The covert operation was the first known example of a European Union member state hacking the critical infrastructure of another. The malware infection triggered a massive cleanup operation within Belgacom, which has since renamed itself Proximus. The company – of which the Belgian government is the majority owner – was forced to replace thousands of its computers at a cost of several million Euros. Elio di Rupo, Belgium’s then-prime minister, was furious, calling the hack a “violation.” Meanwhile, one of the country’s top federal prosecutors opened a criminal investigation into the intrusion.
The criminal investigation has remained open for more than four years, but no details about its activities have been made public. Now, following interviews with five sources close to the case, The Intercept – in collaboration with Dutch newspaper de Volkskrant – has gained insight into the probe and uncovered new information about the scope of the hack. The sources, who are subject to confidentiality agreements and not authorized to talk to the media, spoke on the condition of anonymity. Their accounts reveal an extraordinary investigation that was hindered from the outset by political, diplomatic, technical, and legal difficulties.
The Belgacom breach sparked outrage in Europe’s political institutions and made global headlines. But Belgium’s effort to identify the spies responsible and hold them accountable faced roadblocks at almost every turn. Europol, the European Union’s law enforcement agency, refused to assist. Prosecutors overseeing the case feared triggering a major diplomatic dispute and were reluctant to pursue it aggressively. Meanwhile, British spies tried to destroy the evidence.
“We wanted to show that as a small country, we would not be bullied,” said a source close to the investigation. “But we were fighting against two big cyberarmies from the U.K. and the U.S. We knew we could never win this.”
At first, it was not clear how severely Belgacom’s systems were compromised or who was responsible for the breach. Inside a grayish four-story office building on Lebeau Street in Brussels, one of the company’s email servers kept malfunctioning. The problem, first identified in the summer of 2012, was assumed then to be a routine technical fault. But about a year later – in June 2013 – the issue flared up again, and Belgacom’s security experts realized there was a more sinister explanation: The company’s systems had been hacked.
Belgacom notified the authorities that it had been targeted, and in July 2013, filed a formal complaint with a federal prosecutor. The complaint triggered a major investigation that was code-named “Trinity,” led by a group that included members of Belgium’s federal police, domestic secret service, military intelligence, and a specialist unit known as a Computer Emergency Response Team. Belgacom also recruited help in the form of Netherlands-based cybersecurity firm Fox-IT; it called in the U.S. technology company Cisco to assess the damage, as well.
Once they had the chance to analyze Belgacom’s infected computers, the Belgian authorities realized that they were not dealing with a routine cyberattack. Instead, they assessed that it was an “advanced persistent threat” – a deep-reaching hack perpetrated by a well-funded, highly skilled actor. They had never encountered anything like it before.
The malware that had infected Belgacom’s systems was disguised as legitimate Microsoft software, the investigators found. It was secretly collecting data from the company’s networks before storing it in compressed containers with several layers of encryption. Assessing the extent of the damage was no easy task. The Belgians could not completely decrypt the files and were therefore unable to identify exactly what had been taken from Belgacom’s computers.
The hackers were retrieving the stolen information from Belgacom’s systems during business hours, masking their activity within the normal flows of data passing to and from the company’s networks. But in late August 2013, the malware suddenly began deleting itself, vanishing in minutes from Belgacom’s infected computers. “The attackers knew they’d been discovered,” said a security expert who worked on the case. “They pushed a button to destroy the malware.”
Luckily, the investigators had already made copies of the bug. They followed the digital evidence, forensically analyzing it for clues. They found that the stolen data had been sent out of Belgacom’s systems to a network of servers seemingly operated by the hackers. They identified the servers by tracing IP addresses – a series of numbers assigned to computers when they connect to the internet – to countries including India, the Netherlands, Indonesia, and Romania.
The hackers had rented the servers from private companies operating in each of these countries. Belgian police contacted the companies and asked them to turn over any information they had about the customers who had purchased the servers. The companies complied, providing the police with names, addresses, and payment records. The police now had a list of people they believed could be responsible for the hack. But that’s where the trail began to go cold.
The addresses were for people who appeared to live in Germany and Denmark. Belgian federal police officers reached out to their counterparts in these countries, sharing the details about their suspects. But there were no records of anyone with the suspects’ names having lived at the addresses. In Germany, the address the hackers had used turned out to be a theater. It quickly became obvious to the investigators that the information was fraudulent. Their prime suspects were people who did not exist.
“There was nothing there – just ghosts,” said a source close to the investigation. “They are spies. They put up smokescreens.”
One detail would later take on significance, however. The servers had in some cases been purchased with payment cards that appeared to have been issued to people based in the U.K.
In June 2013, shortly before the discovery of the intrusion at Belgacom, journalists began publishing documents leaked by National Security Agency whistleblower Edward Snowden. The documents exposed controversial mass surveillance programs operated by the NSA and its British counterpart, GCHQ.
Some of the Belgacom investigators initially suspected that the NSA was involved in the hack, partly due to the complexity of the malware. It bore similarities to Stuxnet and Flame, U.S.-created digital viruses designed to sabotage and collect intelligence about Iran’s uranium enrichment program. “This was by far the most sophisticated malware I’ve ever seen,” recalled Frank Groenewegen, a researcher who analyzed Belgacom’s infected systems for the cybersecurity firm Fox-IT.
It was not until September 2013 that the Belgians would learn the truth: The Belgacom intrusion had in fact been carried out by another of their close allies, the British. Documents from Snowden, published that month by Der Spiegel, showed that a GCHQ unit called the Network Analysis Centre had hacked into the computers of three Belgacom engineers who had access to sensitive parts of the company’s systems.
When the details about the hack went public, Belgacom tried to play down the extent of the breach. The company circulated a press release insisting there was “no indication of any impact” for its customers and their data. But the reassurance turned out to be false. As The Intercept revealed in December 2014, the most sensitive parts of Belgacom’s networks were compromised in stages between January and December 2011. After installing malware on the engineers’ computers by luring them to a fake version of the LinkedIn website, GCHQ was able to steal their keys to the secure parts of Belgacom’s networks and begin monitoring the data flowing across them. The agency boasted in classified reports that the operation was “hugely successful.” It gained access to Belgacom “both deep into the network and at the edge of the network” and hacked into data links carrying information over a protocol known as GPRS, which handles cellphone internet browsing sessions and multimedia messages.
The British spies appear to have targeted Belgacom due to its role as one of Europe’s most important telecommunications hubs. Through a subsidiary company called Belgacom International Carrier Services, it maintains data links across the continent and also processes phone calls and emails passing to and from the Middle East, North Africa, and South America. But tapping into a broad range of global communications is only one possible motive. GCHQ may also have sought access to Belgacom’s networks to snoop on NATO and key European institutions, such as the European Commission, the European Parliament, and the European Council. All of those organizations have large offices and thousands of employees in Belgium. And all were Belgacom customers at the time of the intrusion.
Over the last decade, as the internet and smartphone use have boomed, GCHQ has increasingly turned to hacking to collect intelligence on matters related to economics, geopolitics, and security. Aside from Belgacom, the agency has broken into the computer systems of the oil production organization OPEC; the Netherlands-based security company Gemalto; and organizations that process international cellphone billing records, including Switzerland’s Comfone. The agency has also hacked several governments and companies from countries including Ireland, South Africa, Pakistan, India, Turkey, Iran, Argentina, Russia, North Korea, the United Arab Emirates, and Zimbabwe, according to previously undisclosed lists of some of its targets, contained in the archive of classified documents that The Intercept obtained from Snowden.
The hacking attacks are among GCHQ’s most sensitive and risky operations, mainly because the method is not as discreet as more traditional forms of electronic surveillance, like monitoring a phone line. Challenges the agency faces during its computer intrusions include “avoiding detection by [the] target or another agency” and “remaining within the law,” according to a previously undisclosed top-secret GCHQ document from the Snowden archive. All of GCHQ’s hacking activities “must be U.K. deniable,” the document says, meaning it should be impossible for those targeted by the hacks to trace them back to GCHQ’s computers. The agency’s hackers use what they call “intermediary machines” and “covert infrastructure” to disguise themselves before they steal information from hacked computers or phones.
In the Belgacom case, these protections failed and GCHQ’s biggest fear was realized. Its operation was discovered and its identity as the perpetrator was publicly exposed. For the authorities in Belgium, however, seeking justice for the damage that the agency caused still proved a remarkable challenge.
As news organizations began publishing the Snowden documents in 2013, the Belgians studied them with interest. The classified files revealed details about the planning and execution of the hack. But because the documents appeared in the press, were partly redacted, and had not been handed straight to the police, the law enforcement officials overseeing the criminal investigation did not consider them direct evidence, though they did enter the documents into their case file.
According to a source close to the investigation, there were informal discussions over whether it would be possible to ask Snowden to testify as a witness in the case, so he could verify the documents and potentially provide his own statement about the hack of Belgacom. However, senior prosecutor Frederic Van Leeuw poured cold water on the idea, on the grounds that it would be too damaging diplomatically. Snowden was in Russia, where he had sought asylum, and interviewing him could upset the U.S., a powerful ally of the Belgian government. At the time, there were rising concerns about the movement of potential Islamist terrorists in Europe. The Belgians needed U.S. assistance in tracking that threat and feared any move that could jeopardize the cooperation. (A spokesperson for Van Leeuw declined to comment for this story.)
The investigators knew the U.K. was responsible for the hack. But they wanted to build their own case, based on their own sources, that nailed GCHQ as the perpetrator. Some of the forensic evidence they had obtained from Belgacom’s systems pointed toward the U.K., but it was not conclusive and could still be denied.
There were the payments they had been able to trace to the U.K., but those turned out to have been made using pre-paid credit cards that were obtained anonymously – in the Kent area of England and elsewhere – and not linked directly to GCHQ. The investigators also found the names “Daredevil” and “Warriorpride” embedded within the code of the malware that had infected Belgacom’s systems. These are the names of a hacking tool used by GCHQ and NSA, according to the Snowden documents, and their discovery within Belgacom was as close as the investigators got to a smoking gun. But the Belgians felt these details were still too circumstantial. They needed more.
In late 2013, Belgian police decided to approach the European Union’s law enforcement agency, Europol, for assistance. Europol helps E.U. member states fight terrorism and serious crime. It has a specialist unit called the European Cybercrime Centre, whose mandate is to “strengthen the law enforcement response to cybercrime in the E.U.” The Belgians hoped the unit would help them gather more evidence about the hack.
However, Europol wanted nothing to do with the investigation and refused to assist, according to two sources familiar with the interaction. Europol asserted that it would not carry out investigations into other European Union member states – in this case, the U.K. The Belgians were frustrated and believed Europol had stonewalled them for political reasons; they noted with suspicion that the organization was led by Rob Wainwright, who is British.
Jan Op Gen Oorth, a spokesperson for Europol, told The Intercept in an email that regulations restricted the organization to “investigating acts affecting two or more EU Member States, involving serious and organized crime and terrorist actors only.” Questioned on which regulations he meant, Op Gen Oorth pointed to a policy that did not exist at the time the Belgians asked for assistance with the hack of Belgacom. (The policy was in fact brought into force in May 2017; it states that Europol is empowered to investigate hacks “of suspected criminal origin,” but says nothing about hacks perpetrated by governments.)
At every turn in the case, the Belgian investigators encountered a dead end. They knew that even if they identified specific GCHQ personnel responsible for the hack, they would likely never be able to arrest or extradite them from the U.K. It might have been possible to place the names of particular GCHQ employees on a watch list, and if they ever traveled to Belgium, police could detain and interrogate them. But that would pose its own set of problems. Arresting a British spy would trigger a massive public dispute with the U.K. and there was insufficient political appetite for such a showdown. As such, the Belgian Trinity investigation came to be viewed as little more than symbolic in value.
“We could see GCHQ was behind it, but we knew it was never going to go to court,” said a source close to the case. “But still, we wanted to gather information and make it known to the world that in Belgium if you try to hack our national telecoms we won’t look away, we will investigate.”
The British government has never publicly acknowledged any role in the Belgacom hack. GCHQ declined to answer questions for this story and instead issued a statement asserting that its work is carried out “in accordance with a strict legal and policy framework, which ensures that our activities are authorised, necessary and proportionate.” Any GCHQ hack that targets foreign organizations must be approved at a senior level within the agency, and particularly sensitive operations sometimes require the sign-off of the government’s foreign secretary, who at the time of the Belgacom intrusion was William Hague. A spokesperson for Hague refused to discuss the case, saying he would not comment on “national intelligence matters.”
In the aftermath of the incident, it is likely that the Belgian government lodged diplomatic protests with its British counterparts. According to U.K. government records obtained by The Intercept through the Freedom of Information Act, British officials held a series of meetings with Belgian government representatives after the Belgacom intrusion was publicly exposed. In October 2013, for instance, the foreign secretaries of each country and senior diplomats attended a two-day “Belgian-British conference” at Lancaster House in London’s West End. Two weeks later, the British ambassador to Belgium met in Brussels with Johan Delmulle, a top Belgian federal prosecutor, who was overseeing the Belgacom investigation at the time.
Even within the Belgian government and law enforcement community, however, there was a lack of clarity about how the case was being handled. The country’s law enforcement personnel were not informed about whether a diplomatic dialogue was underway with the British. Meanwhile, Alexander De Croo, the Belgian government minister responsible for telecoms services, appears to have been kept in the dark about the incident. During a January 2016 talk at the World Economic Forum in Davos, Switzerland, De Croo made the extraordinary suggestion that his own government might even have secretly allowed the British to go ahead with the hack.
“The whole question is: Did we agree or not,” De Croo said. “I am not the Minister of Justice so I don’t get access to everything. … It might very well be that the Belgian intelligence services said, ‘Yes please go ahead, why not?’”
De Croo declined to be interviewed for this story. Belgium’s Ministry of Justice and intelligence services refused to discuss De Croo’s comments, citing an ongoing investigation.
The police file on the Belgacom hack numbers thousands of pages and is expected to be handed over soon to the prosecutor now overseeing the case. That prosecutor, Geert Schoorens, will decide what to do next, including whether to charge anyone over the breach.
Despite the political uproar the incident triggered in 2013, it is unlikely that any action will be taken. That GCHQ was responsible is beyond doubt, but the agency will face no consequences, say sources with knowledge of the case. There will be no sanctions for the U.K., no compensation to cover the damage caused, no arrests, no interrogations, no apology, and no admission of guilt. Rather, Schoorens will turn over a report to the Belgian parliament and the investigation will be quietly closed.
Despite this, the hack has had a palpable impact in Belgium. Belgacom – or Proximus, as it is now known – committed to spend more than $55 million to reform its internal security procedures. The company created a cyberdefense unit and recruited “ethical hackers” who routinely try to break into its networks, which helps identify and fix any potential vulnerabilities. It has also trained its employees in how to spot potential hacking attempts, introduced new systems that constantly monitor activity within its internal networks, and reduced the number of its computers that have access to sensitive parts of its systems.
The Belgian authorities, too, were forced to embrace changes after the breach. The criminal investigation brought the country’s law enforcement and secret services closer together, and now the agencies are more cooperative on cybersecurity issues. For them, GCHQ’s actions were a rude awakening – and the sign of a looming new threat, for which they are now preparing. “In the next few years, this malware is going to be in the hands of criminals and terrorists,” said a source close to the investigation. “Belgacom was a learning curve. We learned how to respond to a crisis before the next crisis.”