In April, we revealed that the Drug Enforcement Administration had purchased spyware from the controversial Italian surveillance vendor Hacking Team, secretly signing a contract worth $2.4 million in 2012.
But as it turns out, the agency barely used it, and doesn't want it anymore.
Three months later, and after initially staying mum on its relationship with Hacking Team, the DEA finally revealed how it used the technology, which allows its operators to monitor a target's computer or cellphone data, intercepting emails, messages, or Skype calls.
In a in a letter to US Senator Chuck Grassley, who had asked the DEA to give some explanations on how it used Hacking Team's spyware after Motherboard's investigation, the anti-drug agency revealed that it "recently" chose to cancel its contract with the Italian company after spending $927,000 for the spyware and related training.
Despite the hefty sum, the DEA also admitted that it barely used Hacking Team's marquee product Remote Control System (RCS), also known as Galileo.
DEA deployed RCS on the devices of a total of 17 "foreign-based drug traffickers and money launderers."
In fact, since 2012, the DEA deployed RCS on the devices of a total of 17 "foreign-based drug traffickers and money launderers" with only "one successful instance of remote deployment," due to "technical difficulties with the software." In the other 16 cases, they infected the targets through "physical access."
The DEA said that it only used it in "one foreign country" with that country's government's permission—but didn't name the country. Thanks to the emails leaked after the massive breach of Hacking Team, however, we know that country is Colombia.
According to a leaked email, the DEA also bought another interception tool to "receive all the traffic for Colombian's" internet service providers.
Peter J. Kadzik, the assistant attorney general who wrote the letter, which was sent to Grassley on Tuesday, added that the DEA "is not aware of any instances of misconduct or misuse" in the deployment of RCS.
It's unclear exactly when and why the DEA decided to cancel its contract with Hacking Team, but the company tried to extend it in late April of 2015, sending a letter to DEA's contracting officer Lisa Taylor, promising that Hacking Team would "continue to fulfill" the contract until the end of the year. And it appears the contract was still standing in early June, judging from a series of emails sent at the time.
One issue, as hinted in this email, dated April 15, was likely that the DEA did not actually sign the contract directly with Hacking Team, but with its American reseller Cicom USA. And according to leaked emails, Hacking Team ceased working with Cicom earlier this year.
It's possible that now that the company's internal secrets and source code has been exposed, there will be more customers' defections.
The DEA did not respond to a request for comment, and neither did Hacking Team's spokesperson Eric Rabe.
On Friday, we also revealed that the FBI chose not to renew its contract with Hacking Team, leaving the company with no customers in the US. Both the DEA and the FBI severed ties with Hacking Team for reasons not connected to the breach, but it's possible that now that the company's internal secrets and source code has been exposed, there will be more customers' defections.