GCHQ developed a system called NOCTURNAL SURGE to search for particular engineers and system administrators by finding their IP addresses...
The confirmation came in the form of Google, Yahoo, and LinkedIn “cookies,” tiny unique files that are automatically placed on computers to identify and sometimes track people browsing the Internet, often for advertising purposes. GCHQ maintains a huge repository named MUTANT BROTH that stores billions of these intercepted cookies, which it uses to correlate with IP addresses to determine the identity of a person.
Hope you aren't sending cookies to an http site. Ever.
Also note "GCHQ developed a system called NOCTURNAL SURGE to search for particular engineers and system administrators by finding their IP addresses, unique identifiers that are allocated to computers when they connect to the internet."
Then the screenshot shows some queries of TELNET / SSH connections, which can mean: whoever uses SSH stands out from the crowd.
Do companies using Git tend to use it over SSH like personal github/Bitbucket works? If so, that's presumably a lot of noise in this genius detection scheme.
There would be very different traffic patterns. Git over SSH would be a shortlived session with high data speeds, an interactive shell is longer with lower throughput changing in fits and starts. The popularity and hostnames of ssh servers also give some hints. Noise in detection would all depends on how intricate the monitoring is and how well it can be queried.
Score one for adblockers. At least that will get rid of some of the most frequently used ones that in the case of google also tie into your real world identity.
Is there a way to disable http cookies in the browser without disabling https cookies? It seems like with the recent push towards https this should be viable.
What would be the appropriate sanctions for a breach of this magnitude? The EU is pretty spineless and I suspect the answer to the question will be 'none'. Just don't do it again and if you do don't get caught or something like that.
Belgacom seems to have been more than happy to see this swept under the carpet, the gag on Fox-IT and their partial answers in the investigation are most telling.
They should charge the attackers same as any other criminals, and then issue an European Arrest Warrant to execute it.
The diplomatic fallout from that would be nice enough deterrent that no EU member would dare to ever again send state sponsored hackers at an other member.
I really don't think regulating espionage between member states is within the scope of the EU's objectives. Presumably, the Belgian government could make a complaint to the British government through the usual diplomatic channels. Introducing any sort of international sanctions would be a bit of an overreaction.
Spying on other memberstates in the EU parliament (indirectly in this case) violates the neutrality of the body governing the EU. It's a pretty big deal imho, but we'll see what the eventual fall-out will be.
Here is a good article (in Dutch) about the whole thing:
One key bit is that this is not just GHCQ working in isolation, the NSA also had a hand in it:
"Ze maken gebruik van een Amerikaanse techniek (Quantum Insert), ontwikkeld door een speciale afdeling van de NSA, om computers te hacken. Als iemand online gaat, wordt zijn internetverkeer vliegensvlug omgeleid naar een netwerkcomputer (of server) die de Amerikaanse geheime dienst stiekem controleert."
Which roughly translates to "They use a special American technique (Quantum Insert), developed by a special department of the NSA, to hack computers. If someone goes online their internettraffic is redirected lightningfast to a network computer (or server) controlled by the American secret services."
Does GCHQ rely on NSA QI facilities, or can they run the attack on their own? The Intercept makes a weaker claim than the above about NSA direct involvement. Certainly, I believe NSA QI redirects traffic to NSA controlled servers, but I'd imagine when GCHQ is running the op they would prefer to redirect to their own servers.
Both GCHQ and NSA have separate QUANTUM rollouts, with slightly different capabilities. They can each more-or-less freely use the other (the NSA reaches GCHQ's directly over the gchq.nsa.ic.gov gateway, and there's a similar one on the other side).
> one of the most advanced spy tools ever identified by security researchers
It's interesting to watch the apparently monotonically advancing capabilities of malware. Every piece of spyware discovered is far more advanced than anything that came before. (With the occasional exception, "complete amateur hour shite" malware.) Nobody ever seems to use spyware that's just good enough.
Does "advanced spy tools" just mean "stockpile of unpatched vulnerabilities"? And if so why are "responsible" governments leaving those vulnerabilities extant when they could be used to harm their own citizens. Are we not a target worth protecting?
Cynically, I believe "advanced spy tools" means "I want this story to sound exciting". You hardly need 0-days to pwn most targets. A combination of 7-days, "check out this draft of next week's roadmap", and weak/reused passwords is more than enough.
Malware isn't really my specialty, but this mostly sounds like malware 101 stuff.
> This Regin driver recurrently checks that the current IRQL (Interrupt Request Level) is set to PASSIVE_LEVEL using the KeGetCurrentIrql() function in many parts of the code, probably in order to operate as silently as possible and to prevent possible IRQL confusion. This technique is another example of the level of precaution the developers took while designing this malware framework.
Or in other words, they read the documentation for writing a kernel driver?
Yeah, I can definitely believe this came from GCHQ/NSA/whoever, but the breathless reporting makes it sound like Fox Mulder recovered it from an alien crash.
Think of how precious responsible employees that have read the documentation are to any company. Having teams of dedicated, capable, honest people who are working for a government on malware is absolutely a new development.
Perhaps, in their eyes, a few hundred stolen identities & fraudulent purchases is collateral damage and petty compared to the type of threats they're dealing with.
Of particular interest is how they used the MITM attack using LinkedIn. Was LinkedIn running https back then? Does it imply that company or certificates have been compromised also?
2012 saw a very large password leak for LinkedIn....
As long as networks continue to be centralized at large hubs like Google, Facebook, Belgacom, etc. this will continue to be a problem. Break things up and make them less centralized and all of a sudden it is much harder to do all this.
Could it be, and I just thinking out loud and speculating here, that the Belgium government or secret service knew about this and that the UK was simply using Belgacom as "target practise"?
I mean, I would assume that GCHQ would would want to test the effectiveness of their systems that using an EU member state and partner would make sense but you obviously don't want them to generally know about it because it wouldn't make the target practise legit.
The Belgian government has a lot to lose in all this. They host the EU parliament which was a top target for this exercise. If the Belgian government would be found to be complicit in this then the fall-out might include such things as a relocation of the EU parliament to a country that would not readily bend over to aid another country in spying on the EU parliament members.
That alone I think is sufficient to highly doubt Belgian government involvement in this.
The Belgian government is highly incompetent in all matters related to cyber security (amongst many other things).
There was a case a few years back, where apparently some of their more important systems were infected by an unknown trojan or a piece of spyware - can't exactly remember what it was.
I believe, at the time, they assumed that it came from the NSA. Guess who they called to fix it? The NSA.
Personally, I believe they should've been able to fix it themselves. Then again, I'm also the kind of person who believes that you don't spy on your friends.
> Personally, I believe they should've been able to fix it themselves.
Difficult to fix stuff when you don't have both access to the source code AND verifiable builds. And we know that no one can trust Cisco in any case - if Cisco themselves do not cooperate, NSA will intercept the parcel en route anyway.
I'd certainly expect worldwide sales of Cisco routers to decrease as a result of this. Furthermore I'd expect a large number of Belgacom customers to walk too.
GCHQ developed a system called NOCTURNAL SURGE to search for particular engineers and system administrators by finding their IP addresses...
The confirmation came in the form of Google, Yahoo, and LinkedIn “cookies,” tiny unique files that are automatically placed on computers to identify and sometimes track people browsing the Internet, often for advertising purposes. GCHQ maintains a huge repository named MUTANT BROTH that stores billions of these intercepted cookies, which it uses to correlate with IP addresses to determine the identity of a person.
Hope you aren't sending cookies to an http site. Ever.