
How GCHQ Spies Hacked Belgium’s Largest Telco - sergeant3
https://firstlook.org/theintercept/2014/12/13/belgacom-hack-gchq-inside-story
======
derf_
To me, by far the most interesting bit is this:

 _GCHQ developed a system called NOCTURNAL SURGE to search for particular
engineers and system administrators by finding their IP addresses..._

 _The confirmation came in the form of Google, Yahoo, and LinkedIn “cookies,”
tiny unique files that are automatically placed on computers to identify and
sometimes track people browsing the Internet, often for advertising purposes.
GCHQ maintains a huge repository named MUTANT BROTH that stores billions of
these intercepted cookies, which it uses to correlate with IP addresses to
determine the identity of a person._

Hope you aren't sending cookies to an http site. Ever.
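The pivot the article describes (a stored cookie links a person to every IP address that ever sent it, and each IP links back to more cookies) is easy to see in code. The following is an added example, not code from the article or this thread; the capture, hostnames, cookie names and IP addresses are all constructed, and only plaintext `http://` requests appear because those are the only ones a passive tap can read.

```python
"""Cookie-to-IP correlation from intercepted plaintext HTTP.

Added example, not from the article or the thread. Everything in CAPTURE is
constructed: hostnames, cookie names and values, and source IPs.
"""
from collections import defaultdict

# Constructed passive capture of http:// request heads: (source IP, raw request).
CAPTURE = [
    ("203.0.113.10",
     "GET / HTTP/1.1\r\nHost: news.example\r\nCookie: uid=a1b2c3; theme=dark\r\n\r\n"),
    ("203.0.113.10",
     "GET /jobs HTTP/1.1\r\nHost: social.example\r\nCookie: sid=XYZ-77\r\n\r\n"),
    ("198.51.100.7",   # same person, days later, from a different address
     "GET /mail HTTP/1.1\r\nHost: news.example\r\nCookie: uid=a1b2c3\r\n\r\n"),
    ("198.51.100.7",
     "GET /pixel.gif HTTP/1.1\r\nHost: ads.example\r\nCookie: adid=q9w8e7\r\n\r\n"),
    ("192.0.2.44",     # unrelated user who happens to share the non-unique theme cookie
     "GET / HTTP/1.1\r\nHost: news.example\r\nCookie: uid=zzzzzz; theme=dark\r\n\r\n"),
]


def parse_request(raw):
    """Return (host, {cookie_name: value}) from a raw HTTP/1.1 request head."""
    host, cookies = None, {}
    for line in raw.split("\r\n")[1:]:      # skip the request line
        if not line:                        # blank line ends the headers
            break
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if name == "host":
            host = value.lower()
        elif name == "cookie":
            for pair in value.split(";"):
                k, sep, v = pair.strip().partition("=")
                if sep:
                    cookies[k] = v
    return host, cookies


def build_repository(capture):
    """Index every observed cookie by (host, name, value) -> IPs and IP -> cookies."""
    cookie_to_ips, ip_to_cookies = defaultdict(set), defaultdict(set)
    for src_ip, raw in capture:
        host, cookies = parse_request(raw)
        if host is None:
            continue
        for name, value in cookies.items():
            key = (host, name, value)
            cookie_to_ips[key].add(src_ip)
            ip_to_cookies[src_ip].add(key)
    return cookie_to_ips, ip_to_cookies


def correlate(capture, seed_cookie, identifying_names=None):
    """Starting from one cookie known to belong to the target, pivot
    cookie -> IPs -> cookies until nothing new appears.

    identifying_names restricts the pivot to cookies that are per-user unique;
    with None every cookie is trusted, and a shared value (theme=dark) will
    wrongly pull in strangers.
    """
    cookie_to_ips, ip_to_cookies = build_repository(capture)

    def usable(key):
        return identifying_names is None or key[1] in identifying_names

    ips, cookies, frontier = set(), {seed_cookie}, [seed_cookie]
    while frontier:
        c = frontier.pop()
        for ip in cookie_to_ips.get(c, ()):
            if ip in ips:
                continue
            ips.add(ip)
            for other in ip_to_cookies[ip]:
                if usable(other) and other not in cookies:
                    cookies.add(other)
                    frontier.append(other)
    return ips, cookies


def cookie_exposed_to_http(set_cookie_header):
    """True if a Set-Cookie header lacks the Secure attribute, i.e. the browser
    will also send this cookie on plaintext http:// requests."""
    attrs = [a.strip().lower() for a in set_cookie_header.split(";")[1:]]
    return "secure" not in attrs


if __name__ == "__main__":
    seed = ("news.example", "uid", "a1b2c3")
    print(correlate(CAPTURE, seed, identifying_names={"uid", "sid", "adid"}))
    print(correlate(CAPTURE, seed))      # loose pivot also drags in 192.0.2.44
```

Two things the toy makes visible: the pivot only works on cookies that are unique per user (hence the article's word "unique"), and the only defence on the site side is never to let the browser send the identifier in the clear, which in header terms is the `Secure` attribute on every identifying cookie plus serving nothing over http at all.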

~~~
acqq
Also note "GCHQ developed a system called NOCTURNAL SURGE to search for
particular engineers and system administrators by finding their IP addresses,
unique identifiers that are allocated to computers when they connect to the
internet."

Then the screenshot shows some queries of TELNET / SSH connections, which can
mean: whoever uses SSH stands out from the crowd.

Wow.

Ever used SSH?

~~~
mcintyre1994
Do companies using Git tend to use it over SSH, the way personal GitHub/Bitbucket
use does? If so, that's presumably a lot of noise in this genius detection
scheme.

~~~
forgottenpass
There would be very different traffic patterns. Git over SSH would be a
short-lived session with high data speeds; an interactive shell is longer with
lower throughput changing in fits and starts. The popularity and hostnames of
SSH servers also give some hints. Noise in detection would all depend on how
intricate the monitoring is and how well it can be queried.
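The traffic-shape distinction described in that comment can be turned into a crude classifier over flow records. This is an added example, not code from the thread or the article; the flow records, the per-second byte series and every threshold are constructed assumptions, and the two hostnames used as a "known git remote" hint are the ones the thread itself mentions.

```python
"""Telling Git-over-SSH from an interactive SSH shell by traffic shape.

Added example, not from the thread or the article. FLOWS and all thresholds
are constructed; real monitoring would derive them from observed traffic.
"""
from dataclasses import dataclass

# Hostnames named in the thread as typical SSH git remotes; a hint, not proof.
GIT_HOST_HINTS = {"github.com", "bitbucket.org"}


@dataclass
class Flow:
    src: str
    dst: str                 # destination hostname (or IP if no name is known)
    dst_port: int
    per_second_bytes: list   # bytes on the wire in each second of the session


def features(flow):
    """Duration, average rate, idle share and peak rate of one session."""
    s = flow.per_second_bytes
    if not s:
        raise ValueError("empty flow")
    duration = len(s)
    return {
        "duration_s": duration,
        "avg_bytes_per_s": sum(s) / duration,
        "idle_fraction": sum(1 for b in s if b == 0) / duration,
        "peak_bytes_per_s": max(s),
    }


def classify(flow, max_bulk_s=60, min_bulk_avg=50_000,
             max_interactive_avg=5_000, min_interactive_idle=0.5):
    """Label an SSH session as bulk transfer (git push/pull, scp) or an
    interactive shell. Thresholds are constructed for the example."""
    if flow.dst_port != 22:
        return "not-ssh"
    f = features(flow)
    hint = flow.dst in GIT_HOST_HINTS
    # Short, fast, no idle gaps: a transfer, not a human typing.
    if (f["duration_s"] <= max_bulk_s and f["avg_bytes_per_s"] >= min_bulk_avg
            and f["idle_fraction"] < 0.2):
        return "bulk-transfer (git-host)" if hint else "bulk-transfer"
    # Long, slow, mostly silent with small bursts: someone at a keyboard.
    if (f["avg_bytes_per_s"] <= max_interactive_avg
            and f["idle_fraction"] >= min_interactive_idle):
        return "interactive-shell"
    return "unclassified"


def ssh_clients(flows):
    """Every source that spoke to port 22 at all: the coarse 'ever used SSH'
    filter the thread is worried about, before any shape analysis."""
    return {f.src for f in flows if f.dst_port == 22}


# Constructed sample: a git push to a public host, a push to an internal
# remote, a 5-minute admin session with a keystroke burst every 7 seconds,
# and an unrelated HTTP flow.
FLOWS = [
    Flow("10.0.0.5", "github.com", 22, [150_000] * 12),
    Flow("10.0.0.5", "git.internal.example", 22, [90_000] * 20),
    Flow("10.0.0.9", "router1.internal.example", 22,
         [90 if i % 7 == 0 else 0 for i in range(300)]),
    Flow("10.0.0.9", "www.example", 80, [2_000] * 5),
]

if __name__ == "__main__":
    print(sorted(ssh_clients(FLOWS)))
    for fl in FLOWS:
        print(fl.src, "->", fl.dst, classify(fl))
```

The labels are only as good as the thresholds, and a large `scp` or `sftp` transfer lands in the same bucket as `git push`, so the comment's point stands: whether git traffic is "noise" depends on how much more than duration and byte counts the collector keeps and can query.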

------
jacquesm
What would be the appropriate sanctions for a breach of this magnitude? The EU
is pretty spineless and I suspect the answer to the question will be 'none'.
Just don't do it again and if you do don't get caught or something like that.

Belgacom seems to have been more than happy to see this swept under the
carpet, the gag on Fox-IT and their partial answers in the investigation are
most telling.

~~~
DrJokepu
I really don't think regulating espionage between member states is within the
scope of the EU's objectives. Presumably, the Belgian government could make a
complaint to the British government through the usual diplomatic channels.
Introducing any sort of international sanctions would be a bit of an
overreaction.

~~~
jacquesm
Spying on other member states in the EU parliament (indirectly in this case)
violates the neutrality of the body governing the EU. It's a pretty big deal
imho, but we'll see what the eventual fall-out will be.

Here is a good article (in Dutch) about the whole thing:

http://www.nrc.nl/nieuws/2014/12/13/verantwoording-en-documenten/

It's getting quite a bit of media coverage here.

One key bit is that this is not just GCHQ working in isolation, the NSA also
had a hand in it:

"They use an American technique (Quantum Insert), developed by a special
department of the NSA, to hack computers. When someone goes online, their
internet traffic is redirected at lightning speed to a network computer (or
server) that the American intelligence service secretly controls."

Which roughly translates to "They use a special American technique (Quantum
Insert), developed by a special department of the NSA, to hack computers. If
someone goes online their internet traffic is redirected lightning fast to a
network computer (or server) controlled by the American secret services."

~~~
tedunangst
Does GCHQ rely on NSA QI facilities, or can they run the attack on their own?
The Intercept makes a weaker claim than the above about NSA direct
involvement. Certainly, I believe NSA QI redirects traffic to NSA controlled
servers, but I'd imagine when GCHQ is running the op they would prefer to
redirect to their own servers.

~~~
AlyssaRowan
Both GCHQ and NSA have separate QUANTUM rollouts, with slightly different
capabilities. They can each more-or-less freely use the other (the NSA reaches
GCHQ's directly over the gchq.nsa.ic.gov gateway, and there's a similar one on
the other side).

~~~
breakingcups
Very interesting. Would you happen to have a source that goes into more
detail?

------
tedunangst
> one of the most advanced spy tools ever identified by security researchers

It's interesting to watch the apparently monotonically advancing capabilities
of malware. Every piece of spyware discovered is far more advanced than
anything that came before. (With the occasional exception, "complete amateur
hour shite" malware.) Nobody ever seems to use spyware that's just good
enough.

~~~
7952
Does "advanced spy tools" just mean "stockpile of unpatched vulnerabilities"?
And if so why are "responsible" governments leaving those vulnerabilities
extant when they could be used to harm their own citizens. Are we not a target
worth protecting?

~~~
tedunangst
Cynically, I believe "advanced spy tools" means "I want this story to sound
exciting". You hardly need 0-days to pwn most targets. A combination of
7-days, "check out this draft of next week's roadmap", and weak/reused
passwords is more than enough.

From The Intercept's analysis:
https://firstlook.org/theintercept/2014/11/24/secret-regin-malware-belgacom-nsa-gchq/

Malware isn't really my specialty, but this mostly sounds like malware 101
stuff.

> This Regin driver recurrently checks that the current IRQL (Interrupt
> Request Level) is set to PASSIVE_LEVEL using the KeGetCurrentIrql() function
> in many parts of the code, probably in order to operate as silently as
> possible and to prevent possible IRQL confusion. This technique is another
> example of the level of precaution the developers took while designing this
> malware framework.

Or in other words, they read the documentation for writing a kernel driver?

Yeah, I can definitely believe this came from GCHQ/NSA/whoever, but the
breathless reporting makes it sound like Fox Mulder recovered it from an alien
crash.

~~~
droopyEyelids
Think of how precious responsible employees that have read the documentation
are to any company. Having teams of dedicated, capable, honest people who are
working for a government on malware is absolutely a new development.

------
chippy
Of particular interest is how they used the MITM attack using LinkedIn. Was
LinkedIn running https back then? Does it imply that company or certificates
have been compromised also?

2012 saw a very large password leak for LinkedIn....

~~~
tedunangst
As of last month, I was still receiving emails from linkedin that contained
http links.

------
dkarapetyan
As long as networks continue to be centralized at large hubs like Google,
Facebook, Belgacom, etc. this will continue to be a problem. Break things up
and make them less centralized and all of a sudden it is much harder to do all
this.

------
pan69
Could it be, and I'm just thinking out loud and speculating here, that the
Belgian government or secret service knew about this and that the UK was
simply using Belgacom as "target practice"?

I mean, I would assume that GCHQ would want to test the effectiveness of
their systems, and that using an EU member state and partner would make sense,
but you obviously don't want them to generally know about it because it
wouldn't make the target practice legit.

Again, just speculating...

~~~
jacquesm
The Belgian government has a lot to lose in all this. They host the EU
parliament which was a top target for this exercise. If the Belgian government
would be found to be complicit in this then the fall-out might include such
things as a relocation of the EU parliament to a country that would not
readily bend over to aid another country in spying on the EU parliament
members.

That alone I think is sufficient to highly doubt Belgian government
involvement in this.

~~~
charlesdm
The Belgian government is highly incompetent in all matters related to cyber
security (amongst many other things).

There was a case a few years back, where apparently some of their more
important systems were infected by an unknown trojan or a piece of spyware -
can't exactly remember what it was.

I believe, at the time, they assumed that it came from the NSA. Guess who they
called to fix it? The NSA.

What a disgrace.

~~~
happyscrappy
>Guess who they called to fix it? The NSA. What a disgrace.

Europeans love to believe they are fighting evil America without realizing
they are a collection of vassal states.

~~~
charlesdm
Personally, I believe they should've been able to fix it themselves. Then
again, I'm also the kind of person who believes that you don't spy on your
friends.

~~~
mschuster91
> Personally, I believe they should've been able to fix it themselves.

Difficult to fix stuff when you don't have both access to the source code AND
verifiable builds. And we know that no one can trust Cisco in any case - if
Cisco themselves do not cooperate, NSA will intercept the parcel en route
anyway.

------
ThinkBeat
Glad the Sony hack gets all the attention for spilling some internal memos.

~~~
junto
I'd certainly expect worldwide sales of Cisco routers to decrease as a result
of this. Furthermore I'd expect a large number of Belgacom customers to walk
too.

