and Word documents. The portal allegedly always contains at least three zero-day exploits, the document adds.
As Motherboard previously reported, Hacking Team sourced its zero-day exploits from a variety of companies and individuals.
The October 2012 invoice, which includes access to the zero-day portal, was for a total of $575,000. Public records show the DEA signed a definitive contract with Cicom USA, Hacking Team's US subsidiary, for $575,000 in August 2012.
But it's not clear whether the DEA tried to take advantage of any zero-day exploits, and the agency implied it was not particularly successful with Hacking Team's solution.
Since 2012, the DEA deployed RCS on 17 targets, with only "one successful instance of remote deployment," according to a 2015 letter from the DEA to US Senator Chuck Grassley.
Subscribe to Science Solved It, Motherboard's new show about the greatest mysteries that were solved by science.