Quantum Spying GCHQ Used Fake LinkedIn Pages to Target Engineers
Elite GCHQ teams targeted employees of mobile communications companies and billing companies to gain access to their company networks. The spies used fake copies of LinkedIn profiles as one of their tools.
The Belgacom employees probably thought nothing was amiss when they pulled up their profiles on LinkedIn, the professional networking site. The pages looked the way they always did, and they didn't take any longer than usual to load.
The victims didn't notice that what they were looking at wasn't the original site but a fake profile with one invisible added feature: a small piece of malware that turned their computers into tools for Britain's GCHQ intelligence service.
The British intelligence workers had already thoroughly researched the engineers. According to a "top secret" GCHQ presentation disclosed by NSA whistleblower Edward Snowden, they began by identifying employees who worked in network maintenance and security for the partly government-owned Belgian telecommunications company Belgacom.
Then they determined which of the potential targets used LinkedIn or Slashdot.org, a popular news website in the IT community.
The computers of these "candidates" were then infected with computer malware that had been placed using infiltration technology the intelligence agency refers to as "Quantum Insert," which enabled the GCHQ spies to deeply infiltrate the Belgacom internal network and that of its subsidiary BICS, which operates a so-called GRX router system. This type of router is required when users make calls or go online with their mobile phones while abroad.
SPIEGEL's initial reporting on "Operation Socialist," a GCHQ program that targeted Belgacom, triggered an investigation by Belgian public prosecutors. In addition, two committees of the European Parliament are investigating an attack by a European Union country on the leading telecommunications provider in another EU member state.
The operation is not an isolated case, but in fact is only one of the signature projects of an elite British Internet intelligence hacking unit working under the auspices of a group called MyNOC, or "My Network Operations Centre." MyNOCs bring together employees from various GCHQ divisions to cooperate on especially tricky operations. In essence, a MyNOC is a unit that specializes in infiltrating foreign networks. Call it Her Majesty's hacking service, if you like.
When GCHQ Director Iain Lobban appeared before the British parliament last Thursday, he made an effort to reassure lawmakers alarmed by recent revelations. British intelligence couldn't exactly stand back and watch the United Kingdom be targeted for industrial espionage, Lobban said. But, he noted, only those whose activities pose a threat to the national or economic security of the United Kingdom could in fact be monitored by his agency.
A Visit from Charles and Camilla
Even members of the royal family occasionally stop by to see what British intelligence is up to. In one photo that appears in a secret document, Charles, the Prince of Wales, and his wife Camilla, the Duchess of Cornwall, are shown listening to a presentation at a MyNOC workstation called "A Space." The tongue-in-cheek caption reads "Interlopers in A Space."
The presentation does not indicate the extent to which the royal family is kept abreast of current espionage operations. Their last visit was reportedly about Afghanistan, not Belgium. But the visit had been to the same location where what the secret document described as the "very successful" operation against Belgacom as well as "Operation Wylekey," also run by a MyNOC unit, had been conducted.
This also relates to an issue that the British have made a focal point of their intelligence-gathering activities: the most comprehensive access possible to worldwide mobile networks, the critical infrastructures for the digital age.
Mobile networks are a blessing and a curse for spies worldwide. Because each major wireless communications company operates its own networks, tapping into them becomes more complex. On the other hand, the mobile multi-use devices in our pockets are a blessing, because they often reveal more personal information than stationary computers, such as the user's lifestyle habits and location. They can also be transformed into bugging devices that can be activated remotely at any time to listen in on the user's conversations.
Mobile Phones Become Monitoring Tools
"We can locate, collect, exploit (in real time where appropriate) high value mobile devices & services in a fully converged target centric manner," a GCHQ document from 2011 states. For years, the British spies have aspired to potentially transform every mobile phone on the planet into a monitoring tool that could be activated at any time.
But the government hackers apparently have to employ workarounds in order to infiltrate the relatively inaccessible mobile phone networks.
According to the presentation, in the case of Belgacom this involved the "exploitation of GRX routers," from which so-called man-in-the-middle attacks could be launched against the subjects' smartphones. "This way, an intelligence service could read the entire Internet communications of the target and even track their location or implant spying software on their device," mobile networks expert Philippe Langlois says of the development. It is an effective approach, Langlois explains, since there are several hundred wireless companies, but only about two dozen GRX providers worldwide.
But this isn't the only portal into the world of global mobile communications that GCHQ has exploited. Another MyNOC operation, "Wylekey," targets "international mobile billing clearinghouses."
These clearinghouses, which are relatively unknown to the general public, process international payment transactions among wireless companies, giving them access to massive amounts of connection data.
The GCHQ presentation, which SPIEGEL was able to view, contains a list of the billing companies that are on the radar of the British. At the top of the list are Comfone, a company based in Bern, Switzerland, and Mach, which has since been split into two companies, one owned by another firm called Syniverse and another called Starhome Mach. Syniverse was also on the list of companies to monitor. Together, these companies dominate the industry worldwide. In the case of Mach, the GCHQ personnel had "identified three network engineers" to target. Once again, the Quantum Insert method was deployed.
The spies first determine who works for a company identified as a target, using open source data like the LinkedIn professional social networking site. IT personnel and network administrators are apparently of particular interest to the GCHQ attackers, because their computers can provide extensive access privileges to protected corporate infrastructures.
Targeting an Innocent Employee
In the case of Mach, for example, the GCHQ spies came across a computer expert working for the company's branch in India. The top-secret document shows how extensively the British intelligence agents investigated the life of the innocent employee, who is listed as a "target" after that.
A complex graph of his digital life depicts the man's name in red crosshairs and lists his work computers and those he uses privately ("suspected tablet PC"). His Skype username is listed, as are his Gmail account and his profile on a social networking site. The British government hackers even gained access to the cookies on the unsuspecting victim's computers, as well as identifying the IP addresses he uses to surf the web for work or personal use.
In short, GCHQ knew everything about the man's digital life, making him an open book for its spies. SPIEGEL has contacted the man, but to protect his privacy is not publishing his name.
But that was only the preparatory stage. After mapping the man's personal data, now it was time for the attack department to take over. On the basis of this initial information, the spies developed digital attack weapons for six Mach employees, described in the document as "six targeting packs for key individuals," customized for the victims' computers.
- Part 1: GCHQ Used Fake LinkedIn Pages to Target Engineers
- Part 2: GCHQ Wants To Make Mobile Web an All-Seeing Surveillance Machine