
NSA contracted to buy malware from French hacker company

Vupen, a French security company, sells offensive cyberweapons known as zero day exploits.


Curt Hopkins


Posted on Sep 18, 2013   Updated on Jun 1, 2021, 6:13 am CDT

It’s more than necessity that makes strange bedfellows, apparently. It’s also online surveillance. 

Despite France’s flourishes of outrage at the activities of the National Security Agency, the country’s hackers didn’t find the agency nearly so unpalatable as its politicians did. 

A contract that’s come to light with the recent release of documents from a successful Freedom of Information Act request shows that the NSA bought software exploits from a French hacking firm called Vupen, headquartered in Montpellier.

The NSA contracted with Vupen for a year-long “subscription” to zero day exploits, which take advantage of previously unknown vulnerabilities in software and hardware. Knowledge of zero day exploits allows for both defense against their use and offensive use for the purposes of surveillance and data theft.

In 2011, according to leaked documents, the U.S. launched 231 offensive cyber-operations.  Other leaks, reported last week, indicated that the country spends $4.3 billion on such operations.

Vupen CEO Chaouki Bekrar told Slate’s Ryan Gallagher that his company’s services include “highly technical documentation and private exploits written by Vupen’s team of researchers for critical vulnerabilities affecting major software and operating systems.”

The amount paid for this subscription was redacted on the document, and Bekrar did not divulge it, but the company pulled in $1.2 million in 2011—86 percent from non-French clients. 

French investigative hackers at Reflets have had their eye on Vupen for some time, the publication’s Fabrice Epelboin told the Daily Dot. Hacker and Reflets journalist Kitetoa wrote about the group yesterday.

Among his discoveries: Vupen has close ties with the French Army and is deeply involved in the French Army cyber-command’s offensive online initiatives.

“The exploits sold by Vupen,” he said, “can and will backfire, just like Stuxnet, which ended up getting outside the Iranian nuclear project it was supposed to sabotage. This could have serious consequences.”

It may be tempting, with the prominence of Anonymous, the recent request by DEF CON that federal authorities not attend, and the heckling of NSA director Keith Alexander at another hacker con, Black Hat, to imagine hackers and governments as being inherently at odds. That is hardly the case. 

Just as some scientists are concerned with the pure science of their investigations, some hackers are captivated by the challenges of their craft. Still others, of course, are dazzled by gold. 

H/T Slate | Photo by Alberto Gragara/Flickr

*First Published: Sep 18, 2013, 1:22 pm CDT