Belgacom says alleged GCHQ APT attack cost firm £12 million

News by Doug Drinkwater

One year on from a nation-state APT attack which hit 124 systems at telecom operator Belgacom, the firm has detailed the cost and manpower involved in the clean-up operation.

In September 2013, Belgacom was hit by a suspected Advanced Persistent Threat (APT) attack which, according to leaked documents from NSA whistle-blower Edward Snowden which were published by German newspaper Der Spiegel, was the work of the NSA and UK's own GCHQ. 

The latter reportedly called the project ‘Operation Socialist’ and the leaked slides revealed how the attack was used to target Belgacom subsidiary BICS, a joint venture between Swisscom and South Africa's MTN.

Some mystery still remains around the motive for attacking BICS, although, as it provides wholesale carrier services to mobile and fixed-line telcos globally, including in troubled areas like Syria, some have suggested that agencies could compromise its systems to spy on travelling phone users.

The agencies allegedly used an attack method called ‘quantum injection’ - more commonly known as a Man-in-the-Middle (MiTM) attack - to intercept web traffic and redirect LinkedIn-using Belgacom engineers onto their own servers.

As documented at the time, GCHQ staff allegedly created spoof Belgacom staff LinkedIn pages which were hosted on agency servers. The engineers' machines were then infected with unnamed malware, enabling hackers to gain access to the internal company network.

NSA called its own quantum injection servers ‘FoxAcid’. LinkedIn has continually denied any involvement since the information first came to light.

“The Belgacom employees probably thought nothing was amiss when they pulled up their profiles on LinkedIn,” reported Der Spiegel at the time. “The pages looked the way they always did, and they didn't take any longer than usual to load.”

However, when visiting the FoxAcid server, the engineers' computers were infected with the malware and this, says the German newspaper, “enabled the GCHQ spies to deeply infiltrate the Belgacom internal network and that of its subsidiary BICS, which operates a so-called GRX router system.”

In a surprisingly candid interview published by Belgian website Mondiaal News on Wednesday, the company's head of security and information management, Fabrice Clement, detailed the nature of the attack and a clean-up operation which has cost just under £12 million (€15 million).

He revealed that the company first found the infection in September 2013 – three months after noting an ‘abnormal process on one of our servers’ – and indicated how the APT was both ‘extremely sophisticated’ and ‘very well hidden’.

The malware was installed by a dropper and was encrypted at various different levels. Belgacom hired Dutch firm Fox-IT to forensically investigate in a clean-up operation that involved up to 200 people – including lawyers, engineers and supply chain staff - on 14-15 September 2013. Local law enforcement was also consulted.

In the interview (which is in Dutch), Clement says that a total of 26,000 machines were infected across 124 different systems, including email and SharePoint servers, workstations and PCs. Nearly half of all infected systems were computers and mainly from staff with technical profiles, he added.

Despite this, he says that the perpetrators - who were apparently looking for information on the structure of Belgacom and its networks - only took a few kilobytes' worth of data.

As part of the recovery operation, the firm installed new computers and restored servers. Clement was coy on who was behind the attack, despite Snowden's documents.

UK cyber security expert Alan Woodward, a visiting professor at the University of Surrey's computing department, admits that he's perplexed as to why NSA and GCHQ would want to compromise Belgacom and believes that organised cyber-criminals remain the more likely assailant. “Even if it was a government, why would it be the UK, and not the Chinese or Russians?” he asked when speaking to

Fortunately, Woodward believes that the firm has limited its reputational and financial damage through a number of factors, chief among them a fast response time and the fact that it essentially acts as part of a ‘pseudo-monopoly’ in Belgium's telecommunications market.

Woodward says that the ‘lack of trust’ would have hit the company the hardest, with secure communications essential for all telcos. Nonetheless, he believes that people will not leave the service in large numbers and adds that the close relationship between US technology companies and government on NSA surveillance would have had a bigger impact.

“Are people going to leave in their droves? I suspect not – I think that most people have relatively short memories.”

Adding on the millions lost: “I think they lost less than they might have done, and I think the loss of trust was seen by the technology giant cooperating with national governments on surveillance was a lot more.”

“In Europe, most big companies are in pseudo monopolies so I don't think people are going to suddenly leave in their droves.”

He went on to praise the company for its response and security awareness programme, saying that it couldn't do too much more in response.

IOActive futurologist David Lacey, meanwhile, said that the attack proved that security is a ‘leap of faith’ which often is driven by perception rather than cold hard facts.

“It's an interesting example of how perception, not reality, drives security,” he told SC. “They say there was no business damage and have no idea who did it, why it was done, or what was taken, except that the amount of data involved was small. They've spent a lot of money on security so at least they're better protected now. It reflects the reality that investment in security is a leap of faith rather than a solid business case.”

But Amar Singh – interim CISO and founder of the GiveADay charity – took a different view and expressed disappointment that the firm's internal phishing exercise, which sent out 14,000 emails, was successful enough to ensure half clicked on the malicious links.

“Although everyone (supposedly) knows that phishing emails are rampant and to be avoided, it always surprises me how many actually fall prey - the 50 percent figure is in line with what I have seen. In fact sometimes I think the IT crowd is more susceptible to these kinds of emails - maybe because they wrongly think they are smarter because they know IT.”

He added: “What is very interesting here is that the malware was not actually transferring large amounts of data. A fallacy I often see and hear repeated in many places is – ‘oh, don't worry, we are monitoring for bandwidth spikes’. The smart actor is surely not going to cause any bandwidth anomalies.”

