Belgium: Oi, Brits, explain why Belgacom hack IPs pointed at you and your GCHQ

GCHQ’s rumoured hacking operation against Belgacom came back into the spotlight yesterday after a local newspaper revealed more tantalising snippets from a Belgian judicial investigation into the attack.

Originally having come to light thanks to whistleblower Edward Snowden’s disclosures from American spy agency files he swiped from the NSA, the UK's signals intelligence bods are said to have hacked into the Belgian telco in order to monitor private communications flowing over its networks.

Belgian newspaper De Standaard reported yesterday that a judicial investigation had found proof that the hack, traces of which were found by Belgacom, “was the work of the GCHQ, an intelligence service of ally Great Britain”.

“This can all be read in a confidential report from the federal prosecutor's office that the National Security Council discussed at the beginning of this week,” said De Standaard, which reported (in Dutch) that it had seen the report.

It also wrote that during the federal prosecutor’s investigation, concrete proof was found linking the hackers to the UK – proof that did not come from the Snowden revelations, as previous evidence has.

“Specifically, these are IP addresses of computers where the spyware software communicated from Belgacom. Three of those addresses were owned by a British company, indicating that the spy software manager is in Great Britain,” said the newspaper, which quoted the “British department of the interior” [Home Office] as refusing to co-operate with the investigation.

The refusal to co-operate is unsurprising. For all manner of obvious diplomatic reasons, the UK is not going to confess to hacking one of its supposedly closest allies; an ally which hosts the key institutions of the EU as well as NATO.

What happened here?

GCHQ’s Belgacom attack, code-named Operation Socialist, took place over the late 2000s and early 2010s. It consisted of tricking admin-level techies into visiting fake websites made to look like Linkedin and which were laden with malware, as The Intercept reported at the time. Once infected, the three Belgian techies’ machines were the ultimate gateway for the British spies into Belgacom’s networks, with the telco eventually confessing to 5,000 machines being infected.

Having man-in-the-middle'd Belgacom's core routers, GCHQ was also, according to the Intercept, able to break into private VPN sessions as well as pinpointing phones using the 2G GPRS protocol. At the time, smartphone penetration in the Middle East and Africa region was much lower than it is today.

GCHQ's believed main aim was to compromise Belgacom International Carrier Services, which handled a large amount of Middle Eastern roaming traffic. Secondary to the operation was mapping Belgacom’s networks and identifying further hacking opportunities.

Belgacom first publicly admitted that something was awry in late 2013, rather optimistically stating: “At no point in time has the delivery of our telecommunication services been compromised.” Later revelations went on to show that this was almost certainly not true.

These days Belgacom is called Proximus, having rebranded in September 2014.

The Home Office ignored our request for comment. GCHQ has a long-standing policy of refusing to comment on its actions, though a sample of the meaningless boilerplate it issues on all such occasions can be read towards the end of this 2014 article. ®