How GCHQ hacked Belgacom

Photo credit: Ministry of Defence

The method was apparently the 'quantum injection' described in earlier leaks concerning the NSA, Google and the Brazilian petrochemical company Petrobras. This involves diverting traffic to a superfast server holding a spoof of the real destination – essentially a MITM attack. The implication, though no direct accusation is made, is that GCHQ and the NSA co-operated in the Belgacom operation.

GCHQ apparently first identified Belgacom engineers through their LinkedIn accounts or through Slashdot. It then created spoof copies of the Belgacom staff LinkedIn pages, hosted on its own (or NSA) servers, and diverted the targets to them. The NSA calls its own quantum injection servers 'FoxAcid.' LinkedIn has denied any knowledge of or involvement in the process.

"The Belgacom employees probably thought nothing was amiss when they pulled up their profiles on LinkedIn," reported Der Spiegel. "The pages looked the way they always did, and they didn't take any longer than usual to load." But while visiting the FoxAcid server, the engineers' computers were infected with unnamed malware "which enabled the GCHQ spies to deeply infiltrate the Belgacom internal network and that of its subsidiary BICS, which operates a so-called GRX router system."
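The redirect described above only works if the spoof server's answer reaches the browser before the real one does. As an added example, not taken from the article or from any party it names, the following Python flags the footprint that race leaves in a packet capture: two TCP segments with the same sequence number but different payloads. The heuristic itself is an assumption beyond what the article states, and the addresses, sequence numbers and HTTP bytes are constructed.

```python
from collections import defaultdict

# Constructed sample of TCP segments seen on the wire, each recorded as
# (src, dst, seq, payload). Addresses and sequence numbers are made up.
SAMPLE_SEGMENTS = [
    # Client request (seen once, so never a candidate).
    ("192.0.2.5:51234", "203.0.113.10:80", 500,
     b"GET /in/engineer HTTP/1.1\r\nHost: www.example.test\r\n\r\n"),
    # Injected answer: arrives first, with the same server->client seq as the real reply.
    ("203.0.113.10:80", "192.0.2.5:51234", 1000,
     b"HTTP/1.1 302 Found\r\nLocation: http://198.51.100.7/in/engineer\r\n\r\n"),
    # Legitimate answer: same seq, different bytes; the client has already consumed
    # the injected segment and silently discards this one as an apparent duplicate.
    ("203.0.113.10:80", "192.0.2.5:51234", 1000,
     b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>profile</html>"),
    # Ordinary retransmission: same seq AND same bytes, must not be flagged.
    ("203.0.113.10:80", "192.0.2.5:51234", 1072, b"<html>profile</html>"),
    ("203.0.113.10:80", "192.0.2.5:51234", 1072, b"<html>profile</html>"),
]


def find_injection_candidates(segments):
    """Group segments by (src, dst, seq) and report keys whose payloads differ.

    Retransmissions repeat the same bytes and are ignored. Two distinct payloads
    for one sequence number mean two different senders answered the same request,
    which is the trace left when a spoofed response races the real server.
    Returns a list of ((src, dst), seq, [payloads]) sorted by flow and seq.
    """
    seen = defaultdict(list)
    for src, dst, seq, payload in segments:
        bucket = seen[(src, dst, seq)]
        if payload not in bucket:          # identical bytes = retransmission, keep once
            bucket.append(payload)
    return [((src, dst), seq, payloads)
            for (src, dst, seq), payloads in sorted(seen.items())
            if len(payloads) > 1]


if __name__ == "__main__":
    for flow, seq, payloads in find_injection_candidates(SAMPLE_SEGMENTS):
        print(f"{flow[0]} -> {flow[1]} seq={seq}: {len(payloads)} conflicting payloads")
        for p in payloads:
            print("   ", p.split(b"\r\n", 1)[0].decode(errors="replace"))
```

On real captures this check has to be applied per connection and tolerate partially overlapping segments; the sample above keeps to exact sequence-number matches to show the core idea.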

Der Spiegel claims that the operation was run by a GCHQ unit called MyNOC, or 'My Network Operations Center' – an elite group focused on infiltrating foreign networks. "Call it Her Majesty's hacking service, if you like," suggests the newspaper.

The purpose seems to be part of GCHQ's attempts to turn all mobile phones into potential surveillance devices. "'We can locate, collect, exploit (in real time where appropriate) high value mobile devices & services in a fully converged target centric manner,' a GCHQ document from 2011 states," according to Der Spiegel.

Belgacom seems to have been targeted because of its GRX service. GRX acts as a hub interfacing different mobile networks, and is therefore particularly useful for targeting traveling phone users (such as a European citizen traveling to an Arab country). Philippe Langlois, who heads up French telecom security company P1 Security, told Der Spiegel that it was an efficient approach since there are hundreds of wireless companies but only about two dozen GRX providers. "This way," he explained, "an intelligence service could read the entire Internet communications of the target and even track their location or implant spying software on their device."

Last week the head of GCHQ, Sir Iain Lobban, appeared before a British parliamentary committee along with the heads of MI5 and MI6. Lobban told the committee, "If I have that haystack [the sum total of potential interceptions], I am looking for needles and fragments of needles. That is what my queries pull out. I do not look at the surrounding hay. It may have been intercepted. A small portion of that may apply to British citizens. We will not look at it without a specific authorization."

This defense can still be applied: capturing data does not necessarily mean that the data is examined, and when data is examined, it is done in accordance with UK law. This does not, however, alter the fact that in order to capture the data, GCHQ has, according to the Snowden documents, hacked a company that is majority-owned by a fellow European government.
