Documents show the Canadian military paid thousands of dollars to one of the world's most infamous cyber security firms at least twice.
Although the military says the money is merely a subscription fee for emailed reports, online security specialists believe that money may have given Canada's military hackers access to backdoors and security flaws in commercial software and hardware.
Two contracts between Canada's Department of National Defense and VUPEN Security, one for $6,300 and the other for $7,600, were published on a Canadian government website. The deals with VUPEN, a now-defunct vendor of "zero-day vulnerabilities," date back to 2009 and 2010, but DND confirmed its dealings with the company ended in August 2011. The contracts are described on the government tendering website as "software" acquisitions.
DND confirmed it signed the contracts that bought them access to VUPEN's exploit and vulnerability reports.
"The contract was set up as an email-based subscription vulnerability reporting service to receive timely and collated threat, vulnerability and exploit advisories addressing information technology vulnerabilities," said DND spokesperson Matthew Lacroix.
Canada's Department of Defense also oversees Communications Security Establishment — Canada's signals intelligence agency, which is also the lead agency on cyber security — although it denies that the CSE was given access to VUPEN's intelligence products.
CSE refused to comment.
"CSE can neither confirm nor deny any details about security information sources or reporting," said an unnamed spokesperson in an emailed statement.
The NSA was also a customer of the company, according to documents obtained by transparency site MuckRock.
The company — founded in Montpellier, France, but which later opened offices in Maryland — dissolved in 2015.
VUPEN, according to the company's website, which has since been taken offline, was "the world leader in vulnerability research," and "provides extremely sophisticated and government-grade 0-day exploits specifically designed for the Intelligence and [law enforcement agency] community to help them achieve their offensive cyber operations using tailored and exclusive codes created in-house by VUPEN researchers."
One of the company's co-founders, Chaouki Bekrar, began Zerodium shortly thereafter, which continues much of the same work. The new company has quickly earned a reputation in the online security world, most notably for paying a $1 million bounty for hacking an iPhone.
Bekrar has embraced the company's image as the bad guys of cyberwarfare, even using a Darth Vader image as his social media display picture. In the past, privacy activist and academic Chris Soghoian labelled VUPEN a "modern-day merchant of death," making sales to intelligence agencies for "the bullets for cyberwar."
The Canadian-purchased security reports were destined for the Leitrim military base, according to the documents. Leitrim is the top secret signals intelligence gathering station on the outskirts of Ottawa. According to the contract, DND was also given "exclusive rights" to the product, a notable provision given the exclusivity typically attached to sales of such software to intelligence agencies.
But this may not be as simple as the Canadian government trying to stay up-to-date on the latest trends. VUPEN is known for very specific services.
"VUPEN [sold] subscriptions and in those subscriptions they may have the availability of zero-day exploits," one hacker and cyber security consultant, who goes by the moniker Darknet J, told VICE News.
Zero-day vulnerabilities are unpatched software bugs, unknown to vendors or consumers, that can make it easy to compromise the hardware or software of a target device.
Exploiting a zero-day, for example, could allow a hacker to access an iPhone or a laptop and install malware to steal information or surveil the user. Experts and privacy hawks argue that zero-days should be disclosed to companies rather than weaponized by spy agencies, especially for widely used technology.
VUPEN was particularly known for offering zero-days, while Zerodium now acts solely as a broker, buying zero-day exploits from security researchers and selling them on to its customers.
The type of information these firms sell to clients could include everything from lists of recently discovered software vulnerabilities, like the famous Heartbleed bug, to newly minted exploits for infiltrating computer systems.
And while the $14,000 price tag might not seem like much, it can buy a lot of information. A list published last year by Zerodium shows how prices range for exploits — the more significant the software, the pricier the bug. Browser exploits for things like Chrome or Safari draw as much as $100,000, whereas a WordPress exploit could cost up to $5,000.
The exploits are highly valuable to nation-state intelligence agencies looking for intrusion tools against high value targets. The sophisticated malware known as Stuxnet used up to five zero-day exploits as it took out an Iranian nuclear reactor. The hack is considered a watershed moment in cyberwarfare, when digital weapons finally hit real critical infrastructure.
Computer security company Trend Micro has led the way by creating a system of responsible disclosure called the Zero Day Initiative, which allows cybersecurity researchers to profit from zero-day vulnerabilities while disclosing them to the affected companies.
Follow Ben Makuch on Twitter: @BMakuch