GCHQ used fake LinkedIn pages bearing malware to attack Belgacom
Spy agency used LinkedIn and Slashdot pages injected with malware to compromise Belgium's national telecoms operator
British spy agency GCHQ has been accused of using fake LinkedIn profiles injected with malware to compromise the security of Belgium's national telecoms operator Belgacom.
The revelations made over the weekend flesh out allegations last month that GCHQ breached the security of Belgacom as it sought to spy on the communications of the European Union and EU heads of state.
The profiles were targeted at Belgacom engineers working in network maintenance and, ironically, security. GCHQ first profiled the engineers to establish whether they used LinkedIn or the technical news and comment website Slashdot, then lured them to fake copies of those sites' pages via emails purporting to come from those organisations.
Those pages served malware. Delivery is attributed to an "infiltration technology" GCHQ calls "Quantum Insert": in the public descriptions of the technique, a passive sensor spots the target's request for a site such as LinkedIn and races a forged response to the target's browser ahead of the genuine one, so the browser lands on an attacker-controlled copy of the page that serves the implant. In this way GCHQ was able to infiltrate Belgacom's internal network and that of its subsidiary, BICS, which carries the traffic when mobile users make calls or go online while abroad.
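The article only names Quantum Insert; in later public analysis the technique is a man-on-the-side race in which a forged TCP segment reaches the victim before the genuine server reply. That leaves a detectable artefact: two segments in the same flow that claim the same sequence number but carry different bytes (a benign retransmission repeats identical bytes). The following is an added detection example, not code from the article, GCHQ or any of the companies named; the packet records, addresses, ports and the lookalike hostname are all constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Segment:
    """One server-to-client TCP segment as a passive sensor would record it."""
    src: str
    sport: int
    dst: str
    dport: int
    seq: int
    payload: bytes


FlowKey = Tuple[str, int, str, int, int]  # (src, sport, dst, dport, seq)


def find_injections(segments: List[Segment]) -> List[dict]:
    """Flag flows where two segments share a sequence number but disagree on
    the bytes they carry. A retransmission repeats the same bytes; a
    man-on-the-side injector races a forged segment in front of the real one,
    so the later copy of that sequence number conflicts with the first."""
    first_seen: Dict[FlowKey, bytes] = {}
    alerts = []
    for s in segments:
        key = (s.src, s.sport, s.dst, s.dport, s.seq)
        if key not in first_seen:
            first_seen[key] = s.payload
            continue
        earlier = first_seen[key]
        overlap = min(len(earlier), len(s.payload))
        # Compare only the overlapping bytes so a partial retransmission
        # (same prefix, different length) is not reported as an injection.
        if overlap and earlier[:overlap] != s.payload[:overlap]:
            alerts.append({
                "flow": f"{s.src}:{s.sport} -> {s.dst}:{s.dport}",
                "seq": s.seq,
                "winner": earlier,    # what the client's TCP stack accepted
                "loser": s.payload,   # the genuine reply, discarded as a duplicate
            })
    return alerts


# Constructed sample capture (not real traffic). Addresses are documentation
# ranges; the redirect target is an invented lookalike host.
SERVER, CLIENT = "203.0.113.10", "192.0.2.5"
GENUINE = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>..."
FORGED = b"HTTP/1.1 302 Found\r\nLocation: http://linkedin.example-lookalike.test/\r\n\r\n"

SAMPLE = [
    # Flow 1: genuine page followed by a benign retransmission (same bytes).
    Segment(SERVER, 80, CLIENT, 52310, 4000, GENUINE),
    Segment(SERVER, 80, CLIENT, 52310, 4000, GENUINE),
    # Flow 2: forged redirect wins the race; the real reply arrives later
    # with the same sequence number and is dropped by the client.
    Segment(SERVER, 80, CLIENT, 52344, 9000, FORGED),
    Segment(SERVER, 80, CLIENT, 52344, 9000, GENUINE),
]

if __name__ == "__main__":
    for alert in find_injections(SAMPLE):
        print(f"possible injection in {alert['flow']} at seq {alert['seq']}")
        print("  accepted:", alert["winner"][:40])
        print("  dropped: ", alert["loser"][:40])
```

The check is only useful on a sensor that sees the traffic before the client's TCP stack reassembles it, and it cannot distinguish a state actor from any other on-path or near-path injector; it reports the race, not who ran it.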
The revelations were made in the German news magazine Der Spiegel, which, unlike the UK's national press, is beyond the reach of the government D-Notices restricting reporting of the fall-out from the disclosures by whistleblower Edward Snowden.
"The operation is not an isolated case, but in fact is only one of the signature projects of an elite British internet intelligence hacking unit working under the auspices of a group called MyNOC, or 'My Network Operations Centre'," claimed Der Spiegel.
It continued: "MyNOCs bring together employees from various GCHQ divisions to cooperate on especially tricky operations. In essence, a MyNOC is a unit that specialises in infiltrating foreign networks. Call it Her Majesty's hacking service, if you like."
The report seems to contradict claims made by GCHQ director Iain Lobban when he appeared before Parliament's Intelligence and Security Committee and told MPs that GCHQ only sought to monitor people and organisations whose activities posed a threat to Britain's national or economic security.
The documents reveal the extent to which spy agencies are able to use mobile communications to track people down and for surveillance. "We can locate, collect, exploit (in real time where appropriate) high-value mobile devices and services in a fully converged target centric manner," states one GCHQ document from 2011.
"According to the presentation, in the case of Belgacom this involved the 'exploitation of GRX [GPRS roaming exchange] routers', from which so-called man-in-the-middle attacks could be launched against the subjects' smartphones," explained Der Spiegel. This would enable GCHQ to tap the internet communications of their targets and, potentially, implant spying software on their devices.
The GRX routers represent a single point of access and compromise for attackers such as GCHQ because, according to Der Spiegel, there are only about two dozen worldwide.
"But this isn't the only portal into the world of global mobile communications that GCHQ has exploited. Another MyNOC operation, 'Wylekey', targets 'international mobile billing clearing houses'," it continues. These process the international payment transactions between mobile operators, so their records show which subscriber called whom, and when. GCHQ therefore also targeted these organisations to obtain that call metadata.
Comfone, Syniverse and Starhome Mach were all targeted by GCHQ for this information.
The research into targets that worked at Belgacom and telecoms billing companies included not just LinkedIn profiles, but also Skype user names, home IP addresses, tablet computer use, Gmail addresses and any other social profiles that could be used to help compromise targets.