A potential diplomatic crisis is emerging after Belgian federal prosecutors accused British intelligence of hacking the country’s largest telecommunications operator.
Belgacom's security team first noticed unusual activity in the summer of 2012, but it was not until the following year that investigators began to understand the full scope of the intrusion.
Malware disguised as Microsoft software had infiltrated Belgacom’s systems and was exfiltrating data. Documents released by Edward Snowden linked the operation to the UK’s GCHQ and identified it as part of a campaign codenamed “Operation Socialist.”
Snowden told The Intercept in 2014 that the disclosures represented “the first documented example to show one EU member state mounting a cyber attack on another,” calling it a striking illustration of state-sponsored hacking at scale.
The spyware identified in the attack, known as Regin, is widely regarded as one of the most sophisticated strains discovered by security researchers. Analysts at Symantec compared Regin’s complexity to Stuxnet, the state-developed malware used against Iranian nuclear infrastructure.
According to published accounts, Regin enabled British and American intelligence services to collect data from Belgacom’s internal networks and from customers, which reportedly included institutions such as the European Commission, the European Parliament, and the European Council.
Belgian prosecutors warned that such activity is exceptional among EU partners and carries the risk of a diplomatic incident.
When the scope of the intrusion became clear in 2013, investigators considered the possibility of NSA involvement, given the disclosures about extensive U.S. surveillance programs that Snowden was making public at the time. While some components of the malware appeared to have been developed in the United States, forensic leads indicated that the operation itself traced back to the United Kingdom.
The investigation had appeared to stall after the attackers attempted to cover their tracks, but forensic work on the IP addresses of the devices that had communicated with the spyware identified three addresses registered to a British company.
Belgian authorities requested assistance from the UK Home Office to identify users associated with those IP addresses. According to the prosecutors’ report, the British response declined to provide the details, citing concerns that disclosure could affect the nation’s sovereignty, security, and public order.