Late last year, documents from Edward Snowden’s NSA trove have revealed that Britain’s GCHQ has allegedly mounted a successful attack against primarily state-owned Belgacom, the largest telecom in Belgium, and its subsidiary Belgacom International Carrier Services (BICS), a Global Roaming Exchange (GRX) provider.
Belgacom has, in mid-September 2013, announced that it has found evidence of it and that the technology used for it points towards an espionage effort mounted by a foreign state, but have not said which state they think it was.
It is widely believed that the ultimate goal of this “Operation Socialist” was to gain access to BICS’ central roaming router that processes international traffic so that the attackers could gain the ability to mount MITM attacks targeting specific smartphone users.
Last week the company’s head of security and information management Fabrice Clement has been interviewed (translation via Google Translate) by Mondiaal News’ Kristof Clerix, and shared some more technical details about the attack, about the company’s concentrated efforts to clean up their compromised systems, and about the economic consequences of the breach.
The public confirmation of the hack came in September 2013, but according to Clement, they detected “an abnormal process” on one of their email servers three months earlier.
The discovery spurred an detailed investigation. Dutch infosec consultancy Fox IT was called and sent a team of forensic specialists a few days later. In the next two weeks, they discovered that the malware they found was not your run-of-the-mill malware, but was a type of malicious software usually associated with APT actors.
“It was clearly a new generation of malware that previously had never been established,” he noted. “It was also very well hidden.”
The malware was delivered onto the system via a dropper that “assembled the malware based on many small pieces of software hidden in dozens of databases,” and then deleted itself. The malware was encrypted with a key unique for every infected system.
26,000 systems were found to be infected: email and share point servers, as well as the technical staff’s workstations.
It took a group of some 200 people two months to clean up all the mess, and they created custom scanning software to identify infected systems. PCs were reinstalled, servers reconstructed. The investigation and the cleanup operation were performed simultaneously.
It’s still unknown how long the malware was active before they detected it. It’s also not known who was behing the attack. Clement is hoping the Belgian federal prosecutor will find out – the criminal investigation is still ongoing. He says that they have no indication that the Americans or British were involved.
The attackers apparently exfiltrated very little information, but it was encrypted and it’s impossible to know what it was. They believe it might have been technical information about Belgacom’s and BICS’ networks.
In the end, it cost the company 15 million Euros to resolve the incident and up their cyber defenses to prevent new ones. They have in-house ethical hackers and a CyberSecurity Incident Response Team. They have implemented a security awareness program and testing.
Clement says they have not lost any customers over this thing, and that their stock price hasn’t taken a dive.