23 September 2013
Belgacom Hack (EN)
Date: Mon, 23 Sep 2013 14:32:57 +0200
Subject: Re: Belgacom Hack
From: Matthijs Koot <mrkoot[at]gmail.com>
To: John Young <jya[at]pipeline.com>
I posted the below at
Use this content however you want.
Original Dutch source:
On the brink of catastrophe (2013-09-21)
Ping. It's Friday the 13th. Around 11 o'clock in the morning, the IT consultants
that Belgacom employs at its largest customers in the private and public
sector receive a message. The message doesn't say much, except for an urgent
request to cancel all appointments of that forenoon. An "emergency conference
call" will take place instead.
The news that is brought in that call makes the IT consultants gasp for
breath. A piece of malicious software has been found on the network
of BICS, a daughter company of Belgacom.
It is hard to grasp even for well-informed insiders. The BICS network is
so wide and deep that it is promptly clear to everybody that this is not
just a Belgian problem. This problem is at least of European proportions.
Because whoever controls BICS, controls the communication of a large part
of the world. "This could have been larger than 9/11", says one source who
closely followed the case. Without a grain of irony.
The pressure on the teams of the Dutch digital defender
Fox-IT, that started cleaning up
together with an army of Belgacom employees last weekend, was enormous.
It was their second attempt, various sources confirm. A first attempt to
remove the villainous software from the infected computers at Belgacom in
the last weekend of August was cancelled. "At the time, not all conditions
were met required to remove everything at once", it was said. Some computers
turned out to run the alternative operating system Linux, known of the penguin
logo, not Windows. "The risk was too big that we could not remove everything
at once. In that case you should not touch it. Or the adversary will
know that the virus has been found", states someone politically involved.
The investigation of the hacking started on July 19th, when Belgacom went
to court. During their work, investigators at the intelligence services,
police and justice were very wary of a leak about the entire operation. In
early September they informed the Belgian cabinet on strict conditions: the
list of attendees of that meeting was kept closely. If a politician would
have wanted to reveal the news before the malware was dealt with, the
investigators would press charges for breach of confidentiality of the
investigation. "We could not risk everything going wrong due to someone talking",
it is said.
Belgacom was not infected with some common viruses, but with very professional
malware that costed lots of money to develop. "We had to re-invent ourselves
to do this", an investigator said. "In other investigations there is a fixed
idea of where you're going, but in in this case it was continuously starting
over because it was so difficult to get a grasp of the malware".
Gradually it became clear that the hackers are not only interested in the
communications in the Middle-East, where BICS holds a solid position via
South-African minority shareholder MTN. "They have been looking around and
took what they could", state sources involved in the investigation. They
are clear about one thing: the attack originated from the United States.
"We determine that by the signature of the malware, but especially by where
the trails lead. They partially run through the UK. We think the US
is the main destination. And the past weeks at the US Embassy, you notice
some embarrassment when you request exchange of information." Yesterday,
the German weekly magazine Der Spiegel
that the UK intelligence service GCHQ (Government Communications Headquartes)
are responsible for the attacks. It based that claim on slides disclosed
by whistleblower Edward Snowden. The news that GCHQ is behind the Belgacom
attack is a surprise to at least the services working on the affair.
The malware could do anything
The malware at Belgacom actually consists of a complex system of complementary
viruses. They are all connected. If a problem is imminent or if they are
detected, they can signal each other. "It is somewhat like a human virus,
which also mutates continuously", states someone involved who monitors the
situation for his service. "For example, one part is responsible for
searching and storing information, while another part is continuously looks
for pathways to the internet to transfer information. Other pieces of code
are responsible for circumventing firewalls, or carry out surveillance.
If someone detects the hacking or attempts to remove a part of it, the virus
that is acting as a guard promptly signals the other parts. Because you don't
know what the malware is capable of, everything can go horribly wrong at
the last step."
The cost of the entire detection and cleaning operation is correspondingly
high. Fox-IT, the Dutch cyber security/defence company that is commissioned
by Belgacom to first make inventory of the problems and then solve them,
is a familiar name. "For the first two weeks they estimated the costs to
be one million euro", states a well-placed source. And then adds that the
entire operation lasted ten weeks. Moreover, Fox-IT did not expect that,
at a certain point, it had to allocate all of its employees to this case.
A price tag of over five million euro, then? "It won't be far off."
But what was so terrifying about this cyber attack? And why the panic that
something would go wrong? Telephone data about conversations with countries
such as Afghanistan, Yemen and Syria that disappear, how could that have
such an impact? They are 'just' stolen phone data, right? The involved expert
sitting opposite us, looks dead serious. There is drama in his voice,
but considering the contents of what he says, that is not unjustified. "This
was highly performing malware and it was present in the nerve centre of
communications. Anything that a highly privileged network operator
of Belgacom could do, this system could do as well. I don't have to make
a drawing of it? It had all the keys, all the passwords and full control.
We must dare to classify this as a big crisis. This could have been a
catastrophe. And people don't seem to realize."
Perhaps it wouldn't hurt to make that drawing. BICS calls itself a "wholesale
carrier". Two words, four syllables, but behind it is a network that spans
the entire globe and the beating heart of which is located in our capital,
Brussels. BICS provides the hardware infrastructure that carries internet
traffic, phone conversations, text messages and mobile data of telecom companies
and government institutions. And the more sensitive the customer, the more
likely he is the end up at BICS. The daughter company of Belgacom markets
itself with the argument that they never ever look at what travels over its
cables. "We provide the cables for you, and you just send whatever you want
over them", is what it basically boils down to.
A glance at the list of BICS' customers makes one dizzy. The financial transport
center Swift, Electrabel, bpost, Belgocontrol, they are all connected to
BICS. The NATO in Evere, the European Commission and Parliament, SHAPE,
the Supreme Headquerters Allied Powers Europe, in Bergen; BICS, BICS, BICS.
Even the headquarters of the NATO Allied Air Command, in Ramstein, Germany,
from where the 2011 air attacks on Libya where coordinated, depends on BICS.
Among the military, it is pointed out that military communications has an
extra layer of security; but that pointing-out happens with a degree of humility
that is very unusual to the military. "Every organisation, not just
the government, must now begin to wonder whether it is dependent of one single
provider, of one single network. And specially how well it is secured itself",
states someone who was at the front row of the affair. "Belgacom, that is
critical infrastructure. How can Belgium keep running without it? Those are
the questions that we must ask now. Because the organisation responsible
for the attack has in fact the capability to completely disrupt Belgacom
and BICS." A different source confirms, reluctantly, the doom scenarios:
"You can't think of it. It would be larger than 9/11. The planes would pretty
much fall out of the sky." As a figure of speech? "Hm, yeah."
A governmental source points out the consequences of even a limited disruption
of phone communications and internet. "If a crisis occurs, what is the first
thing a human does? Grasp their phone. Imagine that that lifeline is lost.
Not just for you, but also for the emergency services, hospital, the fire
department...? And for the police? At first glance it isn't, because they
network [a Belgian national radio communications network intended for
emergency services]. But that network only works apart from BICS for
local communications. For interregional communications it is just as
dependent on BICS as the rest. Hence, it is no coincidence that police chief
Catherine De Bolle started looking for a backup for the communications system
of the federal police on that Friday the 13th, just before the big cleaning
operation would have started.
How long would it take before Belgacom was up and running again after a
destructive cyber attack, is unclear. "But it is clear that we are not prepared
to counter this type of attacks right now", states a high-ranking source.
"That awareness must finally start to grow. I am very apprehensive for the
feeling of relief that I already observe in some people. 'Ah well, that has
been nicely dealt with. It's over.' It's not, mind you. Whoever doesn't realise,
this week, that it is urgent, will never get it. Playing things down now
After De Standaard brought the news of large-scale hacking at Belgacom, it
turned out that the Ministry of Foreign
Affairs and the cabinet of the prime minister had been hacked. "And this
is merely the top of the iceberg", states a source who was involved in the
problems at Belgacom. Because telecom is one thing, but there are many
other critical sectors that are the fundament of a country. Transportation,
for example. Trains, trams, busses, highways, airplanes, everything involves
computer networks and everywhere one should be cautious for cyber attacks.
The energy supply is another critical fundament. And last but not least:
the banking sector of a country. Luxembourg has already contacted the Belgian
cyberservices [?] to obtain more information about the malware that hit Belgacom.
Besides budgets and well-paid IT personnel, the remedy against the growing
cyberthreat will be found in improved awareness. "Belgium wants to invest
in knowledge and innovation, but if one sector is vulnerable to espionage,
it is that one. Just as many computers of the global diplomatic network of
Foreign Affairs have post-its one them with the passwords, many small companies
are slacking in their security", a cyber specialist states. "And if you dare
ask whether their Chinese interns are thoroughly screened, they look at you
as if you're from another planet." Whether the gravity of the situation is
apparent to everyone, is doubtful. In official communications, Belgacom states
that it currently has no evidence of impact on its customers or their
data. Understandly, the company does not want to trigger hysteria,
but it sounds like down-playing nonetheless. "What should we write then?",
states spokesman Jan Margot in his response. "The infection was at dozens
of computers in our own system. They have been cleaned together with the
BICS too doesn't say much about it. "There are no indications of an impact
on the telecomnetwork of BICS", it states in a press release. "A number
of our IT systems are integrated in the infrastructure of Belgacom and are
affected in that way, but that remained outside the network that carries
"That's all put rather euphemistically", according to the investigators
involved. "But you cannot accuse them of lying. A lot of thought went
into every comma of the communication."
Did Belgium become the joke of de European mainland as a result of the compromise
of Belgacom? Intelligence services are continuously in contact with each
other and exchange information. For the image of our country, the past week
has been anything but stellar, but it is emphasised nonetheless that in such
contacts it is often also about personal relations between people. "Moreover,
all countries have problems and everyone tries to rise above them."
What about ethics? Isn't it schizophrenic that our country, Belgium, receives
information about threats that the US or others have stolen from us? "That
is the eternal paradox", a recipient of such information states. Diplomatically
it is the hardest. But if you receive information about a serious threat
such as terrorism, you cannot ignore it. Then you have different things on