Belgian telco Belgacom - which operates vital undersea communications cables - says its internal network was compromised, possibly by foreign spooks.
Phone and data connections from international hot spots, such as Syria and Yemen, pass through submarine fibre lines handled by Belgacom International Carrier Services (BICS).
Security experts suspect the Belgian biz was infiltrated by state-backed hackers - and NSA and GCHQ have emerged as the prime suspects. Journalists in Belgium - writing here, here, here, and here - cite sources who reckon Belgacom’s systems may have been compromised for two years by a foreign intelligence agency.
Well-known security researcher Eddy Willems of antivirus biz G Data told El Reg that Belgacom admitted on TV that 5,000 of its internal machines were infected with sophisticated malware, which may have cyber-espionage purposes.
"I don't have a sample of the malware but am hoping to acquire it," Willems explained. "The circumstances look that it might be cyber-espionage but it might be something completely unrelated."
BICS - a joint venture between Belgacom, Swisscom and South Africa’s MTN - provides wholesale carrier services to mobile and fixed-line telcos around the world. It is among a group of companies that run the TAT-14, SEA-ME-WE3 and SEA-ME-WE4 cables connecting the United States, UK, Europe, North Africa, the Middle East and Singapore to the rest of the world.
Blighty's eavesdroppers at GCHQ run a programme called Tempora which taps data flowing through undersea fibre-optic lines of major telecommunications corporations - and BICS's cables may be a target. Stuffing malware into the telco's network could allow spooks to monitor the submarine communications, but how exactly that would happen is unclear.
In a statement issued yesterday Belgacom admitted its internal systems were invaded, but sought to reassure its customers that their records and other information stored in the systems were not affected. It said the intrusion, which did not compromise the "delivery" of communications, is under investigation by law enforcement:
This weekend, Belgacom successfully performed an operation in the light of its continuous action plan to protect the security of its customers and their data and to assure the continuity of its services.
Previous security checks by Belgacom experts revealed traces of a digital intrusion in the company’s internal IT system. Belgacom has taken all appropriate actions to protect the integrity of its IT system and to further reinforce the prevention against possible incidents.
For Belgacom, the protection of the customers and their data is a key priority. At this stage there is no indication of any impact on the customers or their data. At no point in time has the delivery of our telecommunication services been compromised.
Belgacom strongly condemns the intrusion of which it has become a victim. The company has filed a complaint against an unknown third party and is granting its full support to the investigation that is being performed by the Federal Prosecutor.
Security experts - such as Costin Raiu, a senior security researcher at Kaspersky Lab - have drawn parallels between the breach within Belgacom and the compromise of systems at Norwegian carrier Telenor. Analysis about the Telenor attack by infosec firm Norman pointed the finger of blame towards India.
In the case of Belgacom, the GCHQ and NSA is suspected given this year's revelations of the two agencies' global internet surveillance operations. "It's still too early to make conclusions that NSA is involved, however the likelihood is high if you look at the monitoring opportunities," G Data's Willems told El Reg. ®