GCHQ cyber-attack cost 'several million euros', says Belgacom security head Fabrice Clément

GCHQ's Belgacom attack mainly compromised staff with technical profiles, says Clément, in wide-ranging interview

The alleged attack by Britain's security agency, GCHQ, on Belgium's national telecom operator, Belgacom, cost the company "several million euros" to clean up - plus an investment of a further €15m beefing up the organisation's security response, according to the company's head of security and information management, Fabrice Clément.

Reportedly referred to as "Operation Socialist" by GCHQ, the attack involved a sophisticated man-in-the-middle attack on Belgacom International Carrier Services (Bics), which intercepted the web traffic of targets, redirecting them to a fake LinkedIn page. Their PCs were then infected with unnamed malware, enabling the GCHQ attackers to access Belgacom's internal corporate network.

The attack was revealed in a leaked document from the cache of US National Security Agency (NSA) whistleblower Edward Snowden, which was published in German newspaper Der Spiegel. LinkedIn denied any involvement in the attack and the disclosure caused a diplomatic incident in Europe.

But in a surprisingly candid interview with Belgium's Mondiaal News, Clément admitted that cleaning up after the attack had been exposed cost the company "several million euros", plus a further €15m investment beefing up security. He also said that the company had first identified the attack in June 2013, but only three months later realised the enormity and sophistication of the attack.

"We detected an abnormal process on one of our email servers. We did a quick analysis and discovered that it was malware. Then we immediately started a detailed investigation... [The attack] was extremely sophisticated. It was clearly a new generation of malware that previously had never been established. It was also very well hidden," he said.

He continued: "We found a dropper, the process by which the malware had been installed. This assembled the malware based on many small pieces of software hidden in dozens of databases. The dropper then installed the malware and erased its tracks. The malware was additionally encrypted, at different levels. The encryption was unique and specific for each infected system."

A total of 124 systems, including email and SharePoint servers, were infected out of some 26,000 PCs and workstations. A specialist forensic investigation, led by Dutch company Fox-IT, was conducted, involving as many as 200 people - including lawyers and IT engineers - and even stretched into the company's supply chain. The clean-up took two months.

"Everyone had to sign a document to ensure confidentiality. We also worked with the Federal Computer Crime Unit of the [Belgian] police, the Regional Computer Crime Unit, the military intelligence GISS and State Security," said Clément.

Internally, the investigation also engaged the IT department, as well as corporate communications and the legal department, and included daily "crisis management" meetings that involved the company's vice presidents.

However, although the Snowden leaks implicated GCHQ, Clément said that the company cannot be sure who was responsible. The criminal investigation is still ongoing.

Indeed, Clément said that very little data - as far as Belgacom's investigation could ascertain - was actually transferred.

"The volume of traffic was extremely low - only a few kilobytes. The malware was clearly not designed to intercept data in bulk. They were not out to copy databases. It was very specific information... But what exactly? We have no indication about that," he said.

Ironically, perhaps, Belgacom has had a team of "ethical hackers" working in-house for some five years, supposedly testing the telecom company's security, as well as an internal IT security team, called Cyber Security Incident Response Team (CSIRT), which monitors the company's networks round the clock. The company also seeks to educate staff in better cyber security.

In one of its initiatives, for example, it sent a phishing email to staff that promised the chance to win a Samsung Galaxy smartphone if they clicked a link - half of the company's staff clicked on the link, according to Clément.

Correction: Earlier, we stated that the attack had cost €15m. We are informed that it cost "several million euros" and that the €15m figure was the price of the extra security measures implemented, including taking on specialist staff, taken following the attack. We also erroneously suggested that 26,000 PCs and workstations had been affected. Belgacom tells us that it was 124 systems out of 26,000 that were affected.