Saturday, September 22, 2018

UK Spied on Allies

Russian spying never seems to be out of the news. Yet the British media seems to be under-reporting British spying on our own allies. In 2013, European investigators were looking into an unprecedented breach of Belgium’s telecommunications infrastructure. They believed they were on the trail of the people responsible. But it would soon become clear that they were chasing ghosts – fake names that had been invented by British spies. The hack had targeted Belgacom, Belgium’s largest telecommunications provider, which serves millions of people across Europe. The company’s employees had noticed their email accounts were not receiving messages. On closer inspection, they made a startling discovery: Belgacom’s internal computer systems had been infected with one of the most advanced pieces of malware security experts had ever seen.

The hacking turned out to have been perpetrated by U.K. surveillance agency Government Communications Headquarters, better known as GCHQ. The British spies hacked into Belgacom employees’ computers and then penetrated the company’s internal systems. In an eavesdropping mission called “Operation Socialist,” GCHQ planted bugs inside the most sensitive parts of Belgacom’s networks and tapped into communications processed by the company. The covert operation was the first documented example of a European Union member state hacking the critical infrastructure of another. British spies tried to destroy the evidence. 

Elio di Rupo, Belgium’s then-prime minister, was furious, calling the hack a “violation.” Meanwhile, one of the country’s top federal prosecutors opened a criminal investigation into the intrusion.

The British spies appear to have targeted Belgacom due to its role as one of Europe’s most important telecommunications hubs. Through a subsidiary company called Belgacom International Carrier Services, it maintains data links across the continent and also processes phone calls and emails passing to and from the Middle East, North Africa, and South America. But tapping into a broad range of global communications is only one possible motive. GCHQ may also have sought access to Belgacom’s networks to snoop on NATO and key European institutions, such as the European Commission, the European Parliament, and the European Council. All of those organizations have large offices and thousands of employees in Belgium. And all were Belgacom customers at the time of the intrusion.

GCHQ has broken into the computer systems of the oil production organization OPEC; the Netherlands-based security company Gemalto; and organizations that process international cellphone billing records, including Switzerland’s Comfone. The agency has also hacked several governments and companies from countries including Ireland, South Africa, Pakistan, India, Turkey, Iran, Argentina, Russia, North Korea, the United Arab Emirates, and Zimbabwe. All of GCHQ’s hacking activities “must be U.K. deniable,” the document says, meaning it should be impossible for those targeted by the hacks to trace them back to GCHQ’s computers. The agency’s hackers use what they call “intermediary machines” and “covert infrastructure” to disguise themselves before they steal information from hacked computers or phones. In the Belgacom case, these protections failed and GCHQ’s biggest fear was realized. Its operation was discovered and its identity as the perpetrator was publicly exposed.

The UK government has never publicly acknowledged any role in the Belgacom hack. Any GCHQ hack that targets foreign organizations must be approved at a senior level within the agency, and particularly sensitive operations sometimes require the sign-off of the government’s foreign secretary, who at the time of the Belgacom intrusion was William Hague. That GCHQ was responsible is beyond doubt, but the agency will face no consequences, say sources with knowledge of the case. There will be no sanctions for the U.K., no compensation to cover the damage caused, no arrests, no interrogations, no apology, and no admission of guilt.
