When the incoming emails stopped arriving, it seemed innocuous at first. But it would eventually become clear that this was no routine technical problem. Inside a row of gray office buildings in Brussels, a major hacking attack was in progress. And the perpetrators were British government spies.
It was in the summer of 2012 that the anomalies were initially detected by employees at Belgium’s largest telecommunications provider, Belgacom. But it wasn’t until a year later, in June 2013, that the company’s security experts were able to figure out what was going on. The computer systems of Belgacom had been infected with a highly sophisticated malware, and it was disguising itself as legitimate Microsoft software while quietly stealing data.
Last year, documents from National Security Agency whistleblower Edward Snowden confirmed that British surveillance agency Government Communications Headquarters was behind the attack, codenamed Operation Socialist. And in November, The Intercept revealed that the malware found on Belgacom’s systems was one of the most advanced spy tools ever identified by security researchers, who named it “Regin.”
The full story about GCHQ’s infiltration of Belgacom, however, has never been told. Key details about the attack have remained shrouded in mystery—and the scope of the attack unclear.
Now, in partnership with Dutch and Belgian newspapers NRC Handelsblad and De Standaard, The Intercept has pieced together the first full reconstruction of events that took place before, during, and after the secret GCHQ hacking operation.
Based on new documents from the Snowden archive and interviews with sources familiar with the malware investigation at Belgacom, The Intercept and its partners have established that the attack on Belgacom was more aggressive and far-reaching than previously thought. It occurred in stages between 2010 and 2011, each time penetrating deeper into Belgacom’s systems, eventually compromising the very core of the company’s networks.
Snowden told The Intercept that the latest revelations amounted to unprecedented “smoking-gun attribution for a governmental cyber attack against critical infrastructure.”
The Belgacom hack, he said, is the “first documented example to show one EU member state mounting a cyber attack on another…a breathtaking example of the scale of the state-sponsored hacking problem.”
Publicly, Belgacom has played down the extent of the compromise, insisting that only its internal systems were breached and that customers’ data was never found to have been at risk. But secret GCHQ documents show the agency gained access far beyond Belgacom’s internal employee computers and was able to grab encrypted and unencrypted streams of private communications handled by the company.
Belgacom invested several million dollars in its efforts to clean up its systems and beef up its security after the attack. However, The Intercept has learned that sources familiar with the malware investigation at the company are uncomfortable with how the clean-up operation was handled, and they believe parts of the GCHQ malware were never fully removed.
The revelations about the scope of the hacking operation will likely alarm Belgacom’s customers across the world. The company operates a large number of data links internationally (see interactive map below), and it serves millions of people across Europe as well as officials from top institutions including the European Commission, the European Parliament, and the European Council. The new details will also be closely scrutinized by a federal prosecutor in Belgium, who is currently carrying out a criminal investigation into the attack on the company.
Sophia in ’t Veld, a Dutch politician who chaired the European Parliament’s recent inquiry into mass surveillance exposed by Snowden, told The Intercept that she believes the British government should face sanctions if the latest disclosures are proven.
“Compensating Belgacom should be the very least it should do,” in ’t Veld said. “But I am more concerned about accountability for breaking the law, violating fundamental rights, and eroding our democratic systems.”
Other similarly sophisticated state-sponsored malware attacks believed to have been perpetrated by Western countries have involved Stuxnet, a bug used to sabotage Iranian nuclear systems, and Flame, a spy malware that was found collecting data from systems predominantly in the Middle East.
What sets the secret British infiltration of Belgacom apart is that it was perpetrated against a close ally—and is backed up by a series of top-secret documents, which The Intercept is now publishing.
GCHQ declined to comment for this story, and insisted that its actions are “necessary, legal, and proportionate.”
The origins of the attack on Belgacom can be traced back to 2009, when GCHQ began developing new techniques to hack into telecommunications networks. The methods were discussed and developed during a series of top-secret “signals development” conferences, held annually by countries in the so-called “Five Eyes” surveillance alliance: the United States, the United Kingdom, Australia, New Zealand, and Canada.
Between 2009 and 2011, GCHQ worked with its allies to develop sophisticated new tools and technologies it could use to scan global networks for weaknesses and then penetrate them. According to top-secret GCHQ documents, the agency wanted to adopt the aggressive new methods in part to counter the use of privacy-protecting encryption—what it described as the “encryption problem.”
When communications are sent across networks in encrypted format, it makes it much harder for the spies to intercept and make sense of emails, phone calls, text messages, internet chats, and browsing sessions. For GCHQ, there was a simple solution. The agency decided that, where possible, it would find ways to hack into communication networks to grab traffic before it’s encrypted.
The British spies identified Belgacom as a top target to be infiltrated. The company, along with its subsidiary Belgacom International Carrier Services, plays an important role in Europe, and has partnerships with hundreds of telecommunications companies across the world—in Africa, Asia, Europe, the Middle East, and the United States. The Belgacom subsidiary maintains one of the world’s largest “roaming” hubs, which means that when foreign visitors traveling through Europe on vacation or a business trip use their cellphones, many of them connect to Belgacom’s international carrier networks.
The Snowden documents show that GCHQ wanted to gain access to Belgacom so that it could spy on phones used by surveillance targets travelling in Europe. But the agency also had an ulterior motive. Once it had hacked into Belgacom’s systems, GCHQ planned to break into data links connecting Belgacom and its international partners, monitoring communications transmitted between Europe and the rest of the world. A map in the GCHQ documents, named “Belgacom_connections,” highlights the company’s reach across Europe, the Middle East, and North Africa, illustrating why British spies deemed it of such high value.
Before GCHQ launched its attack on Belgacom’s systems, the spy agency conducted in-depth reconnaissance, using its powerful surveillance systems to covertly map out the company’s network and identify key employees “in areas related to maintenance and security.”
GCHQ documents show that it maintains special databases for this purpose, storing details about computers used by engineers and system administrators who work in the nerve center, or “network operations center,” of computer networks worldwide. Engineers and system administrators are particularly interesting to the spies because they manage networks—and hold the keys that can be used to unlock large troves of private data.
GCHQ developed a system called NOCTURNAL SURGE to search for particular engineers and system administrators by finding their IP addresses, unique identifiers that are allocated to computers when they connect to the internet. In early 2011, the documents show, GCHQ refined the NOCTURNAL SURGE system with the help of its Canadian counterparts, who had developed a similar tool, named PENTAHO.
GCHQ narrowed down IP addresses it believed were linked to the Belgacom engineers by using data its surveillance systems had collected about internet activity, before moving into what would be the final stages prior to launching its attack. The documents show that the agency used a tool named HACIENDA to scan for vulnerable potential access points in Belgacom’s networks; it then went hunting for particular engineers or administrators that it could infect with malware.
The British spies, part of a special unit named the Network Analysis Center, began trawling through their vast repositories of intercepted Internet data for more details about the individuals they had identified as suspected Belgacom engineers.
The spies used the IP addresses they had associated with the engineers as search terms to sift through their surveillance troves, and were quickly able to find what they needed to confirm the employees’ identities and target them individually with malware.
The confirmation came in the form of Google, Yahoo, and LinkedIn “cookies,” tiny unique files that are automatically placed on computers to identify and sometimes track people browsing the Internet, often for advertising purposes. GCHQ maintains a huge repository named MUTANT BROTH that stores billions of these intercepted cookies, which it uses to correlate with IP addresses to determine the identity of a person. GCHQ refers to cookies internally as “target detection identifiers.”
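The correlation step described above, in code, as an added illustration that is not from the article and not GCHQ’s tooling. It assumes intercept records of the form (timestamp, client IP, host, cookie name, cookie value); the IP addresses, host names and cookie values are constructed for the example. The point it makes concrete is why an advertising or session cookie is a “target detection identifier”: a cookie seen from an office address and later from a home address binds both addresses to one browser, and the example goes one step further than the text by chaining such links transitively into per-person clusters.

```python
"""
Cookie-to-IP correlation, as an added example (not the article's or GCHQ's code).
Record format and all values below are constructed for illustration.
"""
from collections import defaultdict

# Constructed intercept records: (timestamp, client_ip, host, cookie_name, cookie_value).
# Real tracking cookies are long opaque tokens; these short values are placeholders.
RECORDS = [
    ("2011-01-10T08:02", "198.51.100.7", "www.linkedin.com", "bcookie", "v=2&a1b2c3"),
    ("2011-01-10T08:05", "198.51.100.7", "www.google.com",   "PREF",    "ID=77aa"),
    ("2011-01-10T21:30", "203.0.113.42", "www.linkedin.com", "bcookie", "v=2&a1b2c3"),  # same browser, home line
    ("2011-01-11T09:10", "198.51.100.7", "www.yahoo.com",    "B",       "yb-9f8e"),
    ("2011-01-11T09:12", "198.51.100.9", "www.google.com",   "PREF",    "ID=5c5c"),     # a different employee
    ("2011-01-12T19:45", "203.0.113.42", "www.google.com",   "PREF",    "ID=77aa"),
    ("2011-01-12T20:00", "192.0.2.200",  "www.google.com",   "PREF",    "ID=5c5c"),
]

# Assumed output of the earlier steps (NOC detection, scanning): addresses believed
# to belong to the target company's engineers. Constructed for the example.
CANDIDATE_IPS = {"198.51.100.7", "198.51.100.9"}


def index_by_cookie(records):
    """Map each (host, cookie_name, cookie_value) identifier to the client IPs it was seen from."""
    seen = defaultdict(set)
    for _, ip, host, name, value in records:
        seen[(host, name, value)].add(ip)
    return seen


def pivot(records, candidate_ips):
    """
    For every candidate IP, return the other IPs that share at least one cookie with it.
    A cookie observed from the office and from a home connection ties both
    addresses to the same browser, and so, usually, to the same person.
    """
    by_cookie = index_by_cookie(records)
    linked = defaultdict(set)
    for ident, ips in by_cookie.items():
        for cand in ips & candidate_ips:
            linked[cand] |= ips - {cand}
    return {ip: sorted(others) for ip, others in linked.items()}


def identity_clusters(records):
    """
    Chain the links transitively with union-find: IPs and cookies are nodes,
    each record is an edge. Returns one set of IPs per inferred person.
    """
    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    def union(a, b):
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[ra] = rb

    for _, ip, host, name, value in records:
        union(("ip", ip), ("cookie", (host, name, value)))

    clusters = defaultdict(set)
    for node in list(parent):
        if node[0] == "ip":
            clusters[find(node)].add(node[1])
    return list(clusters.values())


if __name__ == "__main__":
    print(pivot(RECORDS, CANDIDATE_IPS))
    print(identity_clusters(RECORDS))
```

On the constructed data, `pivot` ties the office address 198.51.100.7 to the home address 203.0.113.42 through two independent cookies, and `identity_clusters` separates the two employees into two clusters. The defensive lesson is the mirror image: engineers whose workstations browse with the same persistent cookies from the corporate network and from home are linkable by anyone who can observe both paths.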
Top-secret GCHQ documents name three male Belgacom engineers who were identified as targets to attack. The Intercept has confirmed the identities of the men, and contacted each of them prior to the publication of this story; all three declined comment and requested that their identities not be disclosed.
GCHQ monitored the browsing habits of the engineers, and geared up to enter the most important and sensitive phase of the secret operation. The agency planned to perform a so-called “Quantum Insert” attack, a man-on-the-side technique in which a forged response is injected into a target’s web session faster than the legitimate server can answer, redirecting the person to a malicious website that infects their computer with malware. In this case, the documents indicate that GCHQ set up a malicious page that looked like LinkedIn to trick the Belgacom engineers. (The NSA also uses Quantum Inserts to target people, as The Intercept has previously reported.)
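What a Quantum Insert leaves on the wire, as an added example that is not from the article and not Fox-IT’s or GCHQ’s code. Because the injector sits beside the path rather than on it, it can race the real server’s reply but cannot suppress it, so the client eventually receives two TCP segments for the same connection and the same sequence number with different contents. The detector below looks for exactly that, treating a byte-identical repeat as an ordinary retransmission; the packet records, addresses, TTLs and HTTP bodies are constructed for the example, and the TTL check is a secondary heuristic (a forged segment usually enters the path at a different hop distance), not a rule the article states.

```python
"""
Quantum Insert / man-on-the-side detection on captured TCP segments.
Added example, not the article's or any vendor's code. All packets below are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    seq: int
    ttl: int
    payload: bytes


# Constructed capture, in arrival order at the client.
# 203.0.113.10 stands in for a web server; 198.51.100.7 for the engineer's workstation.
SEGMENTS = [
    Segment("198.51.100.7", 51234, "203.0.113.10", 80, 1000, 64,
            b"GET /in/someone HTTP/1.1\r\nHost: www.example.invalid\r\n\r\n"),
    # The injected reply wins the race: same flow, same seq, but a redirect to the attacker's host.
    Segment("203.0.113.10", 80, "198.51.100.7", 51234, 5000, 51,
            b"HTTP/1.1 302 Found\r\nLocation: http://login.example.invalid/\r\nContent-Length: 0\r\n\r\n"),
    # The genuine reply arrives a moment later with the same sequence number.
    Segment("203.0.113.10", 80, "198.51.100.7", 51234, 5000, 58,
            b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>profile</html>"),
    # A true retransmission of the genuine reply: identical bytes, must not be flagged.
    Segment("203.0.113.10", 80, "198.51.100.7", 51234, 5000, 58,
            b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>profile</html>"),
    # An unrelated, clean flow.
    Segment("203.0.113.20", 80, "198.51.100.7", 51240, 9000, 57,
            b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\nok"),
]


def find_injections(segments):
    """
    One finding per (flow, seq) that carried two or more different payloads.
    Reports the status line of the segment the client saw first (the race winner),
    whether the competing segments disagree on TTL, and how many variants were seen.
    """
    by_key = defaultdict(list)
    for order, s in enumerate(segments):
        by_key[(s.src, s.sport, s.dst, s.dport, s.seq)].append((order, s))

    findings = []
    for key, group in by_key.items():
        payloads = {s.payload for _, s in group}
        if len(payloads) < 2:
            continue  # single payload, or byte-identical retransmissions only
        group.sort(key=lambda item: item[0])
        winner = group[0][1]
        ttls = {s.ttl for _, s in group}
        findings.append({
            "flow": key[:4],
            "seq": key[4],
            "winner_status": winner.payload.split(b"\r\n", 1)[0].decode(errors="replace"),
            "ttl_mismatch": len(ttls) > 1,
            "variants": len(payloads),
        })
    return findings


if __name__ == "__main__":
    for f in find_injections(SEGMENTS):
        print(f)
```

On the constructed capture the detector reports a single finding: the flow from 203.0.113.10:80, sequence number 5000, where the first-seen segment is a `302 Found` redirect, a second variant (the real `200 OK`) followed, and the two disagree on TTL. Running the same logic over a live mirror port is noisy on lossy links, so in practice the TTL disagreement and a winner that is a redirect are what separate an injection from plain retransmission.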
A GCHQ document reviewing operations conducted between January and March 2011 noted that the hack on Belgacom was successful, and stated that the agency had obtained access to the company’s systems as planned. By installing the malware on the engineers’ computers, the spies had gained control of their machines, and were able to exploit the broad access the engineers had into the networks for surveillance purposes.
The document stated that the hacking attack against Belgacom had penetrated “both deep into the network and at the edge of the network,” adding that ongoing work would help “further this new access.”
By December 2011, as part of a second “surge” against Belgacom, GCHQ identified other cellphone operators connecting to the company’s network as part of international roaming partnerships, and successfully hacked into data links carrying information over a protocol known as GPRS, which handles cellphone internet browsing sessions and multimedia messages.
The spy agency was able to obtain data that was being sent between Belgacom and other operators through encrypted tunnels known as “virtual private networks.” GCHQ boasted that its work to conduct “exploitation” against these private networks had been highly productive, noting “the huge extent of opportunity that this work has identified.” Another document, dated from late 2011, added: “Network Analysis on BELGACOM hugely successful enabling exploitation.”
GCHQ had accomplished its objective. The agency had severely compromised Belgacom’s systems and could intercept encrypted and unencrypted private data passing through its networks. The hack would remain undetected for two years, until the spring of 2013.
In the summer of 2012, system administrators detected errors within Belgacom’s systems. At the company’s offices on Lebeau Street in Brussels, a short walk from the European Parliament’s Belgian offices, employees of Belgacom’s BICS subsidiary complained about problems receiving emails. The email server had malfunctioned, but Belgacom’s technical team couldn’t work out why.
The glitch was left unresolved until June 2013, when there was a sudden flare-up. After a Windows software update was applied to Belgacom’s Exchange email server, the problems returned, worse than before. The administrators contacted Microsoft for help, questioning whether the new Windows update could be the reason for the fault. But Microsoft, too, struggled to identify exactly what was going wrong. There was still no solution to be found. (Microsoft declined to comment for this story.)
Belgacom’s internal security team began to suspect that the systems had been infected with some sort of virus, and the company decided it was time to call in outside experts. It hired Dutch computer security firm Fox-IT to come and scan the systems for anything suspicious.
Before long, Fox-IT discovered strange files on Belgacom’s email server that appeared to be disguised as legitimate Microsoft software. The suspicious files had been enabling a highly sophisticated hacker to circumvent automatic Microsoft software updates of Belgacom’s systems in order to continue infiltrating the company’s systems.
About a month after Belgacom had identified the malicious software, or malware, it informed Belgian police and the country’s specialist federal computer crime unit, according to sources familiar with the incident. Belgian military intelligence was also called in to investigate the hack, together with Fox-IT.
The experts from Fox-IT and military intelligence worked to dissect the malware on Belgacom’s systems, and were shocked by what they found. In interviews with The Intercept and its reporting partners, sources familiar with the investigation described the malware as the most advanced they had ever seen, and said that if the email server had not malfunctioned in the first place, the spy bug would likely have remained inside Belgacom for several more years.
While working to assess the extent of the infection at Belgacom, the team of investigators realized that the damage was far more extensive than they first thought. The malware had not only compromised Belgacom’s email servers, it had infected more than 120 computer systems operated by the company, including up to 70 personal computers.
The most serious discovery was that the large routers that form the very core of Belgacom’s international carrier networks, made by the American company Cisco, were also found to have been compromised and infected. The routers are one of the most closely guarded parts of the company’s infrastructure, because they handle large flows of sensitive private communications transiting through its networks.
Earlier Snowden leaks have shown how the NSA can compromise routers, such as those operated by Cisco; the agency can remotely hack them, or physically intercept and bug them before they are installed at a company. In the Belgacom case, it is not clear exactly which method was used by GCHQ—or whether there was any direct NSA assistance. (The NSA declined to comment for this story.)
Either way, the malware investigators at Belgacom never got a chance to study the routers. After the infection of the Cisco routers was found, the company issued an order that no one could tamper with them. Belgacom bosses insisted that only employees from Cisco could handle the routers, which caused unease among some of the investigators.
“You could ask many security companies to investigate those routers,” one of the investigators told The Intercept. By bringing in Cisco employees to do the investigation, “you can’t perform an independent inspection,” said the source, who spoke on condition of anonymity because he was not authorized to speak to the media.
A spokesman for Cisco declined to comment on the Belgacom investigation, citing company policy. “Cisco does not comment publicly on customer relationships or specific customer incidents,” the spokesman said.
Shortly after the malware was found on the routers, Fox-IT was told by Belgacom to stop its investigation. Researchers from the Dutch security company were asked to write up a report about their findings as soon as possible. Under the conditions of a non-disclosure agreement, they could not speak about what they had found, nor could they publicly warn against the malware. Moreover, they were not allowed to remove the malware.
Between late August and mid-September 2013, there was an intense period of activity surrounding Belgacom.
On August 30, some parts of the malware were remotely deleted from the company’s infected systems—apparently after the British spies realized that it had been detected. But the malware was not completely removed, according to sources familiar with the investigation.
Two weeks later, on Sept. 14, employees from Belgacom, investigators, police and military intelligence services began an intensive attempt to completely purge the spy bug from the systems.
During this operation, journalists were tipped off for the first time about the malware investigation. The Intercept’s Dutch and Belgian partners NRC Handelsblad and De Standaard reported the news, disclosing that sources familiar with the investigation suspected NSA or GCHQ may have been responsible for the attack.
The same day the story broke, on Sept. 16, Belgacom issued a press release. “At this stage there is no indication of any impact on the customers or their data,” it said. “At no point in time has the delivery of our telecommunication services been compromised.”
Then, on Sept. 20, German news magazine Der Spiegel published documents from Snowden revealing that British spies were behind the hack, providing the first confirmation of the attacker’s identity.
In the aftermath of the revelations, Belgacom refused to comment on GCHQ’s role as the architect of the intrusion. Top officials from the company were called to appear before a European Parliamentary committee investigating the extent of mass surveillance revealed by Snowden.
The Belgacom bosses told the committee that there were no problems with Belgacom’s systems after a “meticulous” clean-up operation, and again claimed that private communications were not compromised. They dismissed media reports about the attack, and declined to discuss anything about the perpetrator, saying only that “the hackers [responsible] have considerable resources behind them.”
People with knowledge of the malware investigation watched Belgacom’s public statements with interest. And some of them have questioned the company’s version of events.
“There was only a partial clean-up,” said one source familiar with the malware investigation. “I believe it is still there. It is very hard to remove and, from what I’ve seen, Belgacom never did a serious attempt to remove it.”
Belgacom declined to comment for this story, citing the ongoing criminal investigation in Belgium.
Last month, The Intercept confirmed Regin as the malware found on Belgacom’s systems during the clean-up operation.
The spy bug was described by security researchers as one of the most sophisticated pieces of malware ever discovered, and was found to have been targeting a host of telecommunications networks, governments, and research organizations, in countries such as Germany, Iran, Brazil, Russia, and Syria, as well as Belgium.
GCHQ has refused to comment on Regin, as has the NSA, and Belgacom. But Snowden documents contain strong evidence, which has not been reported before, that directly links British spies to the malware.
Aside from showing extensive details about how the British spies infiltrated the company and planted malware to successfully steal data, GCHQ documents in the Snowden archive contain codenames that also appear in samples of the Regin malware found on Belgacom’s systems, such as “Legspin” and “Hopscotch.”
One GCHQ document about the use of hacking methods references the use of “Legspin” to exploit computers. Another document describes “Hopscotch” as part of a system GCHQ uses to analyze data collected through surveillance.
Ronald Prins, director of the computer security company Fox-IT, has studied the malware, and played a key role in the analysis of Belgacom’s infected networks.
“Documents from Snowden and what I’ve seen from the malware can only lead to one conclusion,” Prins told The Intercept. “This was used by GCHQ.”
———
Documents published with this article:
———
Photo: Belgacom headquarters: Paul O’Driscoll/Getty; Map: Ingrid Burrington and Josh Begley; Belgacom operations center, Paul O’Driscoll/Bloomberg via Getty.
Take your shiny apples to some other dwarf’s hut, old hag! We don’t take cold calls or unverified key certificates.
Why do you post this roaster and refuse to let us have at it? Just the side kicking icehole in yourself? Are you SERIOUSLY considering going over to the uptake side? I thought you were on the down and low…you only report leakages. Sorry, I see this as wavering. Turn your back; not back, Lot’s wife!! Oh well…
Are you NUTZ, Milgram? Stay away for the apps! That’s the key to their penetration! Sis is always loading up her phone and I keep wonder where they house the multitudinous choruses of her droning.
We need to declare war on North Korea for wrecking Sony’s computer network.
I am sure if Fox News contacts Dick Cheney that is what he will also recommend.
The best part of this story is missing! Anti-virus vendors including Symantec, Kaspersky, and F-Secure (and every other vendor with access to the VirusTotal data-feed – which is pretty much all vendors) knew about this since 2009, and deliberately did not add the signatures to their products or even mention this threat until after they found out that info about Regin had found its way into the mass media already. Details: http://www.schneier.com/crypto-gram-1412.html
Even more amusing – their weak and feeble “excuses” for the way they acted. You can’t trust governments to behave, and you can’t trust anti-virus vendors to protect you either. World-war-III is in full swing…
Actually, they did add the signatures.
They just didn’t publish a detailed analysis until recently. Writing up a detailed analysis on malware that big takes a lot more time than adding detection.
I don’t particularly like the anti-virus companies, but in this instance at least, they did not act improperly.
So Kaspersky was also into the mischief? I thought it was from Putin’s own country and so would not be influenced by NSA and GCHQ. How come?
I wonder why people don’t use Linux. It’s not hard at all. If schools taught their students to use Linux in a few years most people would be using it.
Linux is OK for self-contained software. any cross-platform browser is still about the same browser as on other OSes.
But working between types of software isn’t as easy in Linux, though admitttedly I haven’t sought obscure software which might happen to interact with (browsers) better.
I have Linux running here for people who mostly use browsers.
I agree about providing diverse experiences to students.
Well done GCHQ, UK taxpayers getting their money’s worth
They have entirely resolved the “Belgacom” problem.
Now it’s “Proximus”.
This seems interesting until you get to crux of the matter that NO SERIOUS attempt has been made to remove Regin. It’s all smoke and mirrors. They have the technology and they are not going to stop using it. Privacy? Go back to the typewriter…but remember they may be watching what you type from cctv overhead
Postal Service Confirms Photographing All U.S. Mail
By RON NIXON
Published: August 2, 2013
WASHINGTON — The Postal Service on Friday confirmed that it takes a photograph of every letter and package mailed in the United States — about 160 billion pieces last year — and occasionally provides the photos to law enforcement agencies that request them as part of criminal cases.
Oops, thought I’d deleted the social network links, etc.
Lol
Excellent piece, Ryan. Admirably thorough and succinct.
“They” are just breathtakingly out of control, aren’t they? No matter how bad we thought it was, it turns out to be even worse.
Possibly the most important article of the year. This needs to be spread as much as possible. The surveillance of the sys admins and engineers is clearly illegal and something needs to be done. This article is the smoking gun
The silence of the Belgian gov is the really hot spot. Did they notice they are involved in the grand scheme of the crimes? Or were they simply intimidated?
Here lies the news of the world!
Well done GCHQ and NSA. Nice to see a successful government info gathering operation where the only torture involved was slow e-mails, rather than sleep deprivation, water boarding, illegal confinement etc etc. I reckon they must have developed BT’s new mail system.
First-class reporting, Ryan. Very, very good. Thanks so much.
I wonder about LinkedIn. Did they comment on being used and abused? Presumably GCHQ made an identical logo and page to look like LinkedIn. Was it the FBI who impersonated an AP news page in the States? Is it legal in the EU? Do LinkedIn have a comment on being (ab)used in such a manner by a security agency?
Top class informed journalism here. It is not clear to me why this entire attack on Belgacom was justified in the first place. Was the “Intelligence” garnered by GCHQ worth all this effort and expense.
Are you serious? By having access to Belgacom, the British can probably spy on the communications of thousands of European Commission civil servants, the Commissioners themselves probably, know about the positions of the 28 EU member countries before they are made public, etc. This gives Britain, and probably the US, a huge advantage in trade negotiations, for lobbying purposes, etc. Imagine: they probably know what the European Commission’s top officials investigating Google’s monopolistic practices think and then use that information to leak information to the media which will then help Google prepare its defence. The impact on Europe is huge. We are being enslaved. I don’t understand why EU officials don’t come out and forbid any US or UK company from providing e-mail or communication material to EU institutions. MEPs should give up their personal Gmail addresses or LinkedIn accounts. The current passivity is baffling.
Why? Lol. U kidding aren’t u? Belgacom’s home market includes EU & NATO HQs, and the world’s second largest diplomatic, lobbying and press corps after Washington, plus countless weekly state visits to the EU with their courtiers and negotiators.
Any clue why?
I have had a tendency to assume US bullying (and Israel’s interests) are the magnetic north for corporatist/militarist proactive corrupt Western behavior on an international level, and that the intimidation of those parties is what largely causes the ‘five eyes’ to submit, but informative articles like this indicate that independently reprehensible (and functionally stupid-as-precedent) actions are being commonly initiated by British authorities quite apart from American corruption.
“Great” Britain?
Microsoft can’t possibly sell closed source software seriously anymore. No one except the U.S. Government trusts them now.
I am struck by page 15 of the “Automated NOC Detection” document:
• Interaction with Routers over TCP Port 23 may be nefarious:
– Scanning
– Password guessing
• Need to separate legitimate use from nefarious activity
• Look for signs of legitimate use.
– Successful login
– Follow on commands
In other words, the hackers at GCHQ have to be careful not to be distracted by traffic from *other*, would-be attackers probing at the same systems they are trying to compromise. Because the activities of those other guys (gals) are “nefarious”!!
It’s to laugh …
Government officials of our 3 branches of Government & of the CIA & NSA should remember what happened to the Nazi @ the Nuremberg Trials, so they won’t be shocked when it happens to them ! !
What happened to the Nazis was what generally happens to all those who lose wars. What makes you think USA or UK will lose any war any time soon? Russia is a spent force and China is only interested in business.
As our allies abandon us it is only a matter of time for some payback !
> China is only interested in business
big business (“corporations”) is the same as war, religion
ROP’s form of government is state corporatism, which is why the rest of the world’s executive class (“business leaders”) imitates China’s communism to the extents possible.
this article feels very important. the breadth and depth of deception and invasion of privacy to “protect” is nonsensical and can only be a lie. in and of itself, it is horrifying. the likely given that it is only a fraction of what is actually transporting and actually only a symptom of the true abyss in which the populace finds themselves.
this is an act of war, not only against the governments involved, but against their very citizens. the more the reality is put in display, the more light shined onto these dark and murky actions and those who enable them, the closer we must be coming to the eventual end of this slavery. Orwell reconfirmed his brilliance yet again, snowden his hero status.
All good information and I’m happy to see someone tackling these sorts of activities. Having said this, will there ever come a time when The Intercept (or anyone else) might decide that it’s worthwhile to pursue offline domestic surveillance, harassment and worse? What’s being done with the various watchlists? What are our fusion centers doing with the dossiers that are being built/expanded? How about the actions of groups like the LEIU (and others) to which the FOIA doesn’t apply? Cointelpro-style activities continue, but mum’s the word, apparently. No one will touch certain domestic activities that were ramped up after 9/11. What’s transpiring on U.S. soil is beyond shameful and yet it continues.
Agreed. I would also love to see some intrepid reporter crack something like this from the downstream end. In particular, I’m thinking of the infamous case of Justin Carter, who made some wacky comments in an online gaming session, and was sentenced to be attacked in prison, then subject to pedophile-like restrictions on his movement and banned from using the Internet for 2+ years while hoping to prove his innocence. ( http://www.npr.org/blogs/alltechconsidered/2014/12/01/367771533/as-high-court-considers-online-threats-an-update-on-justin-carter ) The thing is: I don’t buy the claim that some Canadian woman just happened to read his message at the one moment he sounded threatening without viewing the context, and that some butthead prosecutor in Texas is just doing this for the heck of it. This sounds like something an organization would do as a test case for a new spying program, and keep going at all costs because to fold would mean admitting their program was no good and could be scrapped. Wish someone could find out about the supposed complainant, see if she has connections with CSIS…
Very good questions that I do hope someone at The Intercept is looking into. Like right now. Pretty please?
Or maybe James Risen or Seymour Hersh could check with all their intelligence sources (both agencies and private contractors). I’d love to be wrong, but I’m guessing there weren’t any documents in the Snowden file about the program; so, someone is going to have to do some shoe-leather reporting — or at least email or call a bunch of people — to expose this monstrosity.
I have a strong hunch that one of the golden rules of the current domestic counter-intelligence program — at least at this point in the “experiment” — is not to conspicuously stalk and surveil anyone with the capacity to expose the program.
Given the tech available that we hear about every day, I imagine that well-known individuals are monitored in less conspicuous ways, which may be part of the reason — perhaps the main reason — there is basically no media coverage: I don’t think the media understands or believes there is a sample group of Americans being conspicuously stalked and surveilled — almost 24/7 — in a manner that is more akin to the way the FBI stalked and hounded the once-main suspect, who was later completely cleared, in the anthrax letter probe, Dr. Steven Hatfill.
And while I would not be surprised to find out the government is indeed using directed energy weapons (DEWs) in some limited cases, I think the conflation of these types of weapons with old-fashioned, so-completely-up-in-your-shit-that-we-just-drove-over-your-foot conspicuous targeting has prevented journalists from giving the subject the appropriate attention.
If the management was in on it, then surely it could have been done without being discovered and no public revelations at all? The actions of management are consistent with their desire to hold on to their clients. Not so intelligent, perhaps, but what do you expect?
This was a reply to the general.
This sort of information is accessible to people with security clearances and on a need-to-know basis. Only those with sufficient authority to secure the system physically would be let in on the secrets. The engineers are there to make sure rogue spies from Russia, China or North Korea don’t break in. If they don’t need to be told about the GCHQ break-in, then they won’t be told.
By having the bugs installed surreptitiously (GCHQ) the Belgacom engineers are kept out of the loop. The fewer the players the easier to keep secret. The Belgacom “managers” are probably no different than the Microsoft managers. They’re complicit!
I am sending this article to friends as an example of a spy novel.
US & UK spying on Europe!
No place to hide for almost anyone on the planet.
In trade treaties, governments are giving up sovereignty.
Are governments giving up sovereignty in the information arena as well?
Thank God for Edward Snowden. If there had been several more years of these secret efforts, it might not have been possible to recover.
What could an “Evil Edward Snowden” do with such information? Edward Snowden answers:
Snowden on CSPAN – “The NSA still asks, “What did he get?” and they still don’t know. If their auditing is so poor…What’s going to happen when they have someone who’s trying to stay under the radar, who is trying to cover their tracks, who is trying to game the system, who is going to use these authorities, these incredible powers for themselves, their class, their group, their own interest…
https://www.youtube.com/watch?v=SLsspQsw4vY
The NSA, GCHQ and the other ‘five eyes’ claim they are electronically spying on the world to keep it ‘safe’. And they can’t even audit their own house to find out what data Snowden copied (not stole).
The obvious fact is: The NSA can’t find their own ass crack with both hands.
This article is the first I’ve seen with the proper punctuation on the GCHQ boilerplate. Most transcribe it as “necessary, legal and proportionate”.
However, it is indeed the new “necessary legal” standard, which means the operation should only be as legal as is strictly necessary. Legal behaviors are not proscribed, but there should be a very good reason for them.
It is nonsense without the comma. “Necessary” is an adjective, and it cannot modify the adjective “legal”; both must modify the following noun or the one on the other side of “is”.
In any case, they do not stick to what is legal, minimally so or otherwise, and so what they say is a lie. Expect nothing else from them.
To be completely correct, it should be written as ‘necessary-legal’ to indicate a compound adjective. But since the term has only recently been invented by the GCHQ, I wasn’t going to quibble with the author of this excellent piece about some esoteric grammatical point.
I’m sorry, but you know how much disinformation is out there about these sorts of organizations (no doubt much of it of their own manufacture). You need to provide a reputable source for a claim like that… otherwise people are liable to think it is something you heard on Coast to Coast AM or Jesse Ventura’s show.
“it is indeed the new “necessary legal” standard, which means the operation should only be as legal as is strictly necessary.”
That is fundamentally incorrect. No UK government agency engaged in national security work is going to publicly disseminate a “standard” suggesting its conduct conforms to anything less than the Rule of Law. What the agency does secretly is an entirely different matter, but for public purposes they will only ever acknowledge conduct which is legal.
Re: Benito Mussolini – 13 Dec 2014 at 9:07 & 11:49 am
As your latest comment attests, Ryan Gallagher’s article is an “excellent piece” of professional reporting! His quoting of governmental fabrication of tortured language, used to facilitate the amending circumvention of existing lawful parameters, is merely illustrative of the early stages of the process, one too commonly employed to disguise malfeasance and corruption and present it as being properly within the “color of law”.
While Mr. Gallagher’s quotation may have inadvertently omitted a comma, the appearance of such a likely “typo” should not distract the attention of informed critical thinking readers, lest they be more interested in fomenting distractions and dissembling disguised as thoughtful commentary.
For my part, I would like to see Glenn Greenwald, from his expertise as a legal scholar and public service activist, present some in depth analysis of the element of the “legal community” that engages in employing their professional expertise in providing the convoluted language that facilitates the various corruptions of law that lie at the foundation of implementing such practices; both in governments and private sectors of society.
You artfully say,
Disguised improper reasoning, likewise, should not be allowed to impersonate good intention by providing “plausible deniability” to “bad actors”.
“Work is love made visible.” KG
As Usual,
EA
Thank you for the fantastic article and publishing more original documents related to this matter!
“…the hackers [responsible] have considerable resources behind them.”
Am I the only one that suspects whoever hacked Sony (no slouch in IT themselves) also had – “considerable resources behind them,” and how does that equate to a country still denying its best and brightest access to the internet just a couple years ago? (Watch Thursday’s Daily Show and Jon’s interview of a Korean teacher / spy…)
Was Sony in fact defying and incurring repercussions from the U.S. government in making the new Rogen / Franco film, “The Interview,” and not North Korea?
Inquiring minds…
No NFJTAKFA, you are NOT THE ONLY ONE! When I read of the massive hacking of SONY, the first thing I thought was: Thanks a lot NSA & GCHQ for weakening encryption for all!
Who knows what their real motive was for penetrating SONY. Are the SONY corporate attorneys such pussies for not going after the NSA? Robert De Niro’s quotes in the movie ‘CASINO’ are really fitting in this case: 1) “You didn’t see the scam? You didn’t see what was going on?”; 2) “Listen, if you didn’t know you were being scammed you’re too fuckin’ dumb to keep this job, if you did know, you were in on it.”
This great analysis at emptywheel requires that I reconsider Sony’s IT slouchiness…
https://www.emptywheel.net/2014/12/13/sony-hacked-its-not-one-massive-breach-its-more-than-50-breaches-in-15-years/#more-46038
Excellent article. To me, the most interesting aspect is the reaction of Belgacom’s senior executives to stop Fox IT’s investigation after Regin was discovered, and their subsequent statements. Can you provide more detail about this, maybe in a follow up article?
That’s right. The names and nationalities of the Belgacom bosses must be published and exposed. I am pretty sure they were aware of the whole thing from the beginning. It is the standard operating procedure of spy agencies to first gain control of the company management and then implement these subversions.
Cisco routers are terrible. My ISP has installed a Cisco router, but I use another one that I purchased and then placed the two in a series configuration. All my devices connect to my router, not the Cisco one.
Belgium, the most boring country in the world, just became remotely interesting.