[ExI] Belgacom Hack (EN translation)

Eugen Leitl eugen at leitl.org
Tue Sep 24 09:03:56 UTC 2013

----- Forwarded message from coderman <coderman at gmail.com> -----

Date: Mon, 23 Sep 2013 19:46:35 -0700
From: coderman <coderman at gmail.com>
To: cpunks <cypherpunks at cpunks.org>
Subject: Belgacom Hack (EN translation)

http://cryptome.org/2013/09/belgacom-hack-en.htm /


On the brink of catastrophe (2013-09-21)

Ping. It's Friday the 13th. Around 11 o'clock in the morning, the IT
consultants that Belgacom employs at its largest customers in the
private and public sector receive a message. The message doesn't say
much, except for an urgent request to cancel all appointments of that
forenoon. An "emergency conference call" will take place instead.

The news that is brought in that call makes the IT consultants gasp
for breath.  A piece of malicious software has been found on the
network of BICS, a daughter company of Belgacom. It is hard to grasp
even for well-informed insiders. The BICS network is so wide and deep
that it is promptly clear to everybody that this is not just a Belgian
problem. This problem is at least of European proportions. Because
whoever controls BICS, controls the communication of a large part of
the world. "This could have been larger than 9/11", says one source
who closely followed the case. Without a grain of irony.

The pressure on the teams of the Dutch digital defender Fox-IT, that
started cleaning up together with an army of Belgacom employees last
weekend, was enormous.

It was their second attempt, various sources confirm. A first attempt
to remove the villainous software from the infected computers at
Belgacom in the last weekend of August was cancelled. "At the time,
not all conditions were met required to remove everything at once", it
was said. Some computers turned out to run the alternative operating
system Linux, known of the penguin logo, not Windows. "The risk was
too big that we could not remove everything at once.  In that case you
should not touch it. Or the adversary will know that the virus has
been found", states someone politically involved.

Strict conditions

The investigation of the hacking started on July 19th, when Belgacom
went to court. During their work, investigators at the intelligence
services, police and justice were very wary of a leak about the entire
operation. In early September they informed the Belgian cabinet on
strict conditions: the list of attendees of that meeting was kept
closely. If a politician would have wanted to reveal the news before
the malware was dealt with, the investigators would press charges for
breach of confidentiality of the investigation. "We could not risk
everything going wrong due to someone talking", it is said.

Belgacom was not infected with some common viruses, but with very
professional malware that costed lots of money to develop. "We had to
re-invent ourselves to do this", an investigator said. "In other
investigations there is a fixed idea of where you're going, but in in
this case it was continuously starting over because it was so
difficult to get a grasp of the malware".

Gradually it became clear that the hackers are not only interested in
the communications in the Middle-East, where BICS holds a solid
position via South-African minority shareholder MTN. "They have been
looking around and took what they could", state sources involved in
the investigation. They are clear about one thing: the attack
originated from the United States. "We determine that by the signature
of the malware, but especially by where the trails lead.  They
partially run through the UK. We think the US is the main destination.
And the past weeks at the US Embassy, you notice some embarrassment
when you request exchange of information." Yesterday, the German
weekly magazine Der Spiegel reported that the UK intelligence service
GCHQ (Government Communications Headquartes) are responsible for the
attacks. It based that claim on slides disclosed by whistleblower
Edward Snowden. The news that GCHQ is behind the Belgacom attack is a
surprise to at least the services working on the affair.

The malware could do anything

The malware at Belgacom actually consists of a complex system of
complementary viruses. They are all connected. If a problem is
imminent or if they are detected, they can signal each other. "It is
somewhat like a human virus, which also mutates continuously", states
someone involved who monitors the situation for his service.  "For
example, one part is responsible for searching and storing
information, while another part is continuously looks for pathways to
the internet to transfer information. Other pieces of code are
responsible for circumventing firewalls, or carry out surveillance.
If someone detects the hacking or attempts to remove a part of it, the
virus that is acting as a guard promptly signals the other parts.
Because you don't know what the malware is capable of, everything can
go horribly wrong at the last step."

The cost of the entire detection and cleaning operation is
correspondingly high. Fox-IT, the Dutch cyber security/defence company
that is commissioned by Belgacom to first make inventory of the
problems and then solve them, is a familiar name. "For the first two
weeks they estimated the costs to be one million euro", states a
well-placed source. And then adds that the entire operation lasted ten
weeks. Moreover, Fox-IT did not expect that, at a certain point, it
had to allocate all of its employees to this case. A price tag of over
five million euro, then? "It won't be far off."

But what was so terrifying about this cyber attack? And why the panic
that something would go wrong? Telephone data about conversations with
countries such as Afghanistan, Yemen and Syria that disappear, how
could that have such an impact? They are 'just' stolen phone data,
right? The involved expert sitting opposite us, looks dead serious.
There is drama in his voice, but considering the contents of what he
says, that is not unjustified. "This was highly performing malware and
it was present in the nerve centre of communications.  Anything that a
highly privileged network operator of Belgacom could do, this system
could do as well. I don't have to make a drawing of it? It had all the
keys, all the passwords and full control. We must dare to classify
this as a big crisis. This could have been a catastrophe. And people
don't seem to realize."

Sensitive customers

Perhaps it wouldn't hurt to make that drawing. BICS calls itself a
"wholesale carrier". Two words, four syllables, but behind it is a
network that spans the entire globe and the beating heart of which is
located in our capital, Brussels. BICS provides the hardware
infrastructure that carries internet traffic, phone conversations,
text messages and mobile data of telecom companies and government
institutions. And the more sensitive the customer, the more likely he
is the end up at BICS. The daughter company of Belgacom markets itself
with the argument that they never ever look at what travels over its
cables. "We provide the cables for you, and you just send whatever you
want over them", is what it basically boils down to.

A glance at the list of BICS' customers makes one dizzy. The financial
transport center Swift, Electrabel, bpost, Belgocontrol, they are all
connected to BICS.  The NATO in Evere, the European Commission and
Parliament, SHAPE, the Supreme Headquerters Allied Powers Europe, in
Bergen; BICS, BICS, BICS. Even the headquarters of the NATO Allied Air
Command, in Ramstein, Germany, from where the 2011 air attacks on
Libya where coordinated, depends on BICS. Among the military, it is
pointed out that military communications has an extra layer of
security; but that pointing-out happens with a degree of humility that
is very unusual to the military.  "Every organisation, not just the
government, must now begin to wonder whether it is dependent of one
single provider, of one single network. And specially how well it is
secured itself", states someone who was at the front row of the
affair. "Belgacom, that is critical infrastructure. How can Belgium
keep running without it? Those are the questions that we must ask now.
 Because the organisation responsible for the attack has in fact the
capability to completely disrupt Belgacom and BICS." A different
source confirms, reluctantly, the doom scenarios: "You can't think of
it. It would be larger than 9/11. The planes would pretty much fall
out of the sky." As a figure of speech?  "Hm, yeah."


A governmental source points out the consequences of even a limited
disruption of phone communications and internet. "If a crisis occurs,
what is the first thing a human does? Grasp their phone. Imagine that
that lifeline is lost.  Not just for you, but also for the emergency
services, hospital, the fire department...? And for the police? At
first glance it isn't, because they use the Astrid network [a Belgian
national radio communications network intended for emergency
services].  But that network only works apart from BICS for local
communications.  For interregional communications it is just as
dependent on BICS as the rest. Hence, it is no coincidence that police
chief Catherine De Bolle started looking for a backup for the
communications system of the federal police on that Friday the 13th,
just before the big cleaning operation would have started.

How long would it take before Belgacom was up and running again after
a destructive cyber attack, is unclear. "But it is clear that we are
not prepared to counter this type of attacks right now", states a
high-ranking source. "That awareness must finally start to grow. I am
very apprehensive for the feeling of relief that I already observe in
some people. 'Ah well, that has been nicely dealt with. It's over.'
It's not, mind you. Whoever doesn't realise, this week, that it is
urgent, will never get it. Playing things down now is dangerous."

After De Standaard brought the news of large-scale hacking at
Belgacom, it turned out that the Ministry of Foreign Affairs and the
cabinet of the prime minister had been hacked. "And this is merely the
top of the iceberg", states a source who was involved in the problems
at Belgacom.  Because telecom is one thing, but there are many other
critical sectors that are the fundament of a country. Transportation,
for example. Trains, trams, busses, highways, airplanes, everything
involves computer networks and everywhere one should be cautious for
cyber attacks. The energy supply is another critical fundament. And
last but not least: the banking sector of a country. Luxembourg has
already contacted the Belgian cyberservices [?] to obtain more
information about the malware that hit Belgacom.


Besides budgets and well-paid IT personnel, the remedy against the
growing cyberthreat will be found in improved awareness. "Belgium
wants to invest in knowledge and innovation, but if one sector is
vulnerable to espionage, it is that one. Just as many computers of the
global diplomatic network of Foreign Affairs have post-its one them
with the passwords, many small companies are slacking in their
security", a cyber specialist states. "And if you dare ask whether
their Chinese interns are thoroughly screened, they look at you as if
you're from another planet." Whether the gravity of the situation is
apparent to everyone, is doubtful. In official communications,
Belgacom states that it currently has no evidence of impact on its
customers or their data.  Understandly, the company does not want to
trigger hysteria, but it sounds like down-playing nonetheless. "What
should we write then?", states spokesman Jan Margot in his response.
"The infection was at dozens of computers in our own system. They have
been cleaned together with the entire network."

BICS too doesn't say much about it. "There are no indications of an
impact on the telecomnetwork of BICS", it states in a press release.
"A number of our IT systems are integrated in the infrastructure of
Belgacom and are affected in that way, but that remained outside the
network that carries customer traffic."

"That's all put rather euphemistically", according to the
investigators involved.  "But you cannot accuse them of lying. A lot
of thought went into every comma of the communication."


Did Belgium become the joke of de European mainland as a result of the
compromise of Belgacom? Intelligence services are continuously in
contact with each other and exchange information. For the image of our
country, the past week has been anything but stellar, but it is
emphasised nonetheless that in such contacts it is often also about
personal relations between people. "Moreover, all countries have
problems and everyone tries to rise above them."

What about ethics? Isn't it schizophrenic that our country, Belgium,
receives information about threats that the US or others have stolen
from us? "That is the eternal paradox", a recipient of such
information states. Diplomatically it is the hardest. But if you
receive information about a serious threat such as terrorism, you
cannot ignore it. Then you have different things on your mind.


----- End forwarded message -----
Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org
ICBM: 48.07100, 11.36820 http://ativel.com http://postbiota.org
AC894EC5: 38A5 5F46 A4FF 59B8 336B  47EE F46E 3489 AC89 4EC5
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: Digital signature
URL: <http://lists.extropy.org/pipermail/extropy-chat/attachments/20130924/7fc55bb7/attachment.bin>

More information about the extropy-chat mailing list