In September 2013, Belgacom was hit by a suspected Advanced Persistent Threat (APT) attack which, according to leaked documents from NSA whistle-blower Edward Snowden which were published by German newspaper Der Spiegel, was the work of the NSA and UK's own GCHQ.
The latter reportedly called the project ‘Operation Socialist' and the leaked slides revealed how the attack was used to target Belgacom subsidiary Bics, a joint venture between Swisscom and South Africa's MTN.
There still remains some mystery around the motive for attacking BICS, although as it provides wholesale carrier services to mobile and fixed-line telcos globally – including troubled areas like Syria, some have suggested that agencies could compromise their systems to spy on travelling phone users.
The agencies allegedly used an attack method called ‘quantum injection' - more commonly known as a Man-in-the-Middle (MiTM) attack - to intercept web traffic and redirect LinkedIn-using Belgacom engineers onto their own servers.
As documented at the time, GCHQ staff allegedly created spoof Belgacom staff LinkedIn pages which were hosted on agency servers. Their machines were then infected with unnamed malware, enabling hackers to gain access to the internal company network.
NSA called its own quantum injection servers ‘FoxAcid'. LinkedIn has continually denied any involvement since the information first came to light.
“The Belgacom employees probably thought nothing was amiss when they pulled up their profiles on LinkedIn," reported Der Spiegel at the time. "The pages looked the way they always did, and they didn't take any longer than usual to load."
However, when visiting the FoxAcid server, the engineers' computers were infected with the malware and this, says the German newspaper, “enabled the GCHQ spies to deeply infiltrate the Belgacom internal network and that of its subsidiary BICS, which operates a so-called GRX router system."
In a surprisingly candid interview published by Belgian website Mondiaal News on Wednesday, the company's head of security and information management, Fabrice Clement, detailed the nature of the attack and a clean-up operation which has cost just under £12 million (€15 million).
He revealed that the company first found the infection in September 2013 – three months after noting an ‘abnormal process on one of our servers' – and indicated how the APT was both ‘extremely sophisticated' and ‘very well hidden'.
The malware was installed by a dropper and was encrypted at various different levels. Belgacom hired Dutch firm Fox-IT to forensically investigate in a clean-up operation that involved up to 200 people – including lawyers, engineers and supply chain staff - on 14-15 September 2013. Local law enforcement was also consulted.
In the interview (which is in Dutch), Clement says that a total of 26,000 machines were infected across 124 different systems, including email and SharePoint servers, workstations and PCs. Nearly half of all infected systems were computers and mainly from staff with technical profiles, he added.
Despite this, he says that the perpetrators - who were apparently looking for information on the structure of Belgacom and its networks - only took a few kilobytes worth of data,
As part of the recovery operation, the firm installed new computers and restored servers. Clement was coy on who was behind the attack, despite Snowden's documents.
UK cyber security expert Alan Woodward, a visiting professor at the University of Surrey's computing department, admits that he's perplexed as to why NSA and GCHQ would want to compromise Belgacom and believes that organised cyber-criminals remain the more likely assailant. “Even if it was a government, why would it be the UK, and not the Chinese or Russians?” he asked when speaking to SCMagazineUK.com.