DEA spending millions on spyware from foreign cyber vendors – report

Reuters / Eduardo Muno
Drug cops in the United States have spent over $2 million on sophisticated surveillance equipment sold to authorities through a front company secretly acting on behalf of infamous Italian cyber vendors, a new report reveals.

The results of an investigation published on Wednesday this week link the US Drug Enforcement Agency, as well as the US Army, to spyware from the Milan-based Hacking Team—a 12-year-old “offensive security” firm that has sold surveillance tools to countries with the worst human rights records on the planet. Together, contracts for the technology between the agencies and a mysterious contractor in Maryland amount to roughly $2.6 million.

According to journalists at Vice’s Motherboard and investigators at Privacy International, a UK-based human rights watchdog, public records and sources familiar with the deal confirm that Hacking Team sold its hallmark surveillance tools to the DEA and the Pentagon through Cicom USA of Annapolis, MD.

The spyware that was sold to the US government is Hacking Team’s Remote Control System, or RCS, which is marketed by its manufacturers as an “effective, easy-to-use offensive technology” that it provides to “worldwide law enforcement and intelligence communities.” Leaked operational manuals published last year by the Intercept revealed the systems exploit vulnerabilities in desktop and mobile operating systems in order to covertly take control of a target’s computer, and discreetly eavesdrop on web clicks and keystrokes. The malware infects a computer either through physical implantation or an online attack, and if successfully deployed it can intercept the likes of supposedly encrypted Skype chats and browsing history.

“The company claims that their product not only relays what is happening on a target’s computer, but also enables surveillance of anything occurring within the range of the computer’s internal camera or microphone,” said Privacy International.

Experts say Hacking Team’s high-tech spyware has been sold to Uzbekistan, Saudi Arabia and Sudan – “the worst of the worst” in terms of freedom and liberty, according to Freedom House's 2015 Freedom in the World index. Despite the company’s systems having been tied to deployments in at least 21 countries, according to security experts, Hacking Team has consistently chosen to “neither confirm nor deny” allegations about the identity of its clients. Nevertheless, CEO David Vincenzetti told an Italian newspaper in 2011 that his products were sold throughout “All of Europe, but also the Middle East, Asia, United States of America.”

“We don’t identify our clients. I’m certainly not going to comment whether the DEA or anyone else has purchased Hacking Team software,” Eric Rabe, a spokesperson for Hacking Team, told Motherboard for this week’s report.

Cicom’s general manager didn’t respond to requests for comment from Motherboard, but the outlet noted the firm shares the same mailing address as Hacking Team’s US office. A phone number previously listed on the Hacking Team official website now belongs to Cicom, Motherboard added, and those same digits also appear on DEA contracts for the surveillance devices.

“I don’t know about why that would be a coincidence,” Rabe told Motherboard when asked about the connection.

While neither Cicom nor Hacking Team would confirm or deny the latest allegations, a six-month investigation that culminates in this week’s reports adds new credence to previous claims about the cyber vendor’s contracts with the US, including Vincenzetti’s rare 2011 admission. At the same time, though, it also raises questions about the decisions of the Army and DEA to indirectly purchase spy tools linked to surveillance operations abroad, where activists and journalists are routinely targeted.

“You cannot stop your targets from moving. How can you keep chasing them? What you need is a way to bypass encryption, collect relevant data out of any device, and keep monitoring your targets wherever they are, even outside your monitoring domain,” reads a Hacking Team-produced brochure for its RCS.

Documents unearthed by Motherboard and published this week in tandem with the release of Privacy International’s 60-page report show that the US Army purchased an RCS from Italy through Cicom in March 2011 in a deal involving $350,000 worth of software. One year later, the DEA said it was going to “solicit and negotiate” a contract with Cicom for at least four years after announcing weeks earlier that the agency would be searching for new surveillance tools. According to Motherboard, the DEA contract is valued at $2.4 million.

A division of the US Department of Justice, the DEA has jurisdiction internationally in anti-drug trafficking operations waged by the US abroad. The details don’t point to the use of any surveillance tools by the Army or DEA on US soil. However, the revelations come soon after recent disclosures concerning the drug agency’s vast, previously unreported surveillance programs, including those functioning domestically. In January, the Wall Street Journal reported the DEA has been using license plate reader technology to build a database for federal and local authorities containing the real-time movements of potentially millions of vehicles on American roads. According to that investigation, the DEA has spent years expanding the database to include vehicles traveling “throughout the United States.”

This month, USA Today reported the DEA has been secretly collecting the phone records of millions of Americans since 1992—well before the terrorist attacks of September 11, 2001 and the subsequent approval of national security provisions, which later legalized some of those surveillance operations.

“Hacking software is yet another example of a technology created for the intelligence community that has secretly trickled down to law enforcement,” Christopher Soghoian, the principal technologist at the American Civil Liberties Union, told Motherboard about the latest revelations. “And given how powerful this spyware can be,” Soghoian added, “we need a public debate over this invasive surveillance technology.”

Motherboard said that the section chief of the DEA Office of Investigative Technology did not respond to a message requesting comment.