How GCHQ faked LinkedIn and Slashdot to hack Belgacom, OPEC & others


Last September, Belgacom, one of the leading telecommunications providers in Belgium, reported that its systems had been infiltrated by a western intelligence agency. This was big news for a couple of reasons – one, because Belgacom provides internet access to dozens of key EU institutions based in its capital city Brussels; and two, because of its ‘global roaming exchange’ (known as a GRX), which acts as a hub for connections between various international mobile networks.

Few were surprised to learn that Britain’s GCHQ spy agency was the culprit behind this hack, given its extremely close relationship with the NSA. Now, in a new leak from Edward Snowden reported exclusively by Der Spiegel, we have learned exactly how the GCHQ pulled it off, using ‘fake’ LinkedIn and Slashdot websites to trick Belgacom’s employees and sneak its malware into their systems.

According to Der Spiegel, the first step for GCHQ was to identify employees at Belgacom working in its security and maintenance divisions, including finding out which ones use LinkedIn and Slashdot. Der Spiegel says that this work involved hugely extensive research on the part of Britain’s spooks, to the point that they even accessed cookies on target’s computers.

Once identified, the next step was to launch a variant of the “man-in-the-middle” attack. These attacks fool users into thinking that they’re communicating with a genuine web service, when in fact the service they’re talking to is an impersonator. In the case of Belgacom, the GCHQ used a sophisticated variant of the man-in-the-middle attack, known as a “quantum insert”, which Der Spiegel says could only be performed by a spy agency that’s able to insert its own boxes into the web. This way, when the target tries to access LinkedIn, GCHQ can serve them a spoofed version of the website instead of the real LinkedIn page.

But what’s so malicious about the spoofed LinkedIn? Well, it contains hidden malware – malicious software – and that’s how GCHQ worms its way into the networks its targeting.

According to Der Spiegel, GCHQ used the quantum insert technique to infiltrate OPEC, as well as a number of other international mobile billing clearinghouses, including European firm Comfone and Mach, in a larger operation known as “Wylekey”. The paper says that this network housed massive amounts of mobile connection data and gave GCHQ “knowledge of and access to encrypted links between the clearinghouses and various mobile network operators.”

The upshot of all this is that the GCHQ used Quantum hack-and-spy techniques to pave the way for more hacking and spying. In other words, the Quantum inserts described in this latest analysis of the Snowden papers are part of a larger program to build a digital panopticon. As to why spy agencies would target members of OPEC, that’s more in the realm of classical cloak-and-dagger practices: oil-producing nations simply have geopolitical power, and so they’ve long been considered fair game in the anarchical global order.