UPDATE 2018-09-20: according to Belgian news paper De Tijd, a new confidential report by the Belgian public prosecutor delivered to the Belgian government contains new clues pointing to GCHQ’s involvement in the Belgacom hack. The public prosecutor investigated a link to a computer in Indonesia, and when asking for information about its IP address, had learned that the British government had also asked questions about it. Furthermore, computers traced to other countries could be linked to the U.K., because some had been paid using anonymous prepaid payment cards that had been bought in the U.K. And lastly, when computer specialists were able to secure a copy of the malware back in 2013, it was found to contain names like `Daredevil’ and `Warriorpride’; from documents leaked via Snowden it is apparent that these names can be linked to CNE activities by GCHQ and the NSA.

UPDATE 2014-12-13: 10 new documents released. Three new stories. latter two in Dutch. 1) The Inside Story of How British Spies Hacked Belgium’s Largest Telco (The Intercept), 2) Lees hier hoe de Britse geheime dienst GCHQ Belgacom aanviel (in Dutch, NRC Handelsblad), 3) Britse spionage bij Belgacom ging veel verder dan bekend (in Dutch, NRC Handelsblad)

UPDATE 2014-11-24: Secret Malware in European Union Attack Linked to U.S. and British Intelligence (The Intercept)

UPDATE 2014-10-26: GCHQ cyber-attack cost €15m, says Belgacom security head Fabrice Clement (Computing.co.uk)

UPDATE 2014-05-30: Slides from Hack in the Box 2014 Amsterdam: HITB2014AMS – Day 2 – On Her Majesty’s Secret Service: GRX & A Spy Agency

UPDATE 2013-12-04: Flemish newspaper De Tijd reports (in Dutch) that Belgacom is still struggling to control the remains of the malicious spyware at BICS. The remaining malware is said to be “so complex” that it baffles experts.

UPDATE 2013-11-10: here are a few Snowden-slides from GCHQ that mention Belgacom (click to enlarge). Der Spiegel reported (in English) that GCHQ used fake, malicious LinkedIn and Slashdot sites to lure Belgacom engineers and get malware on their computers to obtain access to a GPRS roaming exchange (GRX) router system operated by Belgacom-subsidiary BICS.



UPDATE 2013-09-27: The Belgacom compromise reinforces the correctness of the “Two Axioms for the Information Age” (I don’t know who first coined these): 1) Any device with software-defined behaviour can be tricked into doing things its creators did not intend; 2) Any device connected to a network of any sort, in any way, can be compromised by an external party.

Here is a careful English translation of this original article by Peter De Lobel and Nikolas Vanhecke in Belgian news paper De Standaard. Hyperlinks and parts in [] are mine.

On the brink of catastrophe (2013-09-21)

Ping. It’s Friday the 13th. Around 11 o’clock in the morning, the IT consultants that Belgacom employs at its largest customers in the private and public sector receive a message. The message doesn’t say much, except for an urgent request to cancel all appointments of that forenoon. An “emergency conference call” will take place instead.

The news that is brought in that call makes the IT consultants gasp for breath. A piece of malicious software has been found on the network of BICS, a daughter company of Belgacom. It is hard to grasp even for well-informed insiders. The BICS network is so wide and deep that it is promptly clear to everybody that this is not just a Belgian problem. This problem is at least of European proportions. Because whoever controls BICS, controls the communication of a large part of the world. “This could have been larger than 9/11”, says one source who closely followed the case. Without a grain of irony.

The pressure on the teams of the Dutch digital defender Fox-IT, that started cleaning up together with an army of Belgacom employees last weekend, was enormous.

It was their second attempt, various sources confirm. A first attempt to remove the villainous software from the infected computers at Belgacom in the last weekend of August was cancelled. “At the time, not all conditions were met required to remove everything at once”, it was said. Some computers turned out to run the alternative operating system Linux, known of the penguin logo, not Windows. “The risk was too big that we could not remove everything at once. In that case you should not touch it. Or the adversary will know that the virus has been found”, states someone politically involved.

Strict conditions

The investigation of the hacking started on July 19th, when Belgacom went to court. During their work, investigators at the intelligence services, police and justice were very wary of a leak about the entire operation. In early September they informed the Belgian cabinet on strict conditions: the list of attendees of that meeting was kept closely. If a politician would have wanted to reveal the news before the malware was dealt with, the investigators would press charges for breach of confidentiality of the investigation. “We could not risk everything going wrong due to someone talking”, it is said.

Belgacom was not infected with some common viruses, but with very professional malware that costed lots of money to develop. “We had to re-invent ourselves to do this”, an investigator said. “In other investigations there is a fixed idea of where you’re going, but in in this case it was continuously starting over because it was so difficult to get a grasp of the malware”.

Gradually it became clear that the hackers are not only interested in the communications in the Middle-East, where BICS holds a solid position via South-African minority shareholder MTN. “They have been looking around and took what they could”, state sources involved in the investigation. They are clear about one thing: the attack originated from the United States. “We determine that by the signature of the malware, but especially by where the trails lead. They partially run through the UK. We think the US is the main destination. And the past weeks at the US Embassy, you notice some embarrassment when you request exchange of information.” Yesterday, the German weekly magazine Der Spiegel reported that the UK intelligence service GCHQ (Government Communications Headquartes) are responsible for the attacks. It based that claim on slides disclosed by whistleblower Edward Snowden. The news that GCHQ is behind the Belgacom attack is a surprise to at least the services working on the affair.

The malware could do anything

The malware at Belgacom actually consists of a complex system of complementary viruses. They are all connected. If a problem is imminent or if they are detected, they can signal each other. “It is somewhat like a human virus, which also mutates continuously”, states someone involved who monitors the situation for his service. “For example, one part is responsible for searching and storing information, while another part is continuously looks for pathways to the internet to transfer information. Other pieces of code are responsible for circumventing firewalls, or carry out surveillance. If someone detects the hacking or attempts to remove a part of it, the virus that is acting as a guard promptly signals the other parts. Because you don’t know what the malware is capable of, everything can go horribly wrong at the last step.”

The cost of the entire detection and cleaning operation is correspondingly high. Fox-IT, the Dutch cyber security/defence company that is commissioned by Belgacom to first make inventory of the problems and then solve them, is a familiar name. “For the first two weeks they estimated the costs to be one million euro”, states a well-placed source. And then adds that the entire operation lasted ten weeks. Moreover, Fox-IT did not expect that, at a certain point, it had to allocate all of its employees to this case. A price tag of over five million euro, then? “It won’t be far off.”

But what was so terrifying about this cyber attack? And why the panic that something would go wrong? Telephone data about conversations with countries such as Afghanistan, Yemen and Syria that disappear, how could that have such an impact? They are ‘just’ stolen phone data, right? The involved expert sitting opposite us, looks dead serious. There is drama in his voice, but considering the contents of what he says, that is not unjustified. “This was highly performing malware and it was present in the nerve centre of communications. Anything that a highly privileged network operator of Belgacom could do, this system could do as well. I don’t have to make a drawing of it? It had all the keys, all the passwords and full control. We must dare to classify this as a big crisis. This could have been a catastrophe. And people don’t seem to realize.”

Sensitive customers

Perhaps it wouldn’t hurt to make that drawing. BICS calls itself a “wholesale carrier”. Two words, four syllables, but behind it is a network that spans the entire globe and the beating heart of which is located in our capital, Brussels. BICS provides the hardware infrastructure that carries internet traffic, phone conversations, text messages and mobile data of telecom companies and government institutions. And the more sensitive the customer, the more likely he is the end up at BICS. The daughter company of Belgacom markets itself with the argument that they never ever look at what travels over its cables. “We provide the cables for you, and you just send whatever you want over them”, is what it basically boils down to.

A glance at the list of BICS’ customers makes one dizzy. The financial transport center Swift, Electrabel, bpost, Belgocontrol, they are all connected to BICS. The NATO in Evere, the European Commission and Parliament, SHAPE, the Supreme Headquerters Allied Powers Europe, in Bergen; BICS, BICS, BICS. Even the headquarters of the NATO Allied Air Command, in Ramstein, Germany, from where the 2011 air attacks on Libya where coordinated, depends on BICS. Among the military, it is pointed out that military communications has an extra layer of security; but that pointing-out happens with a degree of humility that is very unusual to the military. “Every organisation, not just the government, must now begin to wonder whether it is dependent of one single provider, of one single network. And specially how well it is secured itself”, states someone who was at the front row of the affair. “Belgacom, that is critical infrastructure. How can Belgium keep running without it? Those are the questions that we must ask now. Because the organisation responsible for the attack has in fact the capability to completely disrupt Belgacom and BICS.” A different source confirms, reluctantly, the doom scenarios: “You can’t think of it. It would be larger than 9/11. The planes would pretty much fall out of the sky.” As a figure of speech? “Hm, yeah.”

Lifeline

A governmental source points out the consequences of even a limited disruption of phone communications and internet. “If a crisis occurs, what is the first thing a human does? Grasp their phone. Imagine that that lifeline is lost. Not just for you, but also for the emergency services, hospital, the fire department…? And for the police? At first glance it isn’t, because they use the Astrid network [a Belgian national radio communications network intended for emergency services]. But that network only works apart from BICS for local communications. For interregional communications it is just as dependent on BICS as the rest. Hence, it is no coincidence that police chief Catherine De Bolle started looking for a backup for the communications system of the federal police on that Friday the 13th, just before the big cleaning operation would have started.

How long would it take before Belgacom was up and running again after a destructive cyber attack, is unclear. “But it is clear that we are not prepared to counter this type of attacks right now”, states a high-ranking source. “That awareness must finally start to grow. I am very apprehensive for the feeling of relief that I already observe in some people. ‘Ah well, that has been nicely dealt with. It’s over.’ It’s not, mind you. Whoever doesn’t realise, this week, that it is urgent, will never get it. Playing things down now is dangerous.”

After De Standaard brought the news of large-scale hacking at Belgacom, it turned out that the Ministry of Foreign Affairs and the cabinet of the prime minister had been hacked. “And this is merely the top of the iceberg”, states a source who was involved in the problems at Belgacom. Because telecom is one thing, but there are many other critical sectors that are the fundament of a country. Transportation, for example. Trains, trams, busses, highways, airplanes, everything involves computer networks and everywhere one should be cautious for cyber attacks. The energy supply is another critical fundament. And last but not least: the banking sector of a country. Luxembourg has already contacted the Belgian cyberservices [?] to obtain more information about the malware that hit Belgacom.

Awareness

Besides budgets and well-paid IT personnel, the remedy against the growing cyberthreat will be found in improved awareness. “Belgium wants to invest in knowledge and innovation, but if one sector is vulnerable to espionage, it is that one. Just as many computers of the global diplomatic network of Foreign Affairs have post-its one them with the passwords, many small companies are slacking in their security”, a cyber specialist states. “And if you dare ask whether their Chinese interns are thoroughly screened, they look at you as if you’re from another planet.” Whether the gravity of the situation is apparent to everyone, is doubtful. In official communications, Belgacom states that it currently has no evidence of impact on its customers or their data. Understandly, the company does not want to trigger hysteria, but it sounds like down-playing nonetheless. “What should we write then?”, states spokesman Jan Margot in his response. “The infection was at dozens of computers in our own system. They have been cleaned together with the entire network.”

BICS too doesn’t say much about it. “There are no indications of an impact on the telecomnetwork of BICS”, it states in a press release. “A number of our IT systems are integrated in the infrastructure of Belgacom and are affected in that way, but that remained outside the network that carries customer traffic.”

“That’s all put rather euphemistically”, according to the investigators involved. “But you cannot accuse them of lying. A lot of thought went into every comma of the communication.”

Joke

Did Belgium become the joke of de European mainland as a result of the compromise of Belgacom? Intelligence services are continuously in contact with each other and exchange information. For the image of our country, the past week has been anything but stellar, but it is emphasised nonetheless that in such contacts it is often also about personal relations between people. “Moreover, all countries have problems and everyone tries to rise above them.”

What about ethics? Isn’t it schizophrenic that our country, Belgium, receives information about threats that the US or others have stolen from us? “That is the eternal paradox”, a recipient of such information states. Diplomatically it is the hardest. But if you receive information about a serious threat such as terrorism, you cannot ignore it. Then you have different things on your mind.