Back in September 2013, Belgacom (now Proximus), the largest telecommunications company in Belgium and primarily state-owned, announced that its IT infrastructure had suffered a malware-based attack.
We return to this incident because the Belgian newspaper De Standaard has provided more details from a Belgian judicial investigation into the alleged involvement of the British GCHQ.
Many experts linked the Regin malware to the Five Eyes alliance: they found alleged references to the spyware in a number of presentations leaked by Edward Snowden, and according to malware researchers it has been used in targeted attacks against government agencies in the EU and against the Belgian telecoms company Belgacom.
According to Snowden, the UK's signals intelligence agency hacked into the Belgian telco to spy on private communications in transit through its infrastructure.
This week the Belgian newspaper De Standaard reported that investigators had found proof that the hack “was the work of the GCHQ, an intelligence service of ally Great Britain”.
“This can all be read in a confidential report from the federal prosecutor’s office that the National Security Council discussed at the beginning of this week,” reported De Standaard.
The newspaper also states that federal prosecutors found evidence of UK intelligence involvement in the hack that is independent of the Snowden revelations.
“Specifically, these are IP addresses of computers where the spyware software communicated from Belgacom. Three of those addresses were owned by a British company, indicating that the spy software manager is in Great Britain,” continues the newspaper.
The newspaper added that the British Home Office refused to cooperate with the investigation.
If confirmed, the situation is disconcerting: the UK, along with other members of the Five Eyes, was spying on a telco company belonging to a member of the NATO alliance.
The investigation revealed that the malware-based attack was powered by GCHQ and code-named Operation Socialist.
During the attack, between 2000 and early 2010, the hackers targeted company admins with spear-phishing attacks aimed at infecting their machines.
Attackers infected at least three Belgian engineers' machines and used them as entry points into Belgacom's networks, then went on to infect more than 5,000 machines.
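The two pieces of evidence the article describes, infected administrator workstations used as entry points and outbound spyware connections to addresses registered to a company in Britain, are exactly what a network defender would look for in firewall or proxy logs. The following Python script is an added example written for this article, not code from Security Affairs, De Standaard or the investigation: it correlates constructed log lines against a watchlist of suspected command-and-control addresses, flags which internal hosts (and which administrator hosts in particular) contacted them, and measures the spacing between contacts to reveal beacon-like periodicity. All IP addresses (RFC 5737 documentation ranges), registrant names, host lists and log lines are constructed placeholders.

```python
"""Added example (not from the article): correlate outbound connection logs
against a watchlist of suspected command-and-control (C2) addresses and look
for regular beaconing. Every address, owner name and log line is constructed."""
from collections import defaultdict
from datetime import datetime
import re

# Constructed watchlist of suspected C2 addresses mapped to a hypothetical
# registrant, mirroring the "three addresses owned by a British company" clue.
C2_WATCHLIST = {
    "198.51.100.7": "ExampleCo Ltd (GB)",   # hypothetical registrant
    "198.51.100.19": "ExampleCo Ltd (GB)",
    "203.0.113.44": "unknown hoster",
}

# Constructed list of network administrators' workstations, the hosts that
# spear-phishing would target first.
ADMIN_HOSTS = {"10.1.5.23", "10.1.5.24"}

# Constructed firewall log: "<timestamp> src=<ip> dst=<ip> dport=<n> bytes=<n>"
SAMPLE_LOG = """\
2013-09-01T08:01:02Z src=10.1.5.23 dst=198.51.100.7 dport=443 bytes=1320
2013-09-01T08:01:40Z src=10.1.7.90 dst=93.184.216.34 dport=443 bytes=50211
2013-09-01T08:11:02Z src=10.1.5.23 dst=198.51.100.7 dport=443 bytes=1316
this line is malformed and must be skipped
2013-09-01T08:21:03Z src=10.1.5.23 dst=198.51.100.7 dport=443 bytes=1322
2013-09-01T09:00:00Z src=10.1.5.24 dst=203.0.113.44 dport=8443 bytes=7004
2013-09-01T09:30:10Z src=10.1.9.11 dst=198.51.100.19 dport=443 bytes=1290
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) bytes=(?P<bytes>\d+)$"
)


def parse_log(text):
    """Yield one record per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        rec["dport"] = int(rec["dport"])
        rec["bytes"] = int(rec["bytes"])
        yield rec


def find_c2_contacts(text, watchlist=C2_WATCHLIST, admin_hosts=ADMIN_HOSTS):
    """Map each internal host that reached a watchlisted address to
    {"c2": {dst: hit_count}, "is_admin": bool}."""
    hits = defaultdict(lambda: defaultdict(int))
    for rec in parse_log(text):
        if rec["dst"] in watchlist:
            hits[rec["src"]][rec["dst"]] += 1
    return {
        src: {"c2": dict(dsts), "is_admin": src in admin_hosts}
        for src, dsts in hits.items()
    }


def summarize_owners(contacts, watchlist=C2_WATCHLIST):
    """Count distinct watchlisted addresses contacted, grouped by registrant:
    the attribution step the investigators are reported to have used."""
    owners = defaultdict(set)
    for info in contacts.values():
        for dst in info["c2"]:
            owners[watchlist[dst]].add(dst)
    return {owner: len(addrs) for owner, addrs in owners.items()}


def beacon_intervals(text, watchlist=C2_WATCHLIST):
    """Seconds between successive contacts for each (src, dst) watchlisted
    pair. Near-constant intervals are the signature of an implant beacon."""
    seen = defaultdict(list)
    for rec in parse_log(text):
        if rec["dst"] in watchlist:
            seen[(rec["src"], rec["dst"])].append(rec["ts"])
    return {
        pair: [int((b - a).total_seconds()) for a, b in zip(ts, ts[1:])]
        for pair, ts in seen.items()
    }


if __name__ == "__main__":
    contacts = find_c2_contacts(SAMPLE_LOG)
    for host, info in contacts.items():
        tag = "ADMIN " if info["is_admin"] else ""
        print(f"{tag}{host} -> {info['c2']}")
    print("by owner:", summarize_owners(contacts))
    print("intervals:", beacon_intervals(SAMPLE_LOG))
```

Run as a script it prints, for the constructed log, two administrator hosts and one ordinary host talking to watchlisted addresses, two of those addresses attributed to the same hypothetical British registrant, and a roughly 600-second beacon from one admin workstation. On real data the watchlist would come from the investigation's indicators and the log from the perimeter firewall or proxy; the periodicity check is what separates an implant calling home from a one-off visit to a suspicious address.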
“A GCHQ document reviewing operations conducted between January and March 2011 noted that the hack on Belgacom was successful, and stated that the agency had obtained access to the company’s systems as planned. By installing the malware on the engineers’ computers, the spies had gained control of their machines, and were able to exploit the broad access the engineers had into the networks for surveillance purposes,” wrote The Intercept.
“The document stated that the hacking attack against Belgacom had penetrated ‘both deep into the network and at the edge of the network,’ adding that ongoing work would help ‘further this new access.’”
GCHQ targeted the Belgacom International Carrier Services mainly because it handled a large amount of Middle Eastern roaming traffic.
(Security Affairs – Belgacom, GCHQ)