8/31/2013, "The NSA hacks other countries by buying millions of dollars' worth of computer vulnerabilities," Washington Post, Brian Fung
"Like any government agency, the NSA hires outside companies to help
it do the work it's supposed to do. But an analysis of the intelligence
community's black budget reveals that unlike most of its peers, the
agency's top hackers are also funneling money to firms of dubious origin
in exchange for computer malware that's used to spy on foreign
This year alone, the NSA secretly spent more than
$25 million to procure "'software vulnerabilities' from private malware
vendors," according to a wide-ranging report on the NSA's offensive work
by the Post's Barton Gellman and Ellen Nakashima.
as Microsoft already tell the government about gaps in their product
security before issuing software updates, reportedly to give the NSA a chance
to exploit those bugs first. But the NSA is also reaching into the
Web's shadier crevices to procure bugs the big software vendors don't
even know about — vulnerabilities that are known as "zero-days."
Just who might the NSA be paying in this covert marketplace?
One of the most famous players in the arena is Vupen, a French company that specializes in selling zero-day exploits. A 2011 brochure
made public on WikiLeaks showed Vupen boasting that it could "deliver
exclusive exploit codes for undisclosed vulnerabilities discovered
in-house by Vupen security researchers.
"This is a reliable
and secure approach to help [law enforcement agencies] and
investigators in covertly attacking and gaining access to remote
computer systems," the brochure continued. To take
advantage of the service, governments can purchase an annual
subscription. The subscription comes with a number of "credits" that are
spent on buying zero-day exploits; more sophisticated bugs require more
In 2012, Vupen researchers who discovered a bug
in Google Chrome turned down the chance to win a $60,000 bounty from
the search giant, presumably in order to sell the vulnerability to a
higher bidder. The company announced earlier this month that it would be
opening an office in the same state as the NSA's headquarters in Fort
Expanding the team, the biz, the pwn: VUPEN to open a US office in Maryland soon. We'll be hiring researchers (TS/SCI-cleared) #CNO #CNA— VUPEN Security (@VUPEN) August 6, 2013"
WikiLeaks identified a total of nearly 100 companies participating in
the electronic surveillance industry worldwide, though not all of them
are involved in the sale of software vulnerabilities.
Zero-days are particularly effective weapons that can sell for up to hundreds of thousands of dollars each.
market for these exists in a legal gray area. Beyond that, it's still
unclear whether the NSA is actually drawing on black-market sources to
bolster its network intrusion capabilities. But would it really surprise
any of us if it were?"