The Digital Arms Race: NSA Preps America for Future Battle

http://www.spiegel.de/international/world/new-snowden-docs-indicate-scope-of-nsa-preparations-for-cyber-battle-a-1013409.html

Normally, internship applicants need to have polished resumes, with volunteer work on social projects considered a plus. But at Politerain, the job posting calls for candidates with significantly different skill sets. We are, the ad says, “looking for interns who want to break things.”


Politerain is not a project associated with a conventional company. It is run by a US government intelligence organization, the National Security Agency (NSA). More precisely, it’s operated by the NSA’s digital snipers with Tailored Access Operations (TAO), the department responsible for breaking into computers.

Potential interns are also told that research into third party computers might include plans to “remotely degrade or destroy opponent computers, routers, servers and network enabled devices by attacking the hardware.” Using a program called Passionatepolka, for example, they may be asked to “remotely brick network cards.” With programs like Berserkr they would implant “persistent backdoors” and “parasitic drivers”. Using another piece of software called Barnfire, they would “erase the BIOS on a brand of servers that act as a backbone to many rival governments.”

An intern’s tasks might also include remotely destroying the functionality of hard drives. Ultimately, the goal of the internship program was “developing an attacker’s mindset.”

The internship listing is eight years old, but the attacker’s mindset has since become a kind of doctrine for the NSA’s data spies. And the intelligence service isn’t just trying to achieve mass surveillance of Internet communication, either. The digital spies of the Five Eyes alliance — comprised of the United States, Britain, Canada, Australia and New Zealand — want more.

The Birth of D Weapons

According to top secret documents from the archive of NSA whistleblower Edward Snowden seen exclusively by SPIEGEL, they are planning for wars of the future in which the Internet will play a critical role, with the aim of being able to use the net to paralyze computer networks and, by doing so, potentially all the infrastructure they control, including power and water supplies, factories, airports or the flow of money.

During the 20th century, scientists developed so-called ABC weapons — atomic, biological and chemical. It took decades before their deployment could be regulated and, at least partly, outlawed. New digital weapons have now been developed for the war on the Internet. But there are almost no international conventions or supervisory authorities for these D weapons, and the only law that applies is the survival of the fittest.

Canadian media theorist Marshall McLuhan foresaw these developments decades ago. In 1970, he wrote, “World War III is a guerrilla information war with no division between military and civilian participation.” That’s precisely the reality that spies are preparing for today.

The US Army, Navy, Marines and Air Force have already established their own cyber forces, but it is the NSA, also officially a military agency, that is taking the lead. It’s no coincidence that the director of the NSA also serves as the head of the US Cyber Command. The country’s leading data spy, Admiral Michael Rogers, is also its chief cyber warrior and his close to 40,000 employees are responsible for both digital spying and destructive network attacks.

Surveillance only ‘Phase 0’

From a military perspective, surveillance of the Internet is merely “Phase 0” in the US digital war strategy. Internal NSA documents indicate that it is the prerequisite for everything that follows. They show that the aim of the surveillance is to detect vulnerabilities in enemy systems. Once “stealthy implants” have been placed to infiltrate enemy systems, thus allowing “permanent accesses,” then Phase Three has been achieved — a phase headed by the word “dominate” in the documents. This enables them to “control/destroy critical systems & networks at will through pre-positioned accesses (laid in Phase 0).” Critical infrastructure is considered by the agency to be anything that is important in keeping a society running: energy, communications and transportation. The internal documents state that the ultimate goal is “real time controlled escalation”.

One NSA presentation proclaims that “the next major conflict will start in cyberspace.” To that end, the US government is currently undertaking a massive effort to digitally arm itself for network warfare. For the 2013 secret intelligence budget, the NSA projected it would need around $1 billion in order to increase the strength of its computer network attack operations. The budget included an increase of some $32 million for “unconventional solutions” alone.

In recent years, malware has emerged that experts have attributed to the NSA and its Five Eyes alliance based on a number of indicators. They include programs like Stuxnet, used to attack the Iranian nuclear program. Or Regin, a powerful spyware trojan that created a furor in Germany after it infected the USB stick of a high-ranking staffer to Chancellor Angela Merkel. Agents also used Regin in attacks against the European Commission, the EU’s executive, and Belgian telecoms company Belgacom in 2011.

Given that spies can routinely break through just about any security software, virtually all Internet users are at risk of a data attack.

The new documents shed some new light on other revelations as well. Although an attack called Quantuminsert has been widely reported by SPIEGEL and others, documentation shows that in reality it has a low success rate and it has likely been replaced by more reliable attacks such as Quantumdirk, which injects malicious content into chat services provided by websites such as Facebook and Yahoo. And computers infected with Straitbizarre can be turned into disposable and non-attributable “shooter” nodes. These nodes can then receive messages from the NSA’s Quantum network, which is used for “command and control for very large scale active exploitation and attack.” The secret agents were also able to breach mobile phones by exploiting a vulnerability in the Safari browser in order to obtain sensitive data and remotely implant malicious code.

In this guerrilla war over data, little differentiation is made between soldiers and civilians, the Snowden documents show. Any Internet user could suffer damage to his or her data or computer. It also has the potential to create perils in the offline world. If, for example, a D weapon like Barnfire were to destroy or “brick” the control center of a hospital as a result of a programming error, people who don’t even own a mobile phone could be affected.

Intelligence agencies have adopted “plausible deniability” as their guiding principle for Internet operations. To ensure their ability to do so, they seek to make it impossible to trace the author of the attack.

It’s a stunning approach with which the digital spies deliberately undermine the very foundations of the rule of law around the globe. This approach threatens to transform the Internet into a lawless zone in which superpowers and their secret services operate according to their own whims with very few ways to hold them accountable for their actions.

Attribution is difficult and requires considerable forensic effort. But in the new documents there are at least a few pointers. Querty, for example, is a keylogger that was part of the Snowden archive. It’s a piece of software designed to surreptitiously intercept all keyboard keys pressed by the victim and record them for later inspection. It is an ordinary, indeed rather dated, keylogger. Similar software can already be found in numerous applications, so it doesn’t seem to pose any acute danger — but the source code contained in it does reveal some interesting details. They suggest that this keylogger might be part of the large arsenal of modules that belong to the Warriorpride program, a kind of universal Esperanto software used by all the Five Eyes partner agencies that at times was even able to break into iPhones, among other capabilities. The documents published by SPIEGEL include sample code from the keylogger to foster further research and enable the creation of appropriate defenses.

‘Just a Bunch of Hackers’

The men and women working for the Remote Operations Center (ROC), which uses the codename S321, at the agency’s headquarters in Fort Meade, Maryland, work on one of the NSA’s most crucial teams, the unit responsible for covert operations. S321 employees are located on the third floor of one of the main buildings on the NSA’s campus. In one report from the Snowden archive, an NSA man reminisces about how, when they got started, the ROC people were “just a bunch of hackers.” Initially, people worked “in a more ad hoc manner,” the report states. Nowadays, however, procedures are “more systematic”. Even before NSA management massively expanded the ROC group during the summer of 2005, the department’s motto was, “Your data is our data, your equipment is our equipment.”

The agents sit in front of their monitors, working in shifts around the clock. Just how close the NSA has already gotten to its aim of “global network dominance” is illustrated particularly well by the work of department S31177, codenamed Transgression.

The department’s task is to trace foreign cyber attacks, observe and analyze them and, in the best case scenario, to siphon off the insights of competing intelligence agencies. This form of “Cyber Counter Intelligence” counts among the most delicate forms of modern spying.

In addition to providing a view of the US’s own ability to conduct digital attacks, Snowden’s archive also reveals the capabilities of other countries. The Transgression team has access to years of preliminary field work and experience at its disposal, including databases in which malware and network attacks from other countries are cataloged.

The Snowden documents show that the NSA and its Five Eyes partners have put numerous network attacks waged by other countries to their own use in recent years. One 2009 document states that the department’s remit is to “discover, understand (and) evaluate” foreign attacks. Another document reads: “Steal their tools, tradecraft, targets and take.”


In 2009, an NSA unit took notice of a data breach affecting workers at the US Department of Defense. The department traced an IP address in Asia that functioned as the command center for the attack. By the end of their detective work, the Americans succeeded not only in tracing the attack’s point of origin to China, but also in tapping intelligence information from other Chinese attacks — including data that had been stolen from the United Nations. Afterwards, NSA workers in Fort Meade continued to read over their shoulders as the Chinese secretly collected further internal UN data. “NSA is able to tap into Chinese SIGINT collection,” a report on the success in 2011 stated. SIGINT is short for signals intelligence.

The practice of letting other intelligence services do the dirty work and then tapping their results is so successful that the NSA even has a name for it: “Fourth Party Collection.” And all countries that aren’t part of the Five Eyes alliance are considered potential targets for use of this “non-traditional” technique — even Germany.

‘Difficult To Track, Difficult To Target’

The Snowden documents show that, thanks to fourth party collection, the NSA succeeded in detecting numerous incidents of data spying over the past 10 years, with many attacks originating from China and Russia. It also enabled the Tailored Access Operations (TAO) to track down the IP address of the control server used by China and, from there, to detect the people responsible inside the People’s Liberation Army. It wasn’t easy, the NSA spies noted. The Chinese had apparently used changing IP addresses, making them “difficult to track; difficult to target.” In the end, though, the document states, they succeeded in exploiting a central router.

The document suggests that things got more challenging when the NSA sought to turn the tables and go after the attacker. Only after extensive “wading through uninteresting data” did they finally succeed in infiltrating the computer of a high-ranking Chinese military official and accessing information regarding targets in the US government and in other governments around the world. They were also able to access source code for Chinese malware.

But there have also been successful Chinese operations. The Snowden documents include an internal NSA assessment from a few years ago of the damage caused. The report indicates that the US Defense Department alone registered more than 30,000 known incidents; more than 1,600 computers connected to its network had been hacked. Surprisingly high costs are listed for damage assessment and network repair: more than $100 million.

Among the data on “sensitive military technologies” hit in the attack were air refueling schedules, the military logistics planning system, missile navigation systems belonging to the Navy, information about nuclear submarines, missile defense and other top secret defense projects.

The desire to know everything isn’t, of course, an affliction only suffered by the Chinese, Americans, Russians and British. Years ago, US agents discovered a hacking operation originating in Iran in a monitoring operation that was codenamed Voyeur. A different wave of attacks, known as Snowglobe, appears to have originated in France.

Transforming Defenses into Attacks

The search for foreign cyber attacks has long since been largely automated by the NSA and its Five Eyes partners. The Tutelage system can identify incursions and ensure that they do not reach their targets.

The examples given in the Snowden documents are not limited to attacks originating in China. The relatively primitive Low Orbit Ion Cannon (LOIC) is also mentioned. The name refers to malware used by the protest movement Anonymous to disable target websites. In that instance, one document notes, Tutelage was able to recognize and block the IP addresses being used to conduct the denial of service attack.

The NSA is also able to transform its defenses into an attack of its own. The method is described as “reverse engineer, repurpose software” and involves botnets, sometimes comprising millions of computers belonging to normal users onto which software has been covertly installed. They can thus be controlled remotely as part of a “zombie army” to paralyze companies or to extort them. If the infected hosts appear to be within the United States, the relevant information will be forwarded to the FBI Office of Victim Assistance. However, a host infected with an exploitable bot could be hijacked through a Quantumbot attack and redirected to the NSA. This program is identified in NSA documents as Defiantwarrior and it is said to provide advantages such as “pervasive network analysis vantage points” and “throw-away non-attributable CNA (eds: computer network attack) nodes”. This system leaves people’s computers vulnerable and covertly uses them for network operations that might be traced back to an innocent victim. Instead of providing protection to private Internet users, Quantumbot uses them as human shields in order to disguise its own attacks.

NSA specialists at the Remote Operations Center (ROC) have an entire palette of digital skeleton keys and crowbars enabling access to even the best protected computer networks. They give their tools aggressive-sounding names, as though they were operating an app-store for cyber criminals: The implant tool “Hammerchant” allows the recording of Internet-based phone calls (VoIP). Foxacid allows agents to continually add functions to small malware programs even after they have been installed in target computers. The project’s logo is a fox that screams as it is dissolved in acid. The NSA has declined to comment on operational details but insists that it has not violated the law.

But as well developed as the weapons of digital war may be, there is a paradox lurking when it comes to breaking into and spying on third party networks: How can intelligence services be sure that they won’t become victims of their own methods and be infiltrated by private hackers, criminals or other intelligence services, for example?

To control their malware, the Remote Operation Center operatives remain connected to them via their own shadow network, through which highly sensitive telephone recordings, malware programs and passwords travel.

The incentive to break into this network is enormous. Any collection of VPN keys, passwords and backdoors is obviously of very high value. Those who possess such passwords and keys could theoretically pillage bank accounts, thwart military deployments, clone fighter jets and shut down power plants. It means nothing less than “global network dominance”.

But the intelligence world is a schizophrenic one. The NSA’s job is to defend the Internet while at the same time exploiting its security holes. It is both cop and robber, consistent with the motto adhered to by spies everywhere: “Reveal their secrets, protect our own.”

As a result, some hacked servers are like a bus during rush hour, with people constantly coming and going. The difference, though, is that the server’s owner has no idea anyone is there. And the presumed authorities stand aside and do nothing.

‘Unwitting Data Mules’

It’s absurd: As they are busy spying, the spies are spied on by other spies. In response, they routinely seek to cover their tracks or to lay fake ones instead. In technical terms, the ROC lays false tracks as follows: After third-party computers are infiltrated, the process of exfiltration can begin — the act of exporting the data that has been gleaned. But the loot isn’t delivered directly to the ROC’s IP address. Rather, it is routed to a so-called Scapegoat Target. That means that stolen information could end up on someone else’s servers, making it look as though they were the perpetrators.

Before the data ends up at the Scapegoat Target, of course, the NSA intercepts and copies it using its mass surveillance infrastructure and sends it on to the ROC. But such cover-up tactics increase the risk of a controlled or uncontrolled escalation between the agencies involved.

It’s not just computers, of course, that can be systematically broken into, spied on or misused as part of a botnet. Mobile phones can also be used to steal information from the owner’s employer. The unwitting victim, whose phone has been infected with a spy program, smuggles the information out of the office. The information is then retrieved remotely as the victim heads home after work. Digital spies have even adopted drug-dealer slang in referring to these unsuspecting accomplices. They are called “unwitting data mules.”

NSA agents aren’t concerned about being caught. That’s partly because they work for such a powerful agency, but also because they don’t leave behind any evidence that would hold up in court. And if there is no evidence of wrongdoing, there can be no legal penalty, no parliamentary control of intelligence agencies and no international agreement. Thus far, very little is known about the risks and side-effects inherent in these new D weapons and there is almost no government regulation.

Edward Snowden has revealed how intelligence agencies around the world, led by the NSA, are doing their best to ensure a legal vacuum in the Internet. In a recent interview with the US public broadcaster PBS, the whistleblower voiced his concerns that “defense is becoming less of a priority than offense.”

Snowden finds that concerning. “What we need to do,” he said, “is we need to create new international standards of behavior.”

By Jacob Appelbaum, Aaron Gibson, Claudio Guarnieri, Andy Müller-Maguhn, Laura Poitras, Marcel Rosenbach, Leif Ryge, Hilmar Schmundt and Michael Sontheimer

Operation Socialist: The Inside Story of How British Spies Hacked Belgium’s Largest Telco

https://firstlook.org/theintercept/2014/12/13/belgacom-hack-gchq-inside-story

When the incoming emails stopped arriving, it seemed innocuous at first. But it would eventually become clear that this was no routine technical problem. Inside a row of gray office buildings in Brussels, a major hacking attack was in progress. And the perpetrators were British government spies.

It was in the summer of 2012 that the anomalies were initially detected by employees at Belgium’s largest telecommunications provider, Belgacom. But it wasn’t until a year later, in June 2013, that the company’s security experts were able to figure out what was going on. The computer systems of Belgacom had been infected with highly sophisticated malware, which was disguising itself as legitimate Microsoft software while quietly stealing data.

Last year, documents from National Security Agency whistleblower Edward Snowden confirmed that British surveillance agency Government Communications Headquarters was behind the attack, codenamed Operation Socialist. And in November, The Intercept revealed that the malware found on Belgacom’s systems was one of the most advanced spy tools ever identified by security researchers, who named it “Regin.”

The full story about GCHQ’s infiltration of Belgacom, however, has never been told. Key details about the attack have remained shrouded in mystery—and the scope of the attack unclear.

Now, in partnership with Dutch and Belgian newspapers NRC Handelsblad and De Standaard, The Intercept has pieced together the first full reconstruction of events that took place before, during, and after the secret GCHQ hacking operation.

Based on new documents from the Snowden archive and interviews with sources familiar with the malware investigation at Belgacom, The Intercept and its partners have established that the attack on Belgacom was more aggressive and far-reaching than previously thought. It occurred in stages between 2010 and 2011, each time penetrating deeper into Belgacom’s systems, eventually compromising the very core of the company’s networks.


Snowden told The Intercept that the latest revelations amounted to unprecedented “smoking-gun attribution for a governmental cyber attack against critical infrastructure.”

The Belgacom hack, he said, is the “first documented example to show one EU member state mounting a cyber attack on another…a breathtaking example of the scale of the state-sponsored hacking problem.”

Publicly, Belgacom has played down the extent of the compromise, insisting that only its internal systems were breached and that customers’ data was never found to have been at risk. But secret GCHQ documents show the agency gained access far beyond Belgacom’s internal employee computers and was able to grab encrypted and unencrypted streams of private communications handled by the company.

Belgacom invested several million dollars in its efforts to clean up its systems and beef up its security after the attack. However, The Intercept has learned that sources familiar with the malware investigation at the company are uncomfortable with how the clean-up operation was handled—and they believe parts of the GCHQ malware were never fully removed.

The revelations about the scope of the hacking operation will likely alarm Belgacom’s customers across the world. The company operates a large number of data links internationally (see interactive map below), and it serves millions of people across Europe as well as officials from top institutions including the European Commission, the European Parliament, and the European Council. The new details will also be closely scrutinized by a federal prosecutor in Belgium, who is currently carrying out a criminal investigation into the attack on the company.

Sophia in ’t Veld, a Dutch politician who chaired the European Parliament’s recent inquiry into mass surveillance exposed by Snowden, told The Intercept that she believes the British government should face sanctions if the latest disclosures are proven.

“Compensating Belgacom should be the very least it should do,” in ’t Veld said. “But I am more concerned about accountability for breaking the law, violating fundamental rights, and eroding our democratic systems.”

Other similarly sophisticated state-sponsored malware attacks believed to have been perpetrated by Western countries have involved Stuxnet, a bug used to sabotage Iranian nuclear systems, and Flame, a spy malware that was found collecting data from systems predominantly in the Middle East.

What sets the secret British infiltration of Belgacom apart is that it was perpetrated against a close ally—and is backed up by a series of top-secret documents, which The Intercept is now publishing.

GCHQ declined to comment for this story, and insisted that its actions are “necessary, legal, and proportionate.”


The beginning

The origins of the attack on Belgacom can be traced back to 2009, when GCHQ began developing new techniques to hack into telecommunications networks. The methods were discussed and developed during a series of top-secret “signals development” conferences, held annually by countries in the so-called “Five Eyes” surveillance alliance: the United States, the United Kingdom, Australia, New Zealand, and Canada.

Between 2009 and 2011, GCHQ worked with its allies to develop sophisticated new tools and technologies it could use to scan global networks for weaknesses and then penetrate them. According to top-secret GCHQ documents, the agency wanted to adopt the aggressive new methods in part to counter the use of privacy-protecting encryption—what it described as the “encryption problem.”

When communications are sent across networks in encrypted format, it makes it much harder for the spies to intercept and make sense of emails, phone calls, text messages, internet chats, and browsing sessions. For GCHQ, there was a simple solution. The agency decided that, where possible, it would find ways to hack into communication networks to grab traffic before it’s encrypted.

The British spies identified Belgacom as a top target to be infiltrated. The company, along with its subsidiary Belgacom International Carrier Services, plays an important role in Europe, and has partnerships with hundreds of telecommunications companies across the world—in Africa, Asia, Europe, the Middle East, and the United States. The Belgacom subsidiary maintains one of the world’s largest “roaming” hubs, which means that when foreign visitors traveling through Europe on vacation or a business trip use their cellphones, many of them connect to Belgacom’s international carrier networks.

The Snowden documents show that GCHQ wanted to gain access to Belgacom so that it could spy on phones used by surveillance targets travelling in Europe. But the agency also had an ulterior motive. Once it had hacked into Belgacom’s systems, GCHQ planned to break into data links connecting Belgacom and its international partners, monitoring communications transmitted between Europe and the rest of the world. A map in the GCHQ documents, named “Belgacom_connections,” highlights the company’s reach across Europe, the Middle East, and North Africa, illustrating why British spies deemed it of such high value.

Attack planning

Before GCHQ launched its attack on Belgacom’s systems, the spy agency conducted in-depth reconnaissance, using its powerful surveillance systems to covertly map out the company’s network and identify key employees “in areas related to maintenance and security.”

GCHQ documents show that it maintains special databases for this purpose, storing details about computers used by engineers and system administrators who work in the nerve center, or “network operations center,” of computer networks worldwide. Engineers and system administrators are particularly interesting to the spies because they manage networks—and hold the keys that can be used to unlock large troves of private data.

GCHQ developed a system called NOCTURNAL SURGE to search for particular engineers and system administrators by finding their IP addresses, unique identifiers that are allocated to computers when they connect to the internet. In early 2011, the documents show, GCHQ refined the NOCTURNAL SURGE system with the help of its Canadian counterparts, who had developed a similar tool, named PENTAHO.

GCHQ narrowed down IP addresses it believed were linked to the Belgacom engineers by using data its surveillance systems had collected about internet activity, before moving into what would be the final stages prior to launching its attack. The documents show that the agency used a tool named HACIENDA to scan for vulnerable potential access points in Belgacom’s networks; it then went hunting for particular engineers or administrators that it could infect with malware.


The infection

The British spies, part of a special unit named the Network Analysis Center, began trawling through their vast repositories of intercepted Internet data for more details about the individuals they had identified as suspected Belgacom engineers.

The spies used the IP addresses they had associated with the engineers as search terms to sift through their surveillance troves, and were quickly able to find what they needed to confirm the employees’ identities and target them individually with malware.

The confirmation came in the form of Google, Yahoo, and LinkedIn “cookies,” tiny unique files that are automatically placed on computers to identify and sometimes track people browsing the Internet, often for advertising purposes. GCHQ maintains a huge repository named MUTANT BROTH that stores billions of these intercepted cookies, which it uses to correlate with IP addresses to determine the identity of a person. GCHQ refers to cookies internally as “target detection identifiers.”

Top-secret GCHQ documents name three male Belgacom engineers who were identified as targets to attack. The Intercept has confirmed the identities of the men, and contacted each of them prior to the publication of this story; all three declined comment and requested that their identities not be disclosed.

GCHQ monitored the browsing habits of the engineers, and geared up to enter the most important and sensitive phase of the secret operation. The agency planned to perform a so-called “Quantum Insert” attack, which involves redirecting people targeted for surveillance to a malicious website that infects their computers with malware at a lightning pace. In this case, the documents indicate that GCHQ set up a malicious page that looked like LinkedIn to trick the Belgacom engineers. (The NSA also uses Quantum Inserts to target people, as The Intercept has previously reported.)

A GCHQ document reviewing operations conducted between January and March 2011 noted that the hack on Belgacom was successful, and stated that the agency had obtained access to the company’s systems as planned. By installing the malware on the engineers’ computers, the spies had gained control of their machines, and were able to exploit the broad access the engineers had into the networks for surveillance purposes.

The document stated that the hacking attack against Belgacom had penetrated “both deep into the network and at the edge of the network,” adding that ongoing work would help “further this new access.”

By December 2011, as part of a second “surge” against Belgacom, GCHQ identified other cellphone operators connecting to the company’s network as part of international roaming partnerships, and successfully hacked into data links carrying information over a protocol known as GPRS, which handles cellphone internet browsing sessions and multimedia messages.

The spy agency was able to obtain data that was being sent between Belgacom and other operators through encrypted tunnels known as “virtual private networks.” GCHQ boasted that its work to conduct “exploitation” against these private networks had been highly productive, noting “the huge extent of opportunity that this work has identified.” Another document, dated from late 2011, added: “Network Analysis on BELGACOM hugely successful enabling exploitation.”

GCHQ had accomplished its objective. The agency had severely compromised Belgacom’s systems and could intercept encrypted and unencrypted private data passing through its networks. The hack would remain undetected for two years, until the spring of 2013.


The discovery

In the summer of 2012, system administrators detected errors within Belgacom’s systems. At the company’s offices on Lebeau Street in Brussels, a short walk from the European Parliament’s Belgian offices, employees of Belgacom’s BICS subsidiary complained about problems receiving emails. The email server had malfunctioned, but Belgacom’s technical team couldn’t work out why.

The glitch was left unresolved until June 2013, when there was a sudden flare-up. After a Windows software update was sent to Belgacom’s email exchange server, the problems returned, worse than before. The administrators contacted Microsoft for help, questioning whether the new Windows update could be the reason for the fault. But Microsoft, too, struggled to identify exactly what was going wrong. There was still no solution to be found. (Microsoft declined to comment for this story.)

Belgacom’s internal security team began to suspect that the systems had been infected with some sort of virus, and the company decided it was time to call in outside experts. It hired Dutch computer security firm Fox-IT to come and scan the systems for anything suspicious.

Before long, Fox-IT discovered strange files on Belgacom’s email server that appeared to be disguised as legitimate Microsoft software. The suspicious files had been enabling a highly sophisticated hacker to circumvent automatic Microsoft software updates of Belgacom’s systems in order to continue infiltrating the company’s systems.

About a month after Belgacom had identified the malicious software, or malware, it informed Belgian police and the country’s specialist federal computer crime unit, according to sources familiar with the incident. Belgian military intelligence was also called in to investigate the hack, together with Fox-IT.

The experts from Fox-IT and military intelligence worked to dissect the malware on Belgacom’s systems, and were shocked by what they found. In interviews with The Intercept and its reporting partners, sources familiar with the investigation described the malware as the most advanced they had ever seen, and said that if the email exchange server had not malfunctioned in the first place, the spy bug would likely have remained inside Belgacom for several more years.

A deep breach

While working to assess the extent of the infection at Belgacom, the team of investigators realized that the damage was far more extensive than they first thought. The malware had not only compromised Belgacom’s email servers, it had infected more than 120 computer systems operated by the company, including up to 70 personal computers.

The most serious discovery was that the large routers that form the very core of Belgacom’s international carrier networks, made by the American company Cisco, were also found to have been compromised and infected. The routers are one of the most closely guarded parts of the company’s infrastructure, because they handle large flows of sensitive private communications transiting through its networks.

Earlier Snowden leaks have shown how the NSA can compromise routers, such as those operated by Cisco; the agency can remotely hack them, or physically intercept and bug them before they are installed at a company. In the Belgacom case, it is not clear exactly which method was used by GCHQ—or whether there was any direct NSA assistance. (The NSA declined to comment for this story.)

Either way, the malware investigators at Belgacom never got a chance to study the routers. After the infection of the Cisco routers was found, the company issued an order that no one could tamper with them. Belgacom bosses insisted that only employees from Cisco could handle the routers, which caused unease among some of the investigators.

“You could ask many security companies to investigate those routers,” one of the investigators told The Intercept. By bringing in Cisco employees to do the investigation, “you can’t perform an independent inspection,” said the source, who spoke on condition of anonymity because he was not authorized to speak to the media.

A spokesman for Cisco declined to comment on the Belgacom investigation, citing company policy. “Cisco does not comment publicly on customer relationships or specific customer incidents,” the spokesman said.

Shortly after the malware was found on the routers, Fox-IT was told by Belgacom to stop its investigation. Researchers from the Dutch security company were asked to write-up a report about their findings as soon as possible. Under the conditions of a non-disclosure agreement, they could not speak about what they had found, nor could they publicly warn against the malware. Moreover, they were not allowed to remove the malware.

Between late August and mid-Sept. 2013, there was an intense period of activity surrounding Belgacom.

On August 30, some parts of the malware were remotely deleted from the company’s infected systems—apparently after the British spies realized that it had been detected. But the malware was not completely removed, according to sources familiar with the investigation.

Two weeks later, on Sept. 14, employees from Belgacom, investigators, police and military intelligence services began an intensive attempt to completely purge the spy bug from the systems.

During this operation, journalists were tipped off for the first time about the malware investigation. The Intercept’s Dutch and Belgian partners NRC Handelsblad and De Standaard reported the news, disclosing that sources familiar with the investigation suspected NSA or GCHQ may have been responsible for the attack.

The same day the story broke, on Sept. 16, Belgacom issued a press release. “At this stage there is no indication of any impact on the customers or their data,” it said. “At no point in time has the delivery of our telecommunication services been compromised.”

Then, on Sept. 20, German news magazine Der Spiegel published documents from Snowden revealing that British spies were behind the hack, providing the first confirmation of the attacker’s identity.


Significant resources

In the aftermath of the revelations, Belgacom refused to comment on GCHQ’s role as the architect of the intrusion. Top officials from the company were called to appear before a European Parliamentary committee investigating the extent of mass surveillance revealed by Snowden.

The Belgacom bosses told the committee that there were no problems with Belgacom’s systems after a “meticulous” clean-up operation, and again claimed that private communications were not compromised. They dismissed media reports about the attack, and declined to discuss anything about the perpetrator, saying only that “the hackers [responsible] have considerable resources behind them.”

People with knowledge of the malware investigation watched Belgacom’s public statements with interest. And some of them have questioned the company’s version of events.

“There was only a partial clean-up,” said one source familiar with the malware investigation. “I believe it is still there. It is very hard to remove and, from what I’ve seen, Belgacom never did a serious attempt to remove it.”

Belgacom declined to comment for this story, citing the ongoing criminal investigation in Belgium.

Last month, The Intercept confirmed Regin as the malware found on Belgacom’s systems during the clean-up operation.

The spy bug was described by security researchers as one of the most sophisticated pieces of malware ever discovered, and was found to have been targeting a host of telecommunications networks, governments, and research organizations, in countries such as Germany, Iran, Brazil, Russia, and Syria, as well as Belgium.

GCHQ has refused to comment on Regin, as has the NSA, and Belgacom. But Snowden documents contain strong evidence, which has not been reported before, that directly links British spies to the malware.

Aside from showing extensive details about how the British spies infiltrated the company and planted malware to successfully steal data, GCHQ documents in the Snowden archive contain codenames that also appear in samples of the Regin malware found on Belgacom’s systems, such as “Legspin” and “Hopscotch.”

One GCHQ document about the use of hacking methods references the use of “Legspin” to exploit computers. Another document describes “Hopscotch” as part of a system GCHQ uses to analyze data collected through surveillance.

Ronald Prins, director of the computer security company Fox-IT, has studied the malware, and played a key role in the analysis of Belgacom’s infected networks.

“Documents from Snowden and what I’ve seen from the malware can only lead to one conclusion,” Prins told The Intercept. “This was used by GCHQ.”

Morse Encryption in a Song

Source: http://www.theverge.com/2015/1/7/7483235/the-code-colombian-army-morsecode-hostages

THE CODE: A declassified and unbelievable hostage rescue story

How the Colombian army sent a hidden message to hostages… using a pop song

By Jeff Maysh

Colonel Jose Espejo was a man with a problem. As the Colombian army’s communications expert watched the grainy video again, he saw kidnapped soldiers chained up inside barbed-wire pens in a hostage camp deep in the jungle, guarded by armed FARC guerillas. Some had been hostages for more than 10 years, and many suffered from a grim, flesh-eating disease caused by insect bites.

It was 2010, and the straight-talking Espejo was close to retirement after 22 years of military service. But he couldn’t stand the thought of quitting with men left behind enemy lines. He needed an idea, and when he needed an idea, he always went to one man.

Juan Carlos Ortiz was dunking his kids in the pool at his home in Coconut Grove, Miami, when he got the call from Colonel Espejo. With his easy charm and seemingly natural talent for creating clever commercials, the 42-year-old advertising executive had earned himself a Don Draper-like reputation in Colombia.

The ambitious Ortiz had shot to fame at the Colombian office of Leo Burnett — the legendary ad agency behind Tony the Tiger — where he created an anti-drug TV spot for the Colombian President’s Office. The ad showed an addict on a bus mistaking a fellow passenger’s dandruff for cocaine and snorting it up his nose. It made Ortiz the first Colombian to win a gold Lion at Cannes, the advertising industry’s Oscars. He returned to Bogotá a national hero and received a commendation from the nation’s first lady.

The success of his ad also brought threats from FARC guerillas, who relied, in part, on the cocaine market to fund their decades-old campaign against the government. “I had gone against their objectives with my anti-cocaine commercial,” he remembers. “They offered me the opportunity of paying them in exchange for my life.”

Deeply concerned by threatening letters and phone calls, Ortiz bought a bulletproof car for his family, and even assisted police in a sting operation to catch his blackmailers. But the threats persisted, and fearing for his safety, his employer urgently transferred Ortiz to its New York office. He took his family with him. A high-profile move to rival ad agency DDB in Miami followed, but Ortiz could never forget his enmity toward the FARC. He became the go-to guy for the Colombian army’s more bizarre requests in their battle against the guerillas.

On the telephone, Colonel Espejo explained that he urgently needed to get a message to the captured Colombian soldiers: help was coming. Daring commando missions were taking place throughout the region, including Operation Chameleon — a six-month operation that involved 300 government soldiers and secret raids. Because the FARC shoots hostages dead at the first sight of a military invasion, Espejo had to convey to the captives to be ready to escape.

How do you reach soldiers held under 24-hour armed guard in deeply rural territory? Juan Carlos Ortiz’s mind raced between ideas: Sky-writing? Aid parcels containing secret messages?

Ortiz had designed unorthodox campaigns to battle the FARC before. In 2008, he dreamed up an operation to persuade pregnant female guerrillas to defect: the army air-dropped 7 million pacifiers into the jungle with a message encouraging rebels to return to civilization. The operation involved seven helicopters, three airplanes, 960 flight hours, 17,800 gallons of fuel, and 72 soldiers flying twice a week for four months. During the holidays, the army illuminated giant Christmas trees across the jungle to remind guerrillas what they were missing. They also wrote messages promoting peace on soccer balls and floated them down the river toward the rebel encampments.

But this operation would be far more challenging. They had to create a message that could be understood by the hostages, but remain invisible to their captors. They needed to give the hostages hope, and encourage any soldiers harboring plans of escape that now was the time. Ortiz agreed to participate, and boarded the next plane to Bogotá.

The Revolutionary Armed Forces of Colombia, or FARC, emerged in the 1960s as a group of armed Communist peasants opposing the government and demanding labor reforms. This followed a period in Colombian history known as “La Violencia,” when fighting between the Liberal and Conservative parties resulted in 300,000 deaths. Driven deep into the jungle by a 1964 military bombing campaign, the FARC built up their strength and numbers. By 2010 the FARC had an estimated 8,000 to 10,000 members, according to the International Crisis Group.

By the time that the FARC and the Colombian government announced a ceasefire at the end of last year, their civil war had become one of the longest-running and bloodiest in the world. The FARC, Latin America’s oldest surviving left-wing insurgency, has been labeled a terrorist group by the US State Department and has a long history of kidnapping to help finance its operations. In the past decade, 6,880 people have been snatched in Colombia and held for ransom — some for as long as 18 years. Five hundred of the hostages are either involved with the military or politics. While the FARC prefer to kidnap Americans for money, prominent Colombian prisoners can be valuable political leverage.

Hostages’ accounts of their time in captivity are harrowing: Sgt. Jose Libardo Forero was one of Colombia’s “forgotten” hostages, held by the FARC for nearly 13 years. After his release, Forero spoke of relieving his mental anguish by bonding with jungle animals and one pet pig he called Josefo, whom he got hooked on coffee. Colombian politician Ingrid Betancourt, held for six years, recalled being chained to a tree by her neck.

Ortiz arrived at the Bogotá headquarters of the DDB advertising agency. The modern building features floor-to-ceiling windows that boast panoramic views of the traffic-choked Colombian capital, but keep out the symphony of car horns playing below. That day he was joined by his team of creative minds: Rodrigo Bolivar, Alfonso Diaz, Mario León, and Luis Castilla, the leading lights of Colombia’s advertising industry. Together with Colonel Espejo, they brainstormed ways to get a message to the hostages.

Sending messages directly to hostages is often impossible and not found in the guidebook of any law enforcement or military agency, says Christopher Voss, the FBI’s lead international kidnapping negotiator from 2003 to 2007. Now the owner of the negotiation firm Black Swan Group, Voss says: “When you send a message to a hostage, you have to assume the hostage takers are seeing it too.”

Gary Noesher is a former Chief Negotiator for the FBI who spent 23 years rescuing hostages and has dealt directly with the FARC. He says that sending sensitive messages meant solely for hostages is “incredibly risky.” Colonel Espejo’s case reminds him of a siege at the Japanese ambassador’s mansion in Lima, Peru, in December 1996. Noesher was on the team tasked with saving 72 hostages. “Secret messages were transmitted through the garbage. We received word that terrorists played indoor soccer in the living room, and a bomb was placed underneath the room and detonated,” Noesher says. “That is the only time I can remember covert messages sent to hostages.” Noesher won’t say exactly how the messages were sent, but adds: “Food and water were going into the embassy. All I can say is… messages were transmitted.” All of the militants were killed, along with two commandos and one hostage.

Col. Espejo ran the brainstorming session with the efficiency of a military operation. He explained that FARC guerrillas usually allow hostages access to radios; it relieves the tedium of long hikes through the Colombian jungle and keeps their minds from escape.

Communicating with hostages via radio is a years-old practice in Colombia. The show “Voices of Kidnapping” on Bogota’s Caracol Radio is dedicated to victims’ families who send messages to their loved ones via special call-ins. Creator Herbin Hoyos Medina came up with the idea in 1994, after he was kidnapped for 17 days. He now broadcasts the show from Madrid, giving families 30-second slots to send messages.

Ortiz considered hiding a message in a radio commercial, perhaps hidden in the fine print spoken quickly at the end. Then Diaz, the creative director, suggested using code. What about código Morse, he said — Morse code.

Jeremiah Andrew Denton Jr. blinking T-O-R-T-U-R-E in Morse code

It wouldn’t be the first time Morse code was used in a hostage situation; in 1977, one of 52 hostages held captive by South-Moluccan gunmen on a Dutch train managed to transmit the message “get us out of here,” using sunlight and a hand mirror. Then there was Jeremiah Andrew Denton Jr., a United States Navy rear admiral who spent almost eight years as a prisoner of war in Vietnam, four of those in solitary confinement. In a forced North Vietnamese television interview in 1966, Denton ingeniously used Morse code to communicate with American Intelligence by blinking his eyes to spell out “T-O-R-T-U-R-E”.

“It was a eureka moment! We thought about hiding the Morse code in an advert,” says Ortiz. “Then we thought, how about a song?” As a young man, Ortiz was a musician, but his career never took off. The idea of producing a hit song appealed to him.

Ortiz pitched the Colonel a plan as if he were pitching a commercial to Heinz or Coca-Cola. The Colonel stroked his chin. Espejo liked the code idea, because he knew that many soldiers — especially in the communications departments — were taught Morse code in their basic training. Furthermore, Espejo reasoned, “The FARC were peasants from the fields, they wouldn’t know [Morse].” It was a longshot, but if the team could disguise the telltale dot-dot-dash signals in a song, there was a chance the soldiers would hear the message.

Radio Bemba is a small recording studio with six electric guitars on the wall where musicians write catchy commercial jingles. If the DDB agency is in Bogotá’s “Manhattan,” Radio Bemba is in the city’s “Brooklyn,” sharing its front door with an architecture company in a 50-year-old building on an edgy street. Word quickly got around the studio that the military wanted to produce a song so popular it would enter the “Lista 40” — Colombia’s Billboard charts. Producer Carlos Portela, 34, thought they were nuts.

“But they were deadly serious, and explained it was a secret project,” says Portela, who wears an eyebrow ring and produces music for beer commercials. “Obviously we had never worked with Morse code before. But they were very specific about what they wanted. They needed to know if we could hide their message in a song, so that nobody would detect it unless they knew Morse code.”

The team began experimenting with Morse code using various percussion instruments and a keyboard. They learned that operators skilled in Morse code can often read the signals at a rate of 40 words per minute — but played that fast, the beat would sound like a European Dance track. “We discovered the magic number was 20,” says Portela. “You can fit approximately 20 Morse code words into a piece of music the length of a chorus, and it sounds okay.”

With the help of a military policeman skilled in Morse, they coded the message: “19 people rescued. You are next. Don’t lose hope.” It was a signal to boost morale and indicate that help was nearby. Portela wrote the song and the lyrics with composer Amaury Hernandez, creating a thinly-veiled ballad about life as a hostage: “In the middle of the night / Thinking about what I love the most / I feel the need to sing… About how much I miss them.” He even added the lyric, “Listen to this message, brother,” just before the coded message kicks in. The code sounds like a brief synth interlude just after the chorus.

Portela says they played with the Morse code using Reason software, which gives each audio channel or instrument its own dedicated track. With a separate visual lane for certain elements, it was possible to match the code to the beat of the song — and, crucially, blend it in.
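To make the timing constraint in the passages above concrete, here is an added example (not code from the article or from the studio) that encodes the quoted message into Morse and computes how long it occupies at a given words-per-minute rate. It assumes the standard “PARIS” timing convention (a dit is one unit, a dah three, letters are separated by three units, words by seven, so one unit is 1200 / wpm milliseconds); the message text is the one quoted in the article, and the `timeline` output is the on/off schedule a producer would need to align the code to a track the way the article describes.

```python
# Added example: Morse encoding plus PARIS-convention timing.
# Not from the article; the message is the one it quotes.

MORSE = {
    "A": ".-", "B": "-...", "C": "-.-.", "D": "-..", "E": ".", "F": "..-.",
    "G": "--.", "H": "....", "I": "..", "J": ".---", "K": "-.-", "L": ".-..",
    "M": "--", "N": "-.", "O": "---", "P": ".--.", "Q": "--.-", "R": ".-.",
    "S": "...", "T": "-", "U": "..-", "V": "...-", "W": ".--", "X": "-..-",
    "Y": "-.--", "Z": "--..",
    "0": "-----", "1": ".----", "2": "..---", "3": "...--", "4": "....-",
    "5": ".....", "6": "-....", "7": "--...", "8": "---..", "9": "----.",
    ".": ".-.-.-", ",": "--..--", "?": "..--..", "'": ".----.",
}
REVERSE = {code: ch for ch, code in MORSE.items()}

# The message quoted in the article (ASCII apostrophe used here).
MESSAGE = "19 people rescued. You are next. Don't lose hope."


def encode(text):
    """Text -> Morse. Letters separated by one space, words by ' / '."""
    words = []
    for word in text.upper().split():
        # Characters without a Morse code (e.g. stray punctuation) are dropped.
        words.append(" ".join(MORSE[ch] for ch in word if ch in MORSE))
    return " / ".join(words)


def decode(morse):
    """Morse (as produced by encode) -> upper-case text."""
    words = []
    for word in morse.split(" / "):
        words.append("".join(REVERSE[sym] for sym in word.split()))
    return " ".join(words)


def unit_ms(wpm):
    """PARIS convention: 'PARIS' is 50 units, so one unit = 1200 / wpm ms."""
    return 1200.0 / wpm


def timeline(morse, wpm):
    """Return a list of (tone_on, duration_ms) events for a synth/sequencer.

    Dit = 1 unit, dah = 3 units, gap inside a letter = 1, between letters = 3,
    between words = 7 (all gaps are silence).
    """
    u = unit_ms(wpm)
    events = []
    words = morse.split(" / ")
    for wi, word in enumerate(words):
        symbols = word.split()
        for si, sym in enumerate(symbols):
            for ci, mark in enumerate(sym):
                events.append((True, u if mark == "." else 3 * u))
                if ci < len(sym) - 1:
                    events.append((False, u))
            if si < len(symbols) - 1:
                events.append((False, 3 * u))
        if wi < len(words) - 1:
            events.append((False, 7 * u))
    return events


def duration_s(text, wpm):
    """Total seconds the encoded text occupies at the given speed."""
    return sum(d for _, d in timeline(encode(text), wpm)) / 1000.0


if __name__ == "__main__":
    code = encode(MESSAGE)
    print(code)
    for wpm in (20, 40):
        print(f"{wpm} wpm: {duration_s(MESSAGE, wpm):.2f} s")
```

Doubling the rate halves the duration, which is the trade-off the producer describes: at 40 wpm the code is short but sounds like a fast electronic beat, at 20 wpm it fits the length of a chorus and blends with the music.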

Hiding the Morse code took weeks, with constant back-and-forth with Col. Espejo and the military to make sure their men could understand the message. “It was difficult because Morse code is not a musical beat. Sometimes it was too obvious,” says Portela. “Other times the code was not understood. And we had to hide it three times in the song to make sure the message was received.”

Finally, in September 2010, the song was mastered. They titled it “Better Days,” performed by session artists Natalia Gutierrez Y Angelo, fairly anonymous background musicians who’d worked on other jingles at the studio. Ortiz thought it was a masterpiece. “When I first listened, I thought it was a song of freedom,” he says.

With the song completed, they had to get it on the airwaves. Commercial Colombian stations largely only played hits by famous artists like Coldplay and Shakira. Luckily, says Col. Espejo, in many of the jungle areas where the hostages were held, all the radio stations were controlled by the government. “The hostages were listening to our own stations, so we made sure the song was played,” he says. “The code message said, ‘you’re next’ because the hostages thought if they ran away, they would die in the jungle. We let them know that our troops were nearby.” At that time, active commando missions were underway, placing troops undercover in FARC-controlled areas.

Former hostage Major General Luis Mendieta Ovalle Herlindo helped the operation by appearing on live television and making an appeal directly to the guerillas. Herlindo, who escaped in one of the secretive commando-led escapes during “Operation Chameleon,” said: “This message is for members of the FARC. For those being held captive without a radio. Please, give them radio.” Though it might seem that this gave the game away, to Colombians it sounded like an appeal for hostages to be able to hear the voices of their families, who call in to radio shows.

The song was played on over 130 small stations and heard by 3 million people. Though most Colombians in major cities would not even recognize the song, it became popular in the rural areas controlled by the FARC. By December 2010, “Better Days” was echoing across the jungle. And the plan worked.

“We know of hostages who heard the message and were able to escape and provide information that led to the release of more hostages,” says Colonel Espejo.

Later in December 2010, the FARC announced its plans to release five more hostages as a humanitarian gesture, including a police major, two military service members, and two politicians; two months later, Major Guillermo Solorzano, 35, and Corporal Salin Sanmiguel, 28, were released back to their families; and in the spring of 2012, the last 10 police and military hostages — some of whom had spent 14 years in captivity — were released and flown in a Brazilian military helicopter to safety. Colonel Espejo watched the hostages on TV, waving and punching the air with delight as they stepped off a helicopter in Villavicencio. At the country’s presidential palace, the president, Juan Manuel Santos, said: “Welcome to liberty, soldiers and policemen of Colombia. Freedom has been very delayed, but now it is yours, to the delight of the whole country.”

One former hostage was able to confirm the song’s effectiveness, according to Col. Espejo. He told Ortiz of a clandestine operation that resulted in the release of Private Joshua Alvarez. In his military psychological evaluation, Col. Espejo says that the soldier spoke of hearing “the code hidden in the song,” and revealed how the message was passed from soldier to soldier. The song was even enjoyed by the FARC, who were oblivious to its secret message. Back home in his village in western Nariño, Alvarez was greeted with a hero’s welcome, including fireworks and banners.

“It makes me very happy to think of the hostages listening to our song,” Ortiz says.

Ortiz still keeps in touch with Col. Espejo, who retired from the military and now works as a journalist. Col. Espejo wrote the book El Gran Cartel, an investigation into the FARC’s finances. Ortiz continues to travel between Colombia, New York, and Miami, where he has created commercials for Rice Krispies and Volkswagen. He’s earned a place in the American Advertising Federation’s Hall of Fame, and on a top 10 list of “exceptional Colombians.”

On the wall of Ortiz’s Miami office there’s a photo of him celebrating his gold Lion for the dandruff cocaine ad in 2000, wildly waving a Colombian flag on stage. He recalls how he persuaded a local tailor in Cannes to fashion him a Colombian flag on the morning of the awards. Receiving that award should have been the greatest moment of his life, he says, but that victory was marred by the FARC and their threats. “One moment, I was the king of the world,” he says ruefully, “the next… just another Colombian victim of the terrorists. Being able to help the military with the code project was my way of helping them fight.”

The army agreed to declassify “The Code” operation in 2011 and allowed the song to be entered into the Cannes Lions. “Better Days” earned Ortiz his second gold Lion. “This time,” he says, “we enjoyed it.”