British intelligence agency GCHQ (Government Communications Headquarters) has spoofed LinkedIn profiles of employees at mobile communications companies and mobile billing firms to gain access to their corporate networks, Der Spiegel reported.
The first known attack was on Belgacom, a telecom firm partly owned by the Belgian government, according to a top secret GCHQ presentation revealed by NSA whistleblower Edward Snowden. That attack was among projects launched by GCHQ to infiltrate foreign networks.
The British intelligence agency also targeted international mobile billing clearinghouses, which process international payment transactions between wireless companies.
Hitting US Companies
Syniverse and Mach, a company it acquired in July, are high on the list of clearinghouses GCHQ has targeted for such penetration, according to Der Spiegel.
GCHQ apparently has targeted three network engineers at Mach, using the Quantum Insert method.
Syniverse provides solutions that let different mobile technologies interoperate around the world. With its acquisition of Mach, it serves more than 1,500 mobile service providers, enterprises, ISPs and app providers in nearly 200 countries.
“There have been no known breaches of the Syniverse or Mach data centers by any government agency,” Syniverse spokesperson Bobby Eagle told TechNewsWorld. “Privacy and confidentiality are essential priorities for Syniverse, and we take these matters very seriously.”
The Essence of GCHQ’s Attack
The British intelligence service is, basically, placing itself on the path between targets and the sites they visit so it can intercept, and if it chooses alter, the traffic flowing between them.
This is known as a “man in the middle” attack.
Such attacks are commonly used against the banking sector. Quarkslab disclosed in October that Apple’s iMessage could be subjected to a man-in-the-middle attack.
“Man-in-the-middle attacks are one of the oldest kinds of attacks out there,” Daniel Castro, senior analyst at the Information Technology and Innovation Foundation, told TechNewsWorld.
We Are the (Tainted) World
GCHQ’s techniques are strikingly similar to the ones used by cybercriminals when they launch targeted attacks, such as spearphishing.
The agency first determines who works for a target company using publicly available data such as the victim’s LinkedIn profile. It apparently focuses on IT personnel and network admins because their accounts and workstations carry broad privileges on the corporate network.
The agency then gathers all available information about its victim — in one case, even gaining access to cookies on a victim’s PCs — then builds malware payloads customized for the victim’s machines.
One method of attack involved concealing the malware payloads on spoofed versions of victims’ LinkedIn pages. Loading the fake profile in the browser delivered the malware to the victim’s computer.
“We have never cooperated with any government agency, nor do we have any knowledge, with regard to these actions,” LinkedIn spokesperson Julie Inouye told TechNewsWorld.
“To date, we have not detected any of the spoofing activity that is being reported,” she said. “LinkedIn takes the privacy and security of our members very seriously, and when we’re made aware of any activity that may be considered problematic, we work to quickly shut it down.”
The Sincerest Form of Flattery
It appears that GCHQ borrowed heavily from the United States’ National Security Agency.
The NSA places secret servers, codenamed “Quantum,” at key places on the Internet backbone as part of its so-called “Turmoil” system, according to security specialist Bruce Schneier.
Turmoil is part of the NSA’s Turbulence program.
Once the Quantum servers are in place, they see a target’s request for a website they are spoofing and answer it before the legitimate site’s response arrives. That forged answer redirects the victim’s browser to another set of secret Internet servers, codenamed “FoxAcid,” Schneier said.
The FoxAcid servers then inject malware into victims’ PCs to compromise them. The trick depends on the victim’s browser accepting whichever response reaches it first, which is practical for a page fetched over plain HTTP; a TLS-protected session would reject a forged response it could not authenticate.
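To make the race concrete, here is an added example, written for this article and not taken from any agency document or from the page’s sources. It models the redirection described in “The Essence of GCHQ’s Attack” and the Quantum/FoxAcid race above in a toy TCP stream: an on-path injector and the real web server both answer the same request, the victim’s stack keeps whichever segment arrives first, and a passive detector flags the tell-tale the race leaves behind (one sequence number, two different payloads). The segment model, the timings, the addresses and the `exploit.invalid` hostname are all my assumptions and constructed sample data.

```python
"""Toy model of on-path HTTP response injection and its detection.

Added example: not code from the article or from any agency. All segments,
addresses, timings and hostnames below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample connection: a client fetching a profile page over plain HTTP.
STREAM = "10.0.0.5:51234-203.0.113.10:80"   # placeholder client/server addresses
EXPECTED_SEQ = 1000                           # next server byte the client expects


@dataclass(frozen=True)
class Segment:
    stream: str     # identifies the TCP connection
    seq: int        # TCP sequence number of the first payload byte
    payload: bytes  # application data carried by the segment
    t_ms: float     # arrival time at the client (milliseconds after the request)


def legit_response(seq: int, t_ms: float) -> Segment:
    """The real web server's answer (constructed)."""
    body = b"<html>real profile page</html>"
    head = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
            b"Content-Length: %d\r\n\r\n" % len(body))
    return Segment(STREAM, seq, head + body, t_ms)


def injected_response(seq: int, t_ms: float) -> Segment:
    """What an on-path injector races onto the wire: a redirect that sends the
    browser to an exploit server. The hostname is a placeholder (assumption)."""
    redirect = (b"HTTP/1.1 302 Found\r\nLocation: http://exploit.invalid/landing\r\n"
                b"Content-Length: 0\r\n\r\n")
    return Segment(STREAM, seq, redirect, t_ms)


def client_receives(segments: List[Segment], expected_seq: int) -> bytes:
    """Model the victim's TCP stack: the first segment carrying the expected
    sequence number is accepted; a later segment covering bytes already
    received looks like a retransmission and is dropped. That is why the
    party that answers first owns the connection."""
    accepted = b""
    next_seq = expected_seq
    for seg in sorted(segments, key=lambda s: s.t_ms):
        if seg.seq == next_seq:
            accepted += seg.payload
            next_seq += len(seg.payload)
        # seg.seq < next_seq: overlaps data already accepted, discarded as duplicate
    return accepted


def detect_injection(segments: List[Segment]) -> List[Tuple[str, int, bytes, bytes]]:
    """Passive detector placed where both copies pass: the same sequence number
    seen twice on one stream with different payloads means two parties
    answered the same request. Returns (stream, seq, first_bytes, second_bytes)."""
    seen: Dict[Tuple[str, int], bytes] = {}
    alerts: List[Tuple[str, int, bytes, bytes]] = []
    for seg in sorted(segments, key=lambda s: s.t_ms):
        key = (seg.stream, seg.seq)
        if key in seen and seen[key] != seg.payload:
            alerts.append((seg.stream, seg.seq, seen[key][:16], seg.payload[:16]))
        seen.setdefault(key, seg.payload)
    return alerts


def simulate_race(injector_rtt_ms: float = 20.0,
                  server_rtt_ms: float = 80.0) -> Tuple[bytes, List[Tuple[str, int, bytes, bytes]]]:
    """Run one race: the injector answers after injector_rtt_ms, the real server
    after server_rtt_ms. Returns what the client consumed and what the passive
    detector flagged."""
    segs = [injected_response(EXPECTED_SEQ, injector_rtt_ms),
            legit_response(EXPECTED_SEQ, server_rtt_ms)]
    return client_receives(segs, EXPECTED_SEQ), detect_injection(segs)


if __name__ == "__main__":
    consumed, alerts = simulate_race()
    print("client consumed:", consumed.split(b"\r\n", 1)[0])
    print("detector alerts:", alerts)
```

Two points the toy makes that the prose alone does not: the injector only has to be closer to the victim than the real server, not faster in any absolute sense, and the passive detector still fires when the injector loses the race, because both answers cross the wire either way. A production detector must sit where it sees both copies and must separate this pattern from ordinary retransmissions, whose payloads are identical.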
It’s not clear whether the UK agency is using the same technology as the NSA, although Der Spiegel uses the term “Quantum Insert” in its description of the GCHQ attacks.
“Capturing large amounts of Internet traffic and redirecting it like that should be off limits,” the ITIF’s Castro remarked.