WEBVTT

00:00:01.097 --> 00:00:06.480
JACK: [MUSIC] It’s naïve to think that nations aren’t spying on each other, like deploying

00:00:06.480 --> 00:00:11.460
secret agents in each other’s countries. But in the modern times we live in, when nations rely

00:00:11.460 --> 00:00:18.720
so heavily on computers to store communications and data, that spying is now done online.

00:00:18.720 --> 00:00:23.760
Governments train people to become elite hackers, to break into networks of other countries and

00:00:23.760 --> 00:00:29.040
snoop on their e-mails and databases. You see, in cyberspace, the rules are unclear

00:00:29.040 --> 00:00:34.260
on what one nation can do to another. The geographical boundaries are unseen and the

00:00:34.260 --> 00:00:40.260
attacks go undetected. Even if you see an attack, it’s almost impossible to know who did it. Nation

00:00:40.260 --> 00:00:45.960
state cyber-attacks intent on spying are covert and silent. The malware they use can be sitting

00:00:45.960 --> 00:00:52.320
inside the network of targeted industries and organizations for years before they’re found.

00:00:52.320 --> 00:00:56.400
That’s if they’re ever found at all; in that time, they are collecting data,

00:00:56.400 --> 00:01:02.400
spying on their targets before quietly leaving with their surveillance gear intact.

00:01:02.400 --> 00:01:08.220
Or at least, that’s what’s supposed to happen. This is the story about one of the most advanced

00:01:08.220 --> 00:01:14.100
malware toolkits ever found and how one country used it to break into a global telecom provider.

00:01:14.100 --> 00:01:19.740
It’s a story that attackers didn’t ever want you to know about. This attack and the malware and

00:01:19.740 --> 00:01:25.800
mission required a ton of resources to carry out, resources that only a nation state could provide,

00:01:25.800 --> 00:01:30.960
such as a team of extremely talented hackers, access to exploits that no one else had,

00:01:30.960 --> 00:01:37.320
and the motivation to infiltrate a company to steal secret information. This is the story of

00:01:37.320 --> 00:01:43.320
Operation Socialist. JACK (INTRO): [INTRO MUSIC]

00:01:43.320 --> 00:01:54.300
These are true stories from the dark side of the internet. I’m Jack Rhysider. This is Darknet

00:01:54.300 --> 00:02:09.660
Diaries. [INTRO MUSIC ENDS] JACK:

00:02:09.660 --> 00:02:13.920
This story begins with Belgacom. It’s actually called Proximus Group now,

00:02:13.920 --> 00:02:19.020
but the story takes place when it was known as Belgacom. Belgacom is an international telecoms

00:02:19.020 --> 00:02:24.180
company based in Belgium. It provides mobile and internet connections and solutions for consumers

00:02:24.180 --> 00:02:30.180
and other mobile networks internationally. Over 15,000 staff, over five million mobile customers,

00:02:30.180 --> 00:02:35.760
and 1.5 million internet clients. Belgacom is a big player in the world of telecommunications.

00:02:35.760 --> 00:02:41.580
In fact, it’s the largest telecom company in Belgium. [MUSIC] With Brussels being

00:02:41.580 --> 00:02:45.780
the primary location of Europe’s political bodies and Belgacom headquartered in Brussels,

00:02:45.780 --> 00:02:49.440
you start putting two and two together pretty quickly. Chances are, a lot of

00:02:49.440 --> 00:02:53.460
Belgium’s top political leaders use Belgacom for their internet and mobile services.

00:02:53.460 --> 00:02:58.800
The client list of Belgacom includes the European Parliament, the European Council,

00:02:58.800 --> 00:03:03.840
the European Commission, but Belgacom didn’t just provide mobile and internet connections;

00:03:03.840 --> 00:03:09.960
their services also include wholesale solutions for voice and mobile data services worldwide. In

00:03:09.960 --> 00:03:14.040
fact, they have another company called BICS which is the Belgacom International Carrier

00:03:14.040 --> 00:03:20.880
Services and it provides data for 1,000 networks including 370 mobile network providers. Basically,

00:03:20.880 --> 00:03:25.500
telecom companies in other countries can use Belgacom’s network to rebrand it and sell it

00:03:25.500 --> 00:03:29.880
as their own network. If you think about how many text messages, phone calls, and all the internet

00:03:29.880 --> 00:03:37.080
usage that go over Belgacom’s network, that becomes kind of an attractive target for hackers.

00:03:37.080 --> 00:03:43.080
On June 21st, 2013, the IT security team at Belgacom headquarters in Brussels noticed their

00:03:43.080 --> 00:03:48.060
e-mail server was malfunctioning. Staff weren’t getting their e-mails. This

00:03:48.060 --> 00:03:52.140
had happened a year before; a short period of instability that they put down as a technical

00:03:52.140 --> 00:03:56.940
fault. Probably the same again, they thought. Still, they needed to check it out to be sure

00:03:56.940 --> 00:04:01.920
but there was no technical fault on their mail servers. What they found were traces

00:04:01.920 --> 00:04:10.020
of malware. [MUSIC] A malware attack that had infiltrated their networks is a disaster for a

00:04:10.020 --> 00:04:14.580
company like Belgacom, one [00:05:00] which could cost them millions of dollars, never mind their

00:04:14.580 --> 00:04:19.740
reputation. The head of security immediately called Fox-IT which is a security company in

00:04:19.740 --> 00:04:24.540
the Netherlands which has the reputation of doing incident response. Within a few days, the team at

00:04:24.540 --> 00:04:30.540
Fox-IT were there at Belgacom investigating the malware. They realized this wasn’t your

00:04:30.540 --> 00:04:34.380
ordinary, run-of-the-mill malware. You see, there are three main categories

00:04:34.380 --> 00:04:38.280
of attacks; first you’ve got your typical spray-and-pray kind of attack. This is where

00:04:38.280 --> 00:04:42.480
someone scans the whole internet looking for any vulnerability to exploit and not really caring

00:04:42.480 --> 00:04:46.740
who the target is; just see if they can get into anything. Then you’ve got your targeted attacks.

00:04:46.740 --> 00:04:51.360
These are people who want to gain access to a specific company or person and they’ll try to

00:04:51.360 --> 00:04:56.160
craft exploits that work specifically for that target. But if they can’t get in, they sometimes

00:04:56.160 --> 00:05:04.800
run out of resources and stop. But then there are the APTs, or Advanced Persistent Threats. This is

00:05:04.800 --> 00:05:10.140
an attacker who is much more sophisticated. They have better malware, a vast amount of knowledge,

00:05:10.140 --> 00:05:16.080
a lot of motivation, and a specific objective in mind, and also considerable resources.

00:05:16.080 --> 00:05:20.520
They might have a team of coders and electrical engineers to all assist with the attack.

00:05:20.520 --> 00:05:27.240
When Fox-IT investigated this malware, they thought they had an APT on their hands. This

00:05:27.240 --> 00:05:31.920
was a very sophisticated attack which required years of research to conduct and carry out,

00:05:31.920 --> 00:05:36.060
something that not many hacker groups in the world could accomplish.

00:05:36.060 --> 00:05:40.680
What’s worse for Belgacom is that this malware was not like anything the security teams had

00:05:40.680 --> 00:05:47.580
ever seen before. They were baffled; what is this? How did it get in? What was it trying to do? Over

00:05:47.580 --> 00:05:52.800
the next two weeks, they worked together to try to find out exactly what was going on. Belgacom

00:05:52.800 --> 00:06:00.600
had been hacked. They knew that, but how bad were they hacked, and for how long, and by who?

00:06:00.600 --> 00:06:04.560
Initial investigations found a program that installed the malware on their networks;

00:06:04.560 --> 00:06:09.420
a dropper. A dropper is sort of like sticking your shoe in the door of a building. If you

00:06:09.420 --> 00:06:13.740
can get just your toe in the door, then you can get your whole foot in and open

00:06:13.740 --> 00:06:18.120
the door and get in yourself. A dropper lets the malware into the

00:06:18.120 --> 00:06:22.800
computer. What’s weird though is that this was done in stages, a little bit at a time,

00:06:22.800 --> 00:06:28.500
hiding the evidence across multiple data files. Once it was all there and installed,

00:06:28.500 --> 00:06:32.880
it deleted itself and left no breadcrumbs behind which would give the hackers away.

00:06:32.880 --> 00:06:38.400
This process of hiding evidence is scary to me. It essentially wipes the logs that indicated

00:06:38.400 --> 00:06:43.320
anything was ever installed, so investigators would have a really hard time detecting this

00:06:43.320 --> 00:06:48.660
and looking back to see what was done. Like, who does this? Someone who doesn’t want to be caught,

00:06:48.660 --> 00:06:57.960
that’s who. Amateurs leave tracks behind, but professionals, they don’t leave anything. [MUSIC]

00:06:57.960 --> 00:07:05.700
Analysis found the malware had started to install at the end of 2010 to early 2011. Out of the

00:07:05.700 --> 00:07:10.260
26,000 systems that were in Belgacom, only 124 were infected with this.

00:07:10.260 --> 00:07:14.940
These include their e-mail servers, some network devices, a few SharePoint servers,

00:07:14.940 --> 00:07:19.920
and about seventy individual employees’ workstations; like, their sysadmins who

00:07:19.920 --> 00:07:24.720
had pretty much access to everything. It was looking like this malware was brand-new, not

00:07:24.720 --> 00:07:30.060
known by any antivirus company, and was exploiting fully up-to-date software. It meant that the bugs

00:07:30.060 --> 00:07:35.040
weren’t even known to the software companies themselves. Thoughts were quickly turning as

00:07:35.040 --> 00:07:41.160
to who might be behind this attack. Who’s capable of designing such a sophisticated malware? Among

00:07:41.160 --> 00:07:45.540
the many known hacker groups, even individual hackers who are skilled in coding, this malware

00:07:45.540 --> 00:07:52.140
was on another level. They concluded it was most likely designed and implemented by a nation state

00:07:52.140 --> 00:08:00.600
actor either from within another government itself or from a group that was funded by a government.

00:08:00.600 --> 00:08:04.920
Highly-advanced coding, very advanced installation, technically skilled operations,

00:08:04.920 --> 00:08:07.560
and stealth-like ability to hide for long periods of time.

00:08:07.560 --> 00:08:12.660
On June 19th, they filed a complaint with the Federal Public Prosecutor in Belgium.

00:08:12.660 --> 00:08:17.880
They told them they had been a victim of an advanced malware cyber-attack. The attack,

00:08:17.880 --> 00:08:24.540
they said, was using malware, they believed, that might be nation state-sponsored.

00:08:24.540 --> 00:08:27.660
When a company discovers they have been the victim of a cyber-attack,

00:08:27.660 --> 00:08:32.640
they need to go in their networks and clean it up as soon as possible but part of that process

00:08:32.640 --> 00:08:37.140
is the analysis and investigation of the malware to identify what it is and what it’s been doing.

00:08:37.140 --> 00:08:43.140
This has to be done properly which can sometimes mean not letting the hackers know you found them.

00:08:43.140 --> 00:08:46.500
The internal clean-up of Belgacom’s systems had to be done in secret,

00:08:46.500 --> 00:08:51.600
strictly on a need-to-know basis to find out just how extensive this attack was and

00:08:51.600 --> 00:08:56.040
make sure their clean-up operation got it all. What they were doing could not get out.

00:08:56.040 --> 00:09:02.160
For two long months a select team of two hundred Belgacom staff worked around the clock to address

00:09:02.160 --> 00:09:07.080
the multiple issues this attack had created. They had technical staff, lawyers, supply

00:09:07.080 --> 00:09:12.120
chain specialists, and they all came together to formulate a plan of action. [MUSIC] [00:10:00]

00:09:12.120 --> 00:09:18.660
There was an internal crisis team to manage the investigation into the attack. Coordinating with

00:09:18.660 --> 00:09:23.400
outside agencies included state security and federal and regional computer crimes units.

00:09:23.400 --> 00:09:27.900
Legal advisors were needed to advise on the legal ramifications of the attack and potential

00:09:27.900 --> 00:09:32.580
options open in finding those responsible and holding them accountable. They wanted to kick

00:09:32.580 --> 00:09:35.940
these hackers out of the network once and for all and if the world knew about this plan,

00:09:35.940 --> 00:09:40.920
then the hackers might change their tactics entirely. For forty-eight hours across the

00:09:40.920 --> 00:09:46.080
weekend of September 14th and 15th in 2013, their clean-up plan was put into action.

00:09:46.080 --> 00:09:51.420
Because this attack had infected their network to the very core, they replaced a ton of Belgacom’s

00:09:51.420 --> 00:09:55.380
network devices and their systems and they reconstructed their servers and installed

00:09:55.380 --> 00:09:59.340
all-new computers. I mean, after all, one of the safest ways to know a hacker’s gone

00:09:59.340 --> 00:10:03.600
completely is to get a new computer, right? At that time the investigation and security

00:10:03.600 --> 00:10:09.540
teams were still trying to identify how many systems were infected and what the malware did.

00:10:09.540 --> 00:10:15.180
Two days after this mammoth clean-up weekend, security detected another attempt to hack into

00:10:15.180 --> 00:10:20.220
their system. A router within their international division started malfunctioning and throwing

00:10:20.220 --> 00:10:25.020
alerts. Analysis indicated this was another attack but it seemed this time they were able

00:10:25.020 --> 00:10:29.880
to prevent it and block it from getting any further access. Only then, once they were

00:10:29.880 --> 00:10:33.720
confident that the networks were clean, could Belgacom publicly release this information

00:10:33.720 --> 00:10:38.820
that they were victim of a cyber-attack. On September 16th they issued a press release.

00:10:38.820 --> 00:10:44.040
They kept it very brief; they played down the attack. Routine checks had detected a digital

00:10:44.040 --> 00:10:48.660
intrusion in the internal IT systems via an unknown virus but this has been fixed after

00:10:48.660 --> 00:10:52.620
cleaning up the entire system with no indication of a breach affecting their customers or their

00:10:52.620 --> 00:10:56.340
customers’ data. They wanted to reassure their clients that their data was safe and the company

00:10:56.340 --> 00:11:01.800
was adequately protected from cyber-threats. Unknown to them, just days later after the attack,

00:11:01.800 --> 00:11:09.900
an explosive allegation of who was behind this was about to hit the world’s press. [MUSIC]

00:11:09.900 --> 00:11:16.860
There’s another character in this story, someone you may have heard of. His name is Edward Snowden.

00:11:16.860 --> 00:11:21.780
He was a CIA analyst and then an NSA contractor. With his inside access,

00:11:21.780 --> 00:11:27.780
he downloaded over one million files from the NSA databases in late 2012.

00:11:27.780 --> 00:11:34.740
He flew to Hong Kong and then to Russia in June 2013 which was the same time Belgacom found out

00:11:34.740 --> 00:11:41.220
they were attacked. Snowden was releasing some top-secret documents to journalists. This Snowden

00:11:41.220 --> 00:11:46.920
leak became a big deal. Some of the documents that Snowden leaked talked about the operations going

00:11:46.920 --> 00:11:54.360
on in GCHQ. GCHQ, or the Government Communications Headquarters, is like the NSA but in England.

00:11:54.360 --> 00:11:58.920
Just think about how advanced the code-breaking capabilities were for England in World War II,

00:11:58.920 --> 00:12:03.600
right? I mean, they broke the Enigma Code. Yeah, well, the GCHQ has been involved in code-breaking

00:12:03.600 --> 00:12:07.800
and deciphering covert signals all the way back to World War I. They have generations

00:12:07.800 --> 00:12:13.200
of expertise all at collecting transmissions and deciphering them. Of course, being in the modern

00:12:13.200 --> 00:12:20.520
world we are in now, that expertise carried over into the online world so GCHQ naturally is a very

00:12:20.520 --> 00:12:25.200
capable hacking group in the world. In June of that year, when Edward Snowden

00:12:25.200 --> 00:12:31.020
leaked information, in that leak it said that GCHQ allegedly was tapping fiber-optic

00:12:31.020 --> 00:12:36.420
cables to collect and store e-mails, social media posts, and internet search histories,

00:12:36.420 --> 00:12:43.140
and sharing this data with the NSA. This doesn’t exactly say GCHQ hacked into Belgacom,

00:12:43.140 --> 00:12:48.480
just that there was tapping going on in general. Snowden’s leaks also said the US government spied

00:12:48.480 --> 00:12:53.520
on thirty-eight foreign embassies using electronic surveillance and they bugged European Union

00:12:53.520 --> 00:13:00.360
offices in New York, Washington, and Brussels. As the Belgacom team read these reports and was

00:13:00.360 --> 00:13:07.260
learning more about the capabilities of the GCHQ, they started to put in the back of their head;

00:13:07.260 --> 00:13:16.920
is it possible that the GCHQ is who hacked into Belgacom? Five days after Belgacom’s weekend

00:13:16.920 --> 00:13:22.440
clean-up and three days after their press release, the fortieth leak from the Snowden archive was

00:13:22.440 --> 00:13:30.360
published. It centered on Belgacom. [MUSIC] German online magazine Der Spiegel

00:13:30.360 --> 00:13:34.620
published that they had seen the documents from Snowden. They said the cyber-attack on

00:13:34.620 --> 00:13:45.960
Belgacom was carried out by Britain’s GCHQ using technology from the NSA called Quantum Insert.

00:13:45.960 --> 00:13:51.480
For Belgacom to see this Snowden leak which not only says that GCHQ was targeting Belgacom,

00:13:51.480 --> 00:13:58.920
but also to learn that they used Quantum Insert to do it with? This was a very shocking revelation.

00:13:58.920 --> 00:14:04.320
I’ll get to what Quantum Insert is in a little bit but Belgium and Britain are friendly nation

00:14:04.320 --> 00:14:11.460
states. They’re both members of the European Union. What was one doing spying on the other?

00:14:11.460 --> 00:14:15.720
This wasn’t [00:15:00] government spying on government; it was one government spying on

00:14:15.720 --> 00:14:21.120
a company in another government. I mean, this is equivalent to having secret agents deployed

00:14:21.120 --> 00:14:25.620
into Belgium, break into the Belgacom offices, and steal a ton of documents on users.

00:14:25.620 --> 00:14:33.120
This was not right. The documents that Der Spiegel posted showed an internal classified

00:14:33.120 --> 00:14:37.800
GCHQ presentation, like a PowerPoint presentation. In this presentation,

00:14:37.800 --> 00:14:46.800
it talked about the attack on Belgacom and the GCHQ called this attack Operation Socialist.

00:14:46.800 --> 00:14:51.120
With an objective to increase exploitation of Belgacom and

00:14:51.120 --> 00:14:56.040
understanding of their infrastructure, the British spies had logged it as a success.

00:14:56.040 --> 00:15:04.860
Whatever it was they went in to do, they did it, but they were caught on the way out.

00:15:04.860 --> 00:15:08.580
Telecom companies are used to threats and attackers trying to break into their network

00:15:08.580 --> 00:15:12.120
all the time. They’re high-profile targets because getting into one of these gets you

00:15:12.120 --> 00:15:17.040
access to a lot of people’s data. They manage extensive communications, infrastructures,

00:15:17.040 --> 00:15:21.900
and hold huge amounts of sensitive user data. They have a highly-secured environment with

00:15:21.900 --> 00:15:26.280
skilled IT teams to defend their network and respond to any vulnerability.

00:15:26.280 --> 00:15:30.240
They’re pretty tuned into the many ways cyber-criminals might try to get into their

00:15:30.240 --> 00:15:36.660
systems. But trying to defend against the GCHQ or NSA, they really need to be on another level for

00:15:36.660 --> 00:15:41.700
that. Apparently, they weren’t ready for such an attack and I don’t blame them; trying to

00:15:41.700 --> 00:15:47.580
defend against attackers like this is extremely difficult, if not impossible. For the hackers,

00:15:47.580 --> 00:15:53.040
when standard phishing attacks aren’t effective, another method needs to be done in order for the

00:15:53.040 --> 00:15:58.380
malicious software to get onto those systems. The GCHQ had to first think of a way to get this

00:15:58.380 --> 00:16:03.120
malware onto Belgacom’s network. There are two big steps to any attack; first is getting the malware

00:16:03.120 --> 00:16:08.160
onto the network and then taking action on it once it’s in. To get the malware onto the network, they

00:16:08.160 --> 00:16:13.980
decided to use a tried-and-true tactic which I call the old switcheroo, but this was a switcheroo

00:16:13.980 --> 00:16:20.100
unlike anything I’ve ever seen before. [MUSIC] Now, I should say all this is how GCHQ

00:16:20.100 --> 00:16:24.540
allegedly hacked into Belgacom’s network. See, there’s different sides to this story. There’s

00:16:24.540 --> 00:16:29.640
the Belgacom side and what they published and then there’s the Snowden side and what he published,

00:16:29.640 --> 00:16:33.060
and then there’s also a bunch of security researchers that tried to figure out what

00:16:33.060 --> 00:16:37.860
was going on here, too. We only know about this part because of what Snowden leaked and

00:16:37.860 --> 00:16:42.480
I don’t think any other documents back this up. The GCHQ knew the system administrators

00:16:42.480 --> 00:16:47.760
at Belgacom would visit LinkedIn sometimes so they decided to pull the old switcheroo on

00:16:47.760 --> 00:16:52.200
their LinkedIn. They built a fake LinkedIn site, an exact replica of the real one,

00:16:52.200 --> 00:16:56.520
and they wanted to get the system administrator to visit it. Yeah, they could have sent

00:16:56.520 --> 00:17:00.300
a phishing e-mail saying something like hey, we met at this conference last week;

00:17:00.300 --> 00:17:04.440
can we connect on LinkedIn? Then there’s a link that takes them to the fake LinkedIn site.

00:17:04.440 --> 00:17:09.600
But that wasn’t going to be good enough because if the system administrator saw this was a fake

00:17:09.600 --> 00:17:14.640
LinkedIn site, the whole plan would have been ruined. They needed something much, much more

00:17:14.640 --> 00:17:22.200
clever and what they used was a technology that the NSA developed called Quantum Insert.

00:17:22.200 --> 00:17:26.880
This Quantum Insert is amazing. Allow me to geek out on it for a moment. First step is to

00:17:26.880 --> 00:17:29.700
clone the LinkedIn website and that’s not so hard; with the right software,

00:17:29.700 --> 00:17:34.320
it’s a few keystroke commands and you’re done. Then you need to put malicious software on this

00:17:34.320 --> 00:17:38.820
cloned website so if someone visited it, they would be infected. The only complicated part

00:17:38.820 --> 00:17:42.300
about this step is to know what version of software your target is running so you can

00:17:42.300 --> 00:17:46.500
exploit their machine if they visit the link. But once you know that, this step is easy, too.

00:17:46.500 --> 00:17:52.500
But here’s where things get crazy; if the hackers had access to a router in between the victim and

00:17:52.500 --> 00:17:57.540
LinkedIn, then the hackers could then see that web traffic between the victim and LinkedIn.

00:17:57.540 --> 00:18:03.600
What Quantum Insert does, is it uses that router to split the request to LinkedIn into two separate

00:18:03.600 --> 00:18:09.180
requests; one going to the real LinkedIn site and the other going to this fake LinkedIn site

00:18:09.180 --> 00:18:14.760
that the hackers own. What has to happen for the attack to work is that the fake LinkedIn site has

00:18:14.760 --> 00:18:19.740
to respond quicker than the real one which then delivers the malicious software to the victim’s

00:18:19.740 --> 00:18:25.080
machine who’s none the wiser because there’s literally no way they can tell it’s not the real

00:18:25.080 --> 00:18:31.020
LinkedIn site. The URL says LinkedIn, the SSL cert is signed, the site looks like LinkedIn. Even all

00:18:31.020 --> 00:18:35.940
their friends and posts are there. It’s just, this rogue website injected some malicious software

00:18:35.940 --> 00:18:41.040
into the real one by splitting the traffic at the router. It’s really quite incredible.

00:18:41.040 --> 00:18:46.800
This is sort of like a man-in-the-middle attack but it’s also a timing attack because the fake

00:18:46.800 --> 00:18:52.860
LinkedIn site has to respond quicker than the real one and then rejoin the data in the data stream as

00:18:52.860 --> 00:18:57.840
the user requested it. The malware had to have taken at least a year to create and this is on

00:18:57.840 --> 00:19:02.580
such another level that I can barely understand how it’s physically possible. But again, in order

00:19:02.580 --> 00:19:07.320
for this to work, the attackers need access to a router between the victim and LinkedIn, so you

00:19:07.320 --> 00:19:12.420
might be wondering how does the GCHQ control any router between an admin at [00:20:00] Belgacom

00:19:12.420 --> 00:19:17.340
and LinkedIn? Well, they might not, but the NSA probably does. See, LinkedIn is

00:19:17.340 --> 00:19:21.540
an American company so probably, the traffic has to travel through the US, right?

00:19:21.540 --> 00:19:26.520
The leaked documents from Snowden show the NSA does control some internet backbones and routers

00:19:26.520 --> 00:19:32.220
so it’s possible that the NSA helped the GCHQ conduct these attacks to get the initial access.

00:19:32.220 --> 00:19:38.040
Or maybe it’s possible that Belgacom first hops over to UK before going undersea to the

00:19:38.040 --> 00:19:43.500
US to get to LinkedIn. If that’s possible, then GCHQ might be controlling a backbone router in

00:19:43.500 --> 00:19:47.700
the UK somewhere. Like I said, this is sort of a man-in-the-middle attack but actually,

00:19:47.700 --> 00:19:53.100
some call it a man-on-the-side attack, where the attackers can read and add new messages into the

00:19:53.100 --> 00:19:58.620
communications between the user and the legitimate web server. For this to work, they use something

00:19:58.620 --> 00:20:03.720
called a Quantum Server which is just a web server that has an extremely fast response time so that

00:20:03.720 --> 00:20:08.400
it can get the web traffic there before the legitimate server does. This is what I mean by

00:20:08.400 --> 00:20:13.620
how sophisticated of an attack this was. You need to have control of a backbone of the internet to

00:20:13.620 --> 00:20:19.200
carry this out and that’s just to phish the user; we haven’t even gotten to the malware yet.

00:20:19.200 --> 00:20:29.340
[MUSIC] Belgacom is a company that’s 53% owned by the Belgian government. This made them

00:20:29.340 --> 00:20:33.540
extra-keen to find out who had targeted the country’s biggest telecoms company.

00:20:33.540 --> 00:20:38.760
Belgacom had informed the authorities as soon as they found the malicious software on their

00:20:38.760 --> 00:20:43.980
systems. Belgium’s Secret Service, their federal police, their military intelligence, and their

00:20:43.980 --> 00:20:49.020
computer emergency response team came together to investigate this attack. They code-named their

00:20:49.020 --> 00:20:55.380
investigation Trinity. Belgium wanted to send a clear message to anyone thinking of attacking

00:20:55.380 --> 00:21:00.180
them through cyber-means; they would investigate and track down who was responsible and they would

00:21:00.180 --> 00:21:05.700
make sure these people were held accountable. But in August 2013, two months after the Snowden leak,

00:21:05.700 --> 00:21:10.560
suddenly all the malware that infected Belgacom started deleting itself. Someone

00:21:10.560 --> 00:21:15.840
hit a kill-switch and was removing the malware from the network and all traces of it, but the

00:21:15.840 --> 00:21:20.640
Belgacom security team had made copies. They discovered the data extracted by the malware

00:21:20.640 --> 00:21:25.380
had been exported from their internal computers out to outside servers,

00:21:25.380 --> 00:21:28.800
servers they were confident were controlled by the hackers.

00:21:28.800 --> 00:21:33.660
Naturally, they followed this trail. It seemed, through the IP addresses of these servers that

00:21:33.660 --> 00:21:38.280
they discovered, these were rented under fake names and addresses and they were registered

00:21:38.280 --> 00:21:43.020
in the UK to what they thought were front companies. The payment details for renting

00:21:43.020 --> 00:21:48.000
the servers were from cards issued from the UK but when they checked out, the pre-paid cards were

00:21:48.000 --> 00:21:55.860
issued to anonymous buyers, making whoever rented these servers impossible to trace.

00:21:55.860 --> 00:22:00.420
The Trinity team are the Belgians that were investigating this malware. Since the road

00:22:00.420 --> 00:22:05.520
to tracing it led to these servers in the UK, they approached the British Home Office

00:22:05.520 --> 00:22:10.200
to ask them to help investigate this. They wanted to know more details about these

00:22:10.200 --> 00:22:15.060
servers so they could potentially identify the hackers but the British Home Office responded

00:22:15.060 --> 00:22:20.340
to the Belgians by saying quote, “We have decided to refuse this help. The United Kingdom believes

00:22:20.340 --> 00:22:26.160
that this could jeopardize our sovereignty, security, and public order.” End quote.

00:22:26.160 --> 00:22:36.780
Whoa. [MUSIC] It was soon after these discoveries that Snowden documents were released and the GCHQ

00:22:36.780 --> 00:22:41.640
were publicly accused of being behind this cyber-attack on Belgacom. The documents themselves

00:22:41.640 --> 00:22:46.200
were not considered useful to the investigation for the Belgian police and that’s because

00:22:46.200 --> 00:22:51.780
Snowden’s documents were released by the media and not handed directly to the police. The chain of

00:22:51.780 --> 00:22:56.700
evidence would be difficult to prove. Belgium was now in a difficult position;

00:22:56.700 --> 00:23:02.160
they wanted to bring the hackers to justice but if it was the intelligence service of the British,

00:23:02.160 --> 00:23:08.160
an allied country and fellow EU member, well, that changes the lay of the land more than a little.

00:23:08.160 --> 00:23:14.700
Suddenly politics get involved and the worry of a diplomatic fallout is [00:25:00] a messy dispute.

00:23:14.700 --> 00:23:19.860
I mean, what does Belgium do with Snowden? The federal prosecutors actually considered getting

00:23:19.860 --> 00:23:25.320
Snowden to Belgium from his exile in Russia. The thoughts there were that he could testify

00:23:25.320 --> 00:23:30.600
about these documents and their authenticity but that would not go down so well with the US

00:23:30.600 --> 00:23:36.600
because the US wanted Snowden back in the US and to charge him with espionage. Then there’s the UK;

00:23:36.600 --> 00:23:43.080
if Belgium started arresting their spies, that too would have a lot of political blowback. They were

00:23:43.080 --> 00:23:50.640
gonna need to tread very carefully. Towards the end of 2013, federal prosecutors went to Europol

00:23:50.640 --> 00:23:55.080
for help but they hit a brick wall. Europol said they couldn’t investigate other

00:23:55.080 --> 00:24:00.600
EU member states so that just didn’t go any further because there’s no precedent for this.

00:24:00.600 --> 00:24:07.200
This was the first known attack ever from one EU member state to a fellow EU member state. It’s

00:24:07.200 --> 00:24:12.900
not something people knew how to respond to. They were used to a clear enemy state where there’s an

00:24:12.900 --> 00:24:20.340
obvious good guy and a bad guy but this muddied the water and made it very political. Let me

00:24:20.340 --> 00:24:24.060
remind you of all the Belgian politicians that may have been snooped on during this attack;

00:24:24.060 --> 00:24:33.960
wherever these hackers were, they might have gotten an inside peek at Belgian politics.

00:24:33.960 --> 00:24:40.620
[MUSIC] The Snowden leaks threw the concepts of mass-surveillance into the public realm.

00:24:40.620 --> 00:24:45.000
The documents he exposed highlighted covert operations the public were not

00:24:45.000 --> 00:24:49.920
supposed to know about and they raised a lot of questions, questions on where the line is,

00:24:49.920 --> 00:24:55.140
where the balance is between covert intelligence through cyber-exploitation and the public’s right

00:24:55.140 --> 00:25:00.060
to privacy. Not to forget that in the middle of it is the vital role that intelligence plays in

00:25:00.060 --> 00:25:05.040
keeping our nations safe, protecting us from serious threats both on cyber-space and on the

00:25:05.040 --> 00:25:09.660
ground. The question everyone was debating was whether this balance had tipped too far

00:25:09.660 --> 00:25:15.900
and gave the intelligence agencies too much free rein. The cyber-attack on Belgacom caused some

00:25:15.900 --> 00:25:19.860
serious ripples around the telecommunication industry and it wasn’t just the telecoms

00:25:19.860 --> 00:25:21.720
community who worried. REPORTER1: Final story…

00:25:21.720 --> 00:25:26.220
JACK: 2014, ten months after the Belgacom and GCHQ leak was published…

00:25:26.220 --> 00:25:29.820
REPORTER1: Internet service providers in six countries have filed a legal complaint against

00:25:29.820 --> 00:25:33.660
the British spy agency the GCHQ. JACK: A group of internet service

00:25:33.660 --> 00:25:37.290
providers came together and launched a legal action against the GCHQ.

00:25:37.290 --> 00:25:41.400
REPORTER1: Covert mass-surveillance, legal action was taken against the government’s communications

00:25:41.400 --> 00:25:45.180
headquarters by internet providers of the US, UK, Netherlands, South Korea,

00:25:45.180 --> 00:25:50.820
Zimbabwe, and also in Germany. GCHQ is accused of using a malicious software program to break

00:25:50.820 --> 00:25:55.380
into networks and to collect data on users. The decision for court action follows reports

00:25:55.380 --> 00:25:59.700
of mass government surveillance by American whistleblower Edward Snowden. The UK spy agency

00:25:59.700 --> 00:26:04.800
has been under mounting criticism for gathering secret intelligence and sharing it with American

00:26:04.800 --> 00:26:08.940
partner, the National Security Agency. JACK: They based their case on the Belgacom

00:26:08.940 --> 00:26:14.160
attack. They said the GCHQ had made it clear that independent operators were targets they

00:26:14.160 --> 00:26:19.740
could infiltrate, turning those operators into unwitting providers of users’ sensitive data. They

00:26:19.740 --> 00:26:24.660
were worried that they might have been targeted themselves or that they would be in the future.

00:26:24.660 --> 00:26:30.060
These organizations referenced the Belgacom attack and they filed a complaint with the Investigatory

00:26:30.060 --> 00:26:34.500
Powers Tribunal. This is an independent body appointed by the Queen of England

00:26:34.500 --> 00:26:41.100
herself and deals with any complaints about the UK intelligence community; complaints about MI5,

00:26:41.100 --> 00:26:47.880
MI6, and the GCHQ. A lot of organizations called these attacks unlawful and destructive. Public

00:26:47.880 --> 00:26:53.880
outcry came from RiseUp and May First, GreenNet in the UK, Greenhost from the Netherlands, Mango

00:26:53.880 --> 00:26:59.100
in Zimbabwe, Jinbonet in Korea, and the German hacker collective, The Chaos Computer Club.

00:26:59.100 --> 00:27:02.220
Speaking through the civil liberties charity, Privacy International,

00:27:02.220 --> 00:27:07.860
they said the Belgacom engineers were targeted for intrusive surveillance. These people were not

00:27:07.860 --> 00:27:13.380
threats to national security; they were tech staff who worked at Belgacom with admin access rights

00:27:13.380 --> 00:27:19.380
to the networks that GCHQ was interested in. They claimed the actions of the GCHQ were unacceptable

00:27:19.380 --> 00:27:23.400
and a breach of trust. If an individual had carried out these actions, they’d be

00:27:23.400 --> 00:27:28.140
looking at a long list of criminal offences. This was the third legal action that Privacy

00:27:28.140 --> 00:27:33.900
International had taken the lead on against the GCHQ, all based on intelligence operations that

00:27:33.900 --> 00:27:38.700
were revealed in the Snowden leaks. Belgacom remained in the spotlight and the Belgian

00:27:38.700 --> 00:27:43.500
authorities were watching with interest on what the result of this legal action was going to be.

00:27:43.500 --> 00:27:49.920
They would have to wait almost two years for the Tribunal to finish their investigation.

00:27:49.920 --> 00:27:53.700
While the Belgian government and federal prosecutors were investigating the attack, the

00:27:53.700 --> 00:27:58.080
company had managed to clean up their systems and continue with their business. Those involved with

00:27:58.080 --> 00:28:02.940
the clean-up still had one question; what was the malware that was infected on the Belgacom network

00:28:02.940 --> 00:28:09.540
and what was it doing? In November 2014, Symantec exposed a serious and advanced malware framework

00:28:09.540 --> 00:28:14.640
they referred to as Regin, an advanced and sophisticated malware toolkit believed

00:28:14.640 --> 00:28:20.040
to be the work of a nation state actor. Kaspersky immediately followed up with a report of their own

00:28:20.040 --> 00:28:24.660
which is not unusual for security researchers. That’s what they do; they discover and analyze

00:28:24.660 --> 00:28:29.760
new cyber-threats and they publish their findings but what was unusual about these Regin reports was

00:28:29.760 --> 00:28:34.740
that Regin was not new. Security companies had been tracking this malware for years and it was

00:28:34.740 --> 00:28:38.520
used in attacks all over the world. Within weeks of these publications,

00:28:38.520 --> 00:28:46.860
Regin was matched with the malware found on the Belgacom systems.

00:28:46.860 --> 00:28:50.640
[MUSIC] After the Quantum Insert phishing method was done on Belgacom,

00:28:50.640 --> 00:28:56.460
then this malware was installed on the target’s computers which was called Regin.

00:28:56.460 --> 00:29:01.560
The malware-scanning website VirusTotal had actually seen this malware as far back as 2009,

00:29:01.560 --> 00:29:06.960
four years before it was seen on Belgacom. No one really knew what this malware did or what

00:29:06.960 --> 00:29:12.540
it was about back then. In April 2011, Microsoft suddenly picked up on them and added protection

00:29:12.540 --> 00:29:18.000
against them in their programs. These were some early samples of Regin. The Regin malware has

00:29:18.000 --> 00:29:23.700
a trackable history of its attacks. In spring of 2011, the European Commission discovered it

00:29:23.700 --> 00:29:29.340
had been hacked. It was a sophisticated attack using a zero-day exploit. Multiple systems at

00:29:29.340 --> 00:29:34.020
the European Commission and European Council were infected before the attack was discovered.

00:29:34.020 --> 00:29:40.320
Fast forward two years to 2013 and Belgacom is attacked. Five months later, around November 2013,

00:29:40.320 --> 00:29:46.440
another attack is discovered but this time it was targeting a Belgian cryptographer and professor,

00:29:46.440 --> 00:29:50.580
the same guy who figured out the technology behind smart payment cards and still

00:29:50.580 --> 00:29:56.160
carries out research and advisories on security. All these attacks used Regin.

00:29:56.160 --> 00:30:02.580
Kaspersky had been tracking Regin ever since 2012; Symantec since 2013, and F-Secure around the same

00:30:02.580 --> 00:30:07.260
time, too. This malware had been hitting telecoms companies, research institutions, financial

00:30:07.260 --> 00:30:12.960
institutions, and government agencies across the world in at least fourteen different countries.

00:30:12.960 --> 00:30:18.000
Afghanistan, Belgium, Brazil, Germany, Russia, Iran, Syria, and India are just

00:30:18.000 --> 00:30:23.400
a few that have seen Regin. At the same time of exposing Regin in 2014, researchers had

00:30:23.400 --> 00:30:27.780
seen over one hundred victims. Almost 50% of the computers known to be

00:30:27.780 --> 00:30:31.980
infected by Regin were inside internet service providers, most likely because

00:30:31.980 --> 00:30:37.320
the hackers wanted surveillance on targets who were customers of these ISPs. 28% of

00:30:37.320 --> 00:30:42.900
the computers infected were telecommunication backbone providers like Belgacom. Their network

00:30:42.900 --> 00:30:48.900
infrastructure and the data going through them would be very attractive for hackers.

00:30:48.900 --> 00:30:55.200
Analysis of Regin revealed some similar features to other malware like Flame and Duqu. Flame

00:30:55.200 --> 00:31:01.080
was a spy tool used to collect data to target individuals and businesses just like Regin did.

00:31:01.080 --> 00:31:06.300
Duqu was malware that favored hacking the venues of important meetings between world leaders. Okay,

00:31:06.300 --> 00:31:10.380
so there were similarities between this malware, right? Get this; Duqu is thought to be created

00:31:10.380 --> 00:31:16.920
by the NSA and Unit 8200 in Israel and Flame is thought to be created by the NSA and GCHQ.

00:31:16.920 --> 00:31:22.440
This indicates that there may be a common author in all this malware which could possibly be the

00:31:22.440 --> 00:31:27.540
NSA. A previous Regin attack going straight for the system administrators of a telecom

00:31:27.540 --> 00:31:33.480
company had some striking parallels. Kaspersky reported Regin used a payload to steal usernames

00:31:33.480 --> 00:31:38.220
and passwords of system administrators at a telecom company. They didn’t want to name the

00:31:38.220 --> 00:31:43.560
company or where in the Middle East, but it seems like access to mobile traffic was the objective.

00:31:43.560 --> 00:31:46.140
If you dig into these tech reports a little more, you see pretty quickly

00:31:46.140 --> 00:31:50.640
just how advanced this malware is. Regin is the ultimate hacker’s toolkit. Rather

00:31:50.640 --> 00:31:56.040
than just a program that can install, infiltrate, monitor, and extract data and then remove itself,

00:31:56.040 --> 00:32:02.700
it’s built on a more flexible and customizable module system. [MUSIC] It can be added to,

00:32:02.700 --> 00:32:06.900
changed, altered, all in accordance with what the target is and the objective is.

00:32:06.900 --> 00:32:12.780
It’s a framework that can be used to adapt and change however the hacker wants. Regin,

00:32:12.780 --> 00:32:16.980
it seems, is not just a piece of malware that’s designed to carry out one planned campaign;

00:32:16.980 --> 00:32:23.040
it’s a platform aimed at Microsoft computers that can be used again and again with multiple modules.

00:32:23.040 --> 00:32:28.320
Seventy-five modules have been found so far and we’re used to malware coming from cyber-criminals

00:32:28.320 --> 00:32:33.420
looking for monetary reward to hold data hostage or steal it or sell it, but now we see that some

00:32:33.420 --> 00:32:39.900
of the most advanced malware is being used to spy on enemy states. Stuxnet proved just how powerful

00:32:39.900 --> 00:32:45.300
a virus can be if developed by the right people with the skills and resources to do it and Regin

00:32:45.300 --> 00:32:51.240
is also extremely sophisticated, too. But it’s not designed to destroy; it’s designed to spy,

00:32:51.240 --> 00:32:58.380
to watch, listen, capture, and remain hidden at all costs. Regin was designed to provide extensive

00:32:58.380 --> 00:33:03.120
remote control of the target systems. It can take screenshots, steal files, collect

00:33:03.120 --> 00:33:09.840
keystrokes, access e-mails, and data from network traffic. Regin also has an unusual ability not

00:33:09.840 --> 00:33:15.360
common in malware infections; it has the ability to infiltrate GSM systems which are

00:33:15.360 --> 00:33:21.480
mobile base stations, giving the hackers control over mobile networks. Potentially, this means they

00:33:21.480 --> 00:33:28.320
could listen to and record calls and intercept and redirect them. Regin gets in and opens doors to

00:33:28.320 --> 00:33:33.600
allow different types of attacks to be carried out on the target’s network. It’s a powerful malware

00:33:33.600 --> 00:33:41.640
kit that not only performs its own actions but lays the groundwork for more specific attacks.

00:33:41.640 --> 00:33:45.900
We still don’t know what the objective is for this attack but it’s possible that the

00:33:45.900 --> 00:33:51.180
objective was to attack and gain access to routers in Belgacom’s international networks,

00:33:51.180 --> 00:33:54.600
to intercept mobile traffic communications going through other nations.

00:33:54.600 --> 00:34:00.240
The data they could gain from this added together would give them a pretty good idea of the user and

00:34:00.240 --> 00:34:05.460
exactly what they were doing day-to-day. Belgacom customers included some fairly powerful people,

00:34:05.460 --> 00:34:10.740
decision-makers within various European political bodies who all have their headquarters in Belgium,

00:34:10.740 --> 00:34:15.000
and there were customers in Middle Eastern countries who used the Belgacom international

00:34:15.000 --> 00:34:21.720
network as a rebranded mobile provider. Regin is delivered in five separate stages. Once activated,

00:34:21.720 --> 00:34:26.340
they follow on from each other, with each one providing an encryption key to unlock

00:34:26.340 --> 00:34:31.860
and activate the next. Stage one is the installer, getting the malware onto the target system. Stages

00:34:31.860 --> 00:34:37.380
two to five are fully encrypted. Just in case security researchers find it, it’s gonna be hard

00:34:37.380 --> 00:34:42.300
for them to figure out what’s going on here. To understand this malware and to figure out exactly

00:34:42.300 --> 00:34:47.940
what it’s capable of, you need all five stages in order to decrypt at all. These features were

00:34:47.940 --> 00:34:53.340
no doubt purposely designed within Regin. Remember, a primary objective of this malware is

00:34:53.340 --> 00:34:58.380
to remain hidden and not leave any trace of its presence. The creators need it to be impossible

00:34:58.380 --> 00:35:04.020
to crack and must not, under any circumstance, be trackable back to who created it. Many extra

00:35:04.020 --> 00:35:10.200
safeguards were put in place with this malware. Extreme care was used when building it. [MUSIC]

00:35:10.200 --> 00:35:15.540
Once malware is inside a target system, it needs a way to communicate back to the hackers and pass

00:35:15.540 --> 00:35:20.340
them the data that it finds. This is usually done by a command and control server that’s controlled

00:35:20.340 --> 00:35:25.080
by the hackers. Elaborate communications are set up for the infected machines to report

00:35:25.080 --> 00:35:28.860
back to the attackers through these command and control servers but instead of direct

00:35:28.860 --> 00:35:32.820
communications like usual, the infected systems talk to each other first on the

00:35:32.820 --> 00:35:37.260
network and then through a central hub which then communicates back to the command servers.

00:35:37.260 --> 00:35:43.260
Regin hides the data in the extended attribute section within a packet, splitting its data across

00:35:43.260 --> 00:35:47.820
multiple packets to hide what’s being stolen. This makes it really hard to spot the data

00:35:47.820 --> 00:35:52.980
being stolen since it’s encrypted, it’s in the section of a packet you don’t normally look for,

00:35:52.980 --> 00:35:58.380
and it’s broken up into tiny pieces. Once enough of the packets are collected, the data is then

00:35:58.380 --> 00:36:03.060
linked together and turned into a single, readable file. When Regin infects a machine,

00:36:03.060 --> 00:36:08.640
it gets assigned a virtual IP address. This forms a VPN layer on top of everything else.

00:36:08.640 --> 00:36:13.740
The attackers can then use this to keep inside the infected machine without drawing attention to

00:36:13.740 --> 00:36:19.200
their presence. This helps them hide the traffic even more. The traffic looks like expected traffic

00:36:19.200 --> 00:36:24.660
in the network so the security team doesn’t see any spikes or any suspicious activity.

00:36:24.660 --> 00:36:28.500
They use a variety of transport protocols to also disguise their communication to

00:36:28.500 --> 00:36:32.880
the infected servers. They sometimes used UDP, they sometimes used TCP,

00:36:32.880 --> 00:36:40.680
they sometimes sent data over HTTP cookies. A lot was done over your typical SSL and even SMB.

00:36:40.680 --> 00:36:44.880
With all these covert channels being used, it allowed the attackers to use this malware for

00:36:44.880 --> 00:36:50.760
years before it was detected. Obviously, a lot of time and money was spent making this malware. The

00:36:50.760 --> 00:36:56.460
longer that the hackers can use it before it goes noticed, the more value they can get out of it.

00:36:56.460 --> 00:37:01.320
Because once it becomes discovered, then it gets patched and it gets detected by antivirus.

00:37:01.320 --> 00:37:07.980
If the attackers use it again, people can quickly point fingers at who it might be.

00:37:07.980 --> 00:37:11.520
With any malware attack, finding who did it is really hard. This

00:37:11.520 --> 00:37:15.480
becomes especially hard when indications point to nation state espionage.

00:37:15.480 --> 00:37:20.460
No one wants to raise their head above the pulpit and expose a nation state’s weapon

00:37:20.460 --> 00:37:25.740
in the fight for national security. While the security companies are not keen to name names

00:37:25.740 --> 00:37:32.100
on the creators of Regin, they do all seem to agree that it is state-sponsored malware. Maybe

00:37:32.100 --> 00:37:36.720
they were just being cautious on what they expose because it is scary for a security researcher to

00:37:36.720 --> 00:37:41.880
expose a weapon of a nation state actor to the world. If that threat actor knew you were about

00:37:41.880 --> 00:37:47.400
to publish that report, they might do something to stop you from doing it. In December 2015,

00:37:47.400 --> 00:37:51.960
the Investigatory Powers Tribunal was done with their investigation. This is the UK

00:37:51.960 --> 00:37:58.020
body appointed by the Queen to investigate allegations against MI5, MI6, and GCHQ. This

00:37:58.020 --> 00:38:02.400
is where the internet service providers in six countries filed their legal complaint with.

00:38:02.400 --> 00:38:07.800
The Tribunal heard the case that these ISPs said the GCHQ hacked Belgacom and it was

00:38:07.800 --> 00:38:12.660
illegal. The Tribunal’s job is to investigate these complaints to decide whether the agency

00:38:12.660 --> 00:38:18.060
in question acted improperly. During the tribunal, to everyone’s surprise, the GCHQ

00:38:18.060 --> 00:38:24.000
did admit to carrying out hacking operations in the UK and abroad which to me is a big deal;

00:38:24.000 --> 00:38:28.860
for the GCHQ to officially say they do hacking? Yeah, I don’t think they publicly admitted to

00:38:28.860 --> 00:38:34.560
that previously. We even learned that in 2013, about 20% of its intelligence reports came from

00:38:34.560 --> 00:38:40.080
information that was from hacking operations. They also said that computer network exploitation,

00:38:40.080 --> 00:38:44.460
or otherwise known as hacking, has protected the public from threats and can often be the only way

00:38:44.460 --> 00:38:49.320
to gather certain intelligence. But after the Tribunal heard the case and spent a few years

00:38:49.320 --> 00:38:54.900
looking it over, they came to a conclusion; the Tribunal ruled in favor of the GCHQ.

00:38:54.900 --> 00:39:00.180
The ruling said that they were satisfied with the correct balance between safeguarding the public

00:39:00.180 --> 00:39:05.040
on one side and protecting an individual’s rights and privacy on the other. Really,

00:39:05.040 --> 00:39:09.240
the Tribunal said the computer network exploitation, or hacking carried out by the

00:39:09.240 --> 00:39:16.200
GCHQ was legal and didn’t infringe upon individual rights. That seems to be the end of the lawsuit.

00:39:16.200 --> 00:39:21.660
In 2016, the Belgacom cyber-attack and GCHQ involvement was still being questioned.

00:39:21.660 --> 00:39:26.700
Alexander De Croo, the Deputy Prime Minister for Belgium, made some unexpected comments

00:39:26.700 --> 00:39:32.580
while at a conference. He was participating in the World Economic Forum in January, 2016 in Davos,

00:39:32.580 --> 00:39:38.760
Switzerland. He was asked how Belgium protects its citizens from being spied on by an ally. His

00:39:38.760 --> 00:39:42.960
slightly uncomfortable response was definitely surprising. Here’s what he said.

00:39:42.960 --> 00:39:48.480
REPORTER2: How does Belgium protect its citizens from being spied on by allies?

00:39:48.480 --> 00:39:54.660
ALEX: You want me to say we do it in a good way or in a bad way?

00:39:54.660 --> 00:39:58.320
REPORTER2: The bad way would be better, more entertaining for us.

00:39:58.320 --> 00:40:09.180
ALEX: Well, no, mainly we’ve had one case where a big telco that basically came out. Yes,

00:40:09.180 --> 00:40:14.580
it seems that there had been infiltration. The whole question is, did we agree or not?

00:40:14.580 --> 00:40:19.185
REPORTER2: Infiltration by who? ALEX: Infiltration – it’s not defined.

00:40:19.185 --> 00:40:23.580
REPORTER2: The Germans? ALEX: But based on the Snowden slides,

00:40:23.580 --> 00:40:30.180
you could infer something. The whole question of course is – and even me; I mean, I’m not

00:40:30.180 --> 00:40:37.020
the Minister of Justice. I don’t get access to everything. My question was, did we agree or not?

00:40:37.020 --> 00:40:40.560
It might very well be that the Belgian intelligence services said yeah,

00:40:40.560 --> 00:40:46.740
why not? Please go ahead. The whole question is who is giving an okay to that or not?

00:40:46.740 --> 00:40:53.520
JACK: Again, that was the Deputy Prime Minister of Belgium giving a suggestion that possibly the

00:40:53.520 --> 00:41:00.660
Belgian government also agreed to this attack. For the UK’s intelligence services, that’s MI5,

00:41:00.660 --> 00:41:06.600
MI6, and the GCHQ, any surveillance operations that are considered intrusive and that intercept

00:41:06.600 --> 00:41:12.960
communications need the approval of the Secretary of State. A Foreign Secretary is responsible for

00:41:12.960 --> 00:41:18.240
GCHQ, keeping the Prime Minister and the Secretary of State up to date on their activities. For

00:41:18.240 --> 00:41:22.500
something like Operation Socialist, it most likely would have gone all the way to the

00:41:22.500 --> 00:41:27.720
Foreign Secretary and Secretary of State for approval. [MUSIC] But did that approval involve

00:41:27.720 --> 00:41:34.620
asking permission from Belgium’s State Secretary Services, and did they give it? We don’t know, and

00:41:34.620 --> 00:41:39.240
this, of course, is where all this stops. The intelligence operations of any country are

00:41:39.240 --> 00:41:43.560
not open to the public and the GCHQ, or the NSA, or the Belgian intelligence services

00:41:43.560 --> 00:41:49.860
will never confirm or deny any suggestions or allegations about their operations. Really, we

00:41:49.860 --> 00:41:56.160
will never know. The only thing we have are those leaked Snowden documents and these large, moving

00:41:56.160 --> 00:42:06.720
shadows just below the surface. There’s no hard evidence who was behind this or what was taken.

00:42:06.720 --> 00:42:10.680
Belgacom themselves have never publicly commented on the allegations that it was

00:42:10.680 --> 00:42:15.660
the GCHQ or NSA that hacked them. Although the exact data that the malware may have extracted

00:42:15.660 --> 00:42:20.400
from their systems is unknown, Belgacom stated that the traffic from the malware was very low

00:42:20.400 --> 00:42:25.140
and they didn’t believe that it was an aim to extract bulk data from their networks.

00:42:25.140 --> 00:42:29.220
Since the attack, Belgacom has a new CEO and they rebranded to Proximus,

00:42:29.220 --> 00:42:34.020
both changes that they implemented in 2014. At the end of that year the company still had

00:42:34.020 --> 00:42:38.820
a 41% share of the Belgian mobile market. The cyber-attack didn’t seem to affect their

00:42:38.820 --> 00:42:44.160
share price. They were up 40% a year after the hack. Proximus, as they’re now known,

00:42:44.160 --> 00:42:50.220
have invested heavily in cyber-security since this attack was discovered in 2013. The company now has

00:42:50.220 --> 00:42:55.380
an internal cyber-security program costing fifteen million euros and a cyber-security

00:42:55.380 --> 00:43:00.780
incident response team. They also continue to have ethical hackers and penetration testers to

00:43:00.780 --> 00:43:05.460
test out the security to highlight any gaps. It’s obvious that they tried to learn from this attack

00:43:05.460 --> 00:43:10.920
and strengthen their security as much as possible and at significant cost. The Trinity investigation

00:43:10.920 --> 00:43:14.760
into this cyber-attack reached its final stages in September of last year.

00:43:14.760 --> 00:43:19.800
The Belgian federal prosecutors submitted their confidential investigation report to the Belgian

00:43:19.800 --> 00:43:24.540
government. The report is believed to confirm the attack on Belgacom had been ongoing for

00:43:24.540 --> 00:43:29.760
around two years before it was discovered by the IT team. It also said the investigators believed

00:43:29.760 --> 00:43:34.200
Operation Socialist must have been approved on a high level of the British government before it

00:43:34.200 --> 00:43:38.520
was implemented. With no firm evidence that would hold up in court on who was behind this attack,

00:43:38.520 --> 00:43:44.340
no individual prosecutions were going to happen. The investigation into the Belgacom cyber-attack

00:43:44.340 --> 00:43:50.340
appears to have been closed. [MUSIC]

00:43:50.340 --> 00:43:55.287
This story is about a communication provider allegedly hacked on a grand scale by a nation

00:43:55.287 --> 00:44:01.680
state using a few very advanced pieces of malware. The Quantum Insert technique and the Regin malware

00:44:01.680 --> 00:44:08.160
give us a peek as to how sophisticated nation state malware is. There are surely many more

00:44:08.160 --> 00:44:12.780
things behind this that we don’t even know about. For the victims of a cyber-attack like this,

00:44:12.780 --> 00:44:19.080
it’s a David and Goliath scenario, but one that David has no way of winning. Craig Mundie is

00:44:19.080 --> 00:44:24.600
the advisor to the CEO at Microsoft. A few years back he was speaking at the School of

00:44:24.600 --> 00:44:29.460
International and Public Affairs at Columbia University. There, he had this to say.

00:44:29.460 --> 00:44:36.000
CRAIG: The real problem right now is that if a nation state

00:44:36.000 --> 00:44:43.740
chooses to use their full array of capabilities against even a sophisticated business,

00:44:43.740 --> 00:44:51.180
the business almost doesn’t stand a chance. Part of the problem we’ve got is that people

00:44:51.180 --> 00:44:59.580
are still thinking that if they use conventional defensive techniques to improve the perimeter

00:44:59.580 --> 00:45:05.160
security of their network, that they’re going to be okay. That may be sufficient

00:45:05.160 --> 00:45:13.320
against malicious mischief or petty criminals but it’s questionable against sophisticated

00:45:13.320 --> 00:45:18.420
organizations and it’s probably hopeless as a defense strategy against the government.

00:45:18.420 --> 00:45:23.880
The reason is governments don’t confine themselves to the network means of attack.

00:45:23.880 --> 00:45:30.060
They’ll come in and bribe your system administrator. They’ll come in and threaten to do

00:45:30.060 --> 00:45:37.260
evil things to his family or whatever it might be. People become a key component of compromise. It’s

00:45:37.260 --> 00:45:45.060
always been true but we now start to see those kind of national techniques being applied in these

00:45:45.060 --> 00:45:52.920
economic espionage cases. Therefore, even if your CIO tells you that he’s happily got the perimeter

00:45:52.920 --> 00:46:00.600
secured, you really can’t believe that. I think, whether you’re a business or a government now,

00:46:00.600 --> 00:46:07.140
you really need to start to think wow, there’s really sophisticated actors here and if I have

00:46:07.140 --> 00:46:14.880
anything I really care about, I’m going to have to take some additional steps to try to protect

00:46:14.880 --> 00:46:18.780
these things. JACK: [MUSIC]

00:46:18.780 --> 00:46:23.880
Even if conclusive, no-doubt evidence can be found which of course it can’t, the political

00:46:23.880 --> 00:46:30.120
ramifications of Belgium seeking criminal charges against a nation state attacker is huge. The twist

00:46:30.120 --> 00:46:34.800
in the tale here is that this was an alleged nation state attack on a friendly, allied state;

00:46:34.800 --> 00:46:42.180
not a hostile one. On top of that, it was an attack on a company in a friendly, allied state.

00:46:42.180 --> 00:46:46.140
Because of that, the rules are different, the response is different, and the outcomes for those

00:46:46.140 --> 00:46:51.120
who are hacked are different. It really seems to me that in cyber-space there are no boundaries

00:46:51.120 --> 00:46:56.580
and that political agreements are ignored, and friendly nations might be foes, and information

00:46:56.580 --> 00:47:03.000
sharing is happening on back channels. The online world offers a level of anonymity,

00:47:03.000 --> 00:47:07.920
of deniability; as long as your skills are up to scratch so that all roads leading back

00:47:07.920 --> 00:47:13.380
to you are blocked. This is something not only criminally-minded hackers are taking advantage of,

00:47:13.380 --> 00:47:20.160
but nation states too in this ever increasing, developing landscape of cyber-crime and

00:47:20.160 --> 00:47:30.420
cyber-warfare. JACK

00:47:30.420 --> 00:47:42.420
(OUTRO): [OUTRO MUSIC] Hey, if you can’t wait for the next episode to come out, guess what? You

00:47:42.420 --> 00:47:47.640
can get bonus episodes over on Patreon. There are now three bonus episodes available for you there,

00:47:47.640 --> 00:47:51.900
right now. Patreons also get an ad-free feed too, so you don’t have to listen

00:47:51.900 --> 00:47:57.300
to ads anymore. By being a Patreon supporter, it helps everything. It helps keep ads to a minimum,

00:47:57.300 --> 00:48:02.100
it helps support the show to hire extra help which helps get you more episodes. This show

00:48:02.100 --> 00:48:06.720
might not even be here today if it wasn’t for the Patreon supporters so thank you very much,

00:48:06.720 --> 00:48:11.580
everyone who has donated. Please consider signing up there and giving something to

00:48:11.580 --> 00:48:17.220
support the show. This show is created by me, the bod guy, Jack Rhysider. Writing help

00:48:17.220 --> 00:48:22.800
for this episode was by Fiona Guy. Editing help was from the key-tapper Damienne and our theme

00:48:22.800 --> 00:48:27.420
music is by the beat-builder Breakmaster Cylinder. Even though people ask me how

00:48:27.420 --> 00:48:32.820
to hack their girlfriend’s Facebook account every time I say it, this is Darknet Diaries.
