GCHQ Scans Entire Countries for Flaws to Exploit – Report

British spy agency GCHQ has since 2009 been port scanning every available IP address in 27 countries across the globe for vulnerable systems to exploit, according to a new report.

The HACIENDA program was exposed in secret documents obtained by reporters writing for German publisher Heise.

Its purpose is to allow GCHQ spooks to discover vulnerable network infrastructure to exploit, with the database resulting from the port scans also shared with intelligence agencies in the other “Five Eyes” states.

Given that every target could theoretically be used to attack another target, no device or machine is safe from the program, the report claimed.

“The process of scanning entire countries and looking for vulnerable network infrastructure to exploit is consistent with the meta-goal of ‘Mastering the Internet’, which is also the name of a GCHQ cable-tapping program: these spy agencies try to attack every possible system they can, presumably as it might provide access to further systems,” it added.

“Systems may be attacked simply because they might eventually create a path towards a valuable espionage target, even without actionable information indicating this will ever be the case.”

HACIENDA scans all common public services like HTTP and FTP as well as admin protocols like SSH and SNMP. It also downloads ‘banners’ – the information a service sends back when a client connects to its port, which can help identify which software version is running on a target system.

The report argues that GCHQ, the NSA and other agencies in the Five Eyes group are effectively using the same attack methodology of organized cyber criminals: reconnaissance, infection, command and control and exfiltration.

HACIENDA is being used by these agencies, at least in part, to locate vulnerable machines which they can then turn into Operational Relay Boxes (ORBs) – covert infrastructure used by the spies to hide their location when attacking a target to steal data or launch other exploits, Heise said. 

“Thus, system and network administrators now face the threat of industrial espionage, sabotage and human rights violations created by nation-state adversaries indiscriminately attacking network infrastructure and breaking into services,” it continued.

“As a result, every system or network administrator needs to worry about protecting his system against this unprecedented threat level.”

In a bid to help network admins, the article also suggests some potential protections against HACIENDA, including “TCP Stealth” – “an easily-deployed and stealthy port knocking variant” which is currently an IETF draft.

Mark James, a security specialist at ESET, argued that port scanning has been around for a long time and used “for good and bad since the birth of TCP”.

“It’s nothing new to be worried about, but it’s certainly something that any company or user that has a public server ‘should’ worry about, the same way they worry about any other type of security,” he told Infosecurity by email.

“Good network practices should be routinely maintained. Only allow ports to be opened that you’re going to use (you don’t always have to use the ‘standard’ ports to achieve a goal). Some administrative services can be moved to non-standard ports in an attempt to thwart these types of attacks.”

Admins should also routinely check network logs for unusual activity, he added.

“Regular checks are a must. It may only be a few open ports today, but if you’re compromised the attackers may well open more ports remotely to make their life easier,” James argued.
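The routine checks James describes, as an added example that is not part of the article or the Heise report: a small Python script that flags sources probing many distinct ports in a short window in netfilter-style firewall drop logs, and compares a host's listening ports against the admin's allowlist. The log lines, addresses and allowlist are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in iptables/netfilter syslog style (not real log data).
# One source probes six ports in a few seconds; another touches two ports 25 minutes apart.
SAMPLE_LOG = """\
Aug 15 10:00:01 gw kernel: DROP IN=eth0 SRC=203.0.113.7 DST=198.51.100.5 PROTO=TCP DPT=21
Aug 15 10:00:02 gw kernel: DROP IN=eth0 SRC=203.0.113.7 DST=198.51.100.5 PROTO=TCP DPT=22
Aug 15 10:00:02 gw kernel: DROP IN=eth0 SRC=203.0.113.7 DST=198.51.100.5 PROTO=TCP DPT=23
Aug 15 10:00:03 gw kernel: DROP IN=eth0 SRC=203.0.113.7 DST=198.51.100.5 PROTO=TCP DPT=80
Aug 15 10:00:03 gw kernel: DROP IN=eth0 SRC=203.0.113.7 DST=198.51.100.5 PROTO=UDP DPT=161
Aug 15 10:00:04 gw kernel: DROP IN=eth0 SRC=203.0.113.7 DST=198.51.100.5 PROTO=TCP DPT=443
Aug 15 10:05:00 gw kernel: DROP IN=eth0 SRC=192.0.2.9 DST=198.51.100.5 PROTO=TCP DPT=22
Aug 15 10:30:00 gw kernel: DROP IN=eth0 SRC=192.0.2.9 DST=198.51.100.5 PROTO=TCP DPT=80
"""

LINE_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) .*SRC=(\S+) .*PROTO=(\S+) DPT=(\d+)")

def parse_drops(text, year=2014):
    """Yield (timestamp, src, proto, dport) for each dropped-packet line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        yield ts, m.group(2), m.group(3), int(m.group(4))

def find_port_scans(text, window=timedelta(minutes=1), min_ports=5):
    """Return {src: sorted 'proto/port' list} for sources that probed at least
    min_ports distinct ports within any sliding window of the given length."""
    events = defaultdict(list)
    for ts, src, proto, dport in parse_drops(text):
        events[src].append((ts, f"{proto}/{dport}"))
    scanners = {}
    for src, hits in events.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            ports = {p for t, p in hits[i:] if t - start <= window}
            if len(ports) >= min_ports:
                scanners[src] = sorted(ports)
                break
    return scanners

def unexpected_listeners(observed, allowlist):
    """Ports found listening on a host that are not on the admin's allowlist."""
    return sorted(set(observed) - set(allowlist))
```

Run with a real `ss -ltn` port list and a day's firewall log in place of the constructed inputs; the threshold and window are tunable starting points, not fixed rules.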
