November 11, 2013, 8:23 AM — British intelligence agency Government Communications Headquarters (GCHQ) reportedly used spoofed LinkedIn and Slashdot pages to compromise the computers of network engineers working for global roaming exchange providers based in Europe.
Special teams from GCHQ's My Network Operations Centre (MyNOC) division identified key employees doing network maintenance and security at the targeted companies and determined which of them were users of LinkedIn or Slashdot.org. The teams then directed the targeted individuals to fake versions of those sites which contained malicious code designed to install malware on their computers, German magazine Der Spiegel reported based on secret GCHQ documents leaked by former U.S. National Security Agency (NSA) contractor Edward Snowden.
The technology used for these computer infiltration operations is called "Quantum Insert" and according to past media reports it was also used by the NSA.
GCHQ used this system to target network engineers from Belgian telecommunications provider Belgacom as part of an operation called "Socialist," as well as the employees of "international mobile billing clearinghouses" as part of a separate operation called "Wylekey," Der Spiegel reported.
Services provided by these clearinghouse companies are used by mobile operators to streamline the process of roaming administration and billing, giving those companies access to a large quantity of data about mobile connections.
One of the clearinghouses whose employees were reportedly targeted by GCHQ was Mach, a Luxembourg company that was acquired in July by Syniverse Technologies, a provider of cloud services for mobile carriers and ISPs headquartered in Tampa, Florida. Mach's business in Europe was resold to Starhome of Zurich.
"We acquired the Mach brand, European customer base, and ownership of the Mach clearing software," Guy Reiffer, VP of marketing and partnerships at Starhome and a former Mach employee, said via email. "We have now implemented a brand new Clearing House in Germany and this went live in September 2013. We think it extremely unlikely that our platform is affected by this attack (which was instigated in 2010) but have decided to perform a security audit to ensure that no issues exist."
Syniverse did not immediately respond to a request for comment.
Another clearinghouse reportedly on GCHQ's target list was Comfone of Bern, Switzerland. It did not respond to a request for comment.
In the case of Operation Socialist which targeted Belgacom engineers, the goal was to compromise their computers and then gain access to the GRX (Global Roaming Exchange) routers operated by its BICS subsidiary.