The alleged attack by Britain’s security agency, GCHQ, on Belgium’s national telecom operator, Belgacom, cost the company €15m, according to the company’s head of security and information management, Fabrice Clement.
Reportedly referred to as “Operation Socialist” by GCHQ, it involved a sophisticated man-in-the-middle attack on Belgacom International Carrier Services (Bics), which intercepted the web traffic of targets, redirecting them to a fake LinkedIn page. Their PCs were then infected with unnamed malware, enabling the GCHQ attackers to access Belgacom’s internet corporate network.
The attack was revealed in a leaked document from the cache of US National Security Agency (NSA) whistleblower Edward Snowden, which was published in German newspaper Der Spiegel. LinkedIn denied any involvement in the attack and the disclosure caused a diplomatic incident in Europe.
But in a surprisingly candid interview this week with Belgium’s Mondiaal News, Clement admitted that cleaning up after the attack was exposed cost the company some €15m. He also said that the company had first identified the attack in June 2013, but only realised its enormity and sophistication three months later.
“We detected an abnormal process on one of our email servers. We did a quick analysis and discovered that it was malware. Then we immediately started a detailed investigation… [The attack] was extremely sophisticated. It was clearly a new generation of malware that previously had never been established. It was also very well hidden,” he said.
He continued: “We found a dropper, the process by which the malware had been installed. This assembled the malware based on many small pieces of software hidden in dozens of databases. The dropper then installed the malware and erased its tracks. The malware was additionally encrypted, at different levels. The encryption was unique and specific for each infected system.”
A total of 124 systems, including email and SharePoint servers, were infected, together with some 26,000 PCs and workstations. A specialist forensic investigation, led by the Dutch firm Fox-IT, was conducted, involving as many as 200 people, including lawyers and IT engineers, and extended into the company’s supply chain. The clean-up took two months.
“Everyone had to sign a document to ensure confidentiality. We also worked with the Federal Computer Crime Unit of the [Belgian] police, the Regional Computer Crime Unit, the military intelligence GISS and State Security,” said Clement. Internally, the investigation also engaged the IT department (of course), as well as corporate communications and the legal department, and included daily “crisis management” meetings that involved the company’s vice presidents.
However, although the Edward Snowden leaks implicated GCHQ, Clement said that the company cannot be sure who was responsible. The criminal investigation is still ongoing.
Indeed, Clement said that very little data – as far as the investigation could ascertain – was actually transferred. “The volume of traffic was extremely low – only a few kilobytes. The malware was clearly not designed to intercept data in bulk. They were not out to copy databases. It was very specific information… But what exactly? We have no indication about that,” he said.
Ironically, perhaps, Belgacom has had a team of “ethical hackers” working in-house for some five years, supposedly testing the telecom company’s security, as well as an internal IT security team, called Cyber Security Incident Response Team (CSIRT), which monitors the company’s networks round the clock. The company also seeks to educate staff better in cyber security.
In one of its initiatives, for example, it sent a phishing email to staff that promised the chance to win a Samsung Galaxy smartphone if they clicked a link – half of the company’s staff clicked on the link, according to Clement.
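The "half of staff clicked" figure in a phishing simulation like the one above only means something if each recipient gets an unguessable link of their own and repeat clicks by the same person are counted once. The following is an added example, not code from Belgacom or from the article, showing how such a campaign can mint per-recipient tracking tokens and then compute a unique-recipient click rate from web-server access logs. The staff names, the lure domain, the campaign secret and the log lines are all constructed for illustration.

```python
import hashlib
import hmac
import re
from urllib.parse import parse_qs, urlparse

# Constructed data for the example: none of this comes from the real exercise.
CAMPAIGN_SECRET = b"campaign-2013-galaxy-lure"  # hypothetical per-campaign secret
STAFF = ["alice", "bob", "carol", "dave", "erin", "frank"]  # hypothetical staff list
LURE_BASE = "https://win-a-galaxy.example/win"  # hypothetical lure domain


def mint_token(user: str, secret: bytes = CAMPAIGN_SECRET) -> str:
    """Per-recipient tracking token.

    An HMAC over the username means a token cannot be forged or guessed
    from a colleague's e-mail; it is truncated only to keep the URL short.
    """
    return hmac.new(secret, user.encode(), hashlib.sha256).hexdigest()[:16]


def lure_link(user: str) -> str:
    """The link embedded in the e-mail sent to one recipient."""
    return f"{LURE_BASE}?t={mint_token(user)}"


# Common-log-format request line; only the request path matters here.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"GET (?P<path>\S+) HTTP/1\.[01]" (?P<status>\d{3})'
)


def click_rate(log_lines, staff, secret: bytes = CAMPAIGN_SECRET) -> dict:
    """Unique-recipient click rate from access-log lines.

    Repeat clicks by one person count once, requests without a token or
    with a token that maps to nobody (scanners, forwarded or tampered
    links) are counted separately rather than inflating the rate.
    """
    token_to_user = {mint_token(u, secret): u for u in staff}
    clicked = set()
    unknown_tokens = 0
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand
        query = parse_qs(urlparse(m.group("path")).query)
        token = query.get("t", [None])[0]
        if token is None:
            continue  # favicon, crawler, etc.: no tracking token at all
        user = token_to_user.get(token)
        if user is None:
            unknown_tokens += 1
            continue
        clicked.add(user)
    return {
        "clicked": sorted(clicked),
        "rate": len(clicked) / len(staff),
        "unknown_tokens": unknown_tokens,
    }


# Constructed access-log sample: alice clicks twice, bob and carol once each,
# one request carries a token nobody was sent, one has no token, one is junk.
SAMPLE_LOG = [
    f'10.0.0.5 - - [12/Jun/2013:09:01:10 +0200] "GET /win?t={mint_token("alice")} HTTP/1.1" 200',
    f'10.0.0.5 - - [12/Jun/2013:09:01:12 +0200] "GET /win?t={mint_token("alice")} HTTP/1.1" 200',
    f'10.0.0.9 - - [12/Jun/2013:09:03:44 +0200] "GET /win?t={mint_token("bob")} HTTP/1.1" 200',
    f'10.0.0.21 - - [12/Jun/2013:09:07:02 +0200] "GET /win?t={mint_token("carol")} HTTP/1.1" 200',
    '10.0.0.33 - - [12/Jun/2013:09:08:00 +0200] "GET /win?t=deadbeefdeadbeef HTTP/1.1" 200',
    '10.0.0.40 - - [12/Jun/2013:09:09:00 +0200] "GET /favicon.ico HTTP/1.1" 404',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for u in STAFF:
        print(u, lure_link(u))
    print(click_rate(SAMPLE_LOG, STAFF))
```

On the constructed sample three of six recipients clicked, so the rate is 0.5; the duplicate click and the stray token do not move it. Keeping the campaign secret out of the e-mail template and the log analysis separate from the lure server is what lets the same log later be re-counted against a corrected staff list.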