GCHQ faces new Belgacom hack allegations

News by Doug Drinkwater

New leaks from NSA whistle-blower Edward Snowden reveal that the alleged GCHQ cyber-attack on Belgacom used Regin malware and was undiscovered for two years before it was detected. Plus, there are now concerns that the clean-up operation was not successful.

Back in September 2013, Snowden revealed that Belgacom, the largest telecommunications company in Belgium, had been hit by an advanced persistent threat (APT) attack which - he says - was the work of the UK's GCHQ (Government Communications Headquarters) intelligence agency.

The agency has never confirmed or denied its involvement, but the attack started with the threat actor tricking three Belgacom engineers into visiting spoofed LinkedIn and Slashdot pages, at which point their computers were infected with malware using the ‘Quantum Insert’ infiltration technology.

This enabled the attackers to deeply infiltrate the Belgacom internal network and that of Belgacom subsidiary BICS, which co-operates a GRX router system that is required when a user makes a telephone call or goes online with their mobile phone while abroad. This supposedly included access to the communications of Belgacom customers such as NATO, the European Parliament and the European Council.

Belgacom – through the help of Dutch cyber-security firm Fox-IT – only detected the attack late last year and the firm's head of information security, Fabrice Clement, admitted this November that the remediation costs were around £12 million.

However, according to new leaks from NSA whistle-blower Edward Snowden, which were published by The Intercept and the Dutch and Belgian newspapers NRC Handelsblad and De Standaard over the weekend, the attack may have been even more widespread than first thought.

The malware was reportedly hidden in the Belgacom networks for two years (since at least 2011) before it was detected, while it is believed that the attack – which involved the use of the highly-sophisticated Regin malware – may have grabbed both encrypted and unencrypted streams of private communications handled by the firm.

In addition, unidentified sources told The Intercept that they were ‘deeply uncomfortable’ with how the clean-up operation was handled, believing the malware ‘were never fully removed’.

Snowden himself said in an interview with the newswire that the revelations amounted to unprecedented “smoking-gun attribution for a governmental cyber-attack against critical infrastructure.” He added that it was a “breath-taking example of the scale of the state-sponsored hacking problem.”

A federal prosecutor in Belgium is currently carrying out a criminal investigation into the attack which – if it was the work of GCHQ – would represent a “violation of a public company's integrity”, according to Belgian prime minister Elio di Rupo (speaking in September 2013).

Responding to these latest allegations, independent security consultant Graham Cluley told SCMagazineUK.com that it would be a ‘disgrace’ if the UK government was behind the cyber-attack.

“It's a disgrace that GCHQ chose to break the law, rather than following legal channels to access data from a firm based in another EU country. Presumably they felt such approaches would end in failure, so they resorted to an illegal hack instead,” he said via email.

“Belgacom, let's not forget, did nothing wrong and was never suspected of any wrongdoing. And yet the British authorities decided to hack the company anyway. It's difficult to speculate on how much information GCHQ may have retrieved from Belgacom, or the scale of the intrusion, but it's clear that they would be entirely justified in demanding compensation from the British government for any damage done to their systems and to their corporate reputation.

“If the British government has any decency, it would conduct a full enquiry into what occurred rather than try to sweep the incident under the carpet.”

Brian Honan, managing director and consultant at BH Consulting, cautioned that it is ‘very difficult to assign attribution 100 percent’, especially when sophisticated malware is involved, but said that attackers could have targeted Belgacom to access the communications of their chosen target.

“The attack against Belgacom could provide the attackers with access to the communications data of many organisations that would be of interest to the attackers. Firstly, many EU institutions may be using Belgacom for their communications and hence would be an interesting target. Belgacom also provides communication links to other nations, particularly those in the continent of Africa which would also be of interest to certain nation states,” he said in an email to SC.

Questioned on whether this attack had undermined encryption, he said that it should serve as a warning to enterprises to ensure such solutions are correctly secured and implemented.

“Most attacks against encryption have not been directly against the encryption algorithms but rather at the inclusion of backdoors into the encryption solution, at the implementation of the encryption system or the end-points where the data would pass in the clear. What this attack has highlighted is that companies should ensure that all aspects of their encryption solution are secured and implemented properly.”

He added: “Given the sophistication of the malware used and the lack of information available on how all the components worked together, it would be good security practice to assume that not all instances of the malware have been identified and dealt with, but rather to operate the network as if it is compromised and secure your data and communications accordingly.”
