A new report reveals UK intelligence is using man-in-the-middle style attacks to target employees of GRX providers.
A new report by German newspaper Der Spiegel has revealed that Britain's signals intelligence agency is employing a technique called “quantum insert” to target the employees of two companies that are providers for the Global Roaming Exchange (GRX).
GRX is essentially an internet exchange point: a physical infrastructure through which Internet service providers exchange traffic between their networks. GRX, however, is dedicated to mobile roaming traffic. There are only about two dozen GRX providers in the world. The new attack has targeted administrators and engineers at the providers Comfone and Mach.
The Spiegel report suggests that the Government Communications Headquarters (GCHQ), the British equivalent of the NSA, used fake LinkedIn and Slashdot accounts to feed malware to their targets. This same technique was previously used to attack nine employees of the Organization of Petroleum Exporting Countries (OPEC).
It is possible that the attack is related to the attack earlier this year on Belgacom International Carrier Services (BICS), a subsidiary of Belgian telecom giant Belgacom. BICS is also a GRX provider.
Bruce Schneier, a security expert and well-known cryptographer, explained on his blog that “the NSA relies on its secret partnerships with US telecoms companies.” One could assume that GCHQ operates similarly with British and European telecoms companies. Schneier explains how the NSA technique works:
As part of the Turmoil system, the NSA places secret servers, codenamed Quantum, at key places on the Internet backbone. This placement ensures that they can react faster than other websites can. By exploiting that speed difference, these servers can impersonate a visited website to the target before the legitimate website can respond, thereby tricking the target’s browser to visit a Foxacid server.
In the academic literature, these are called “man-in-the-middle” attacks and have been known to the commercial and academic security communities. More specifically, they are examples of “man-on-the-side” attacks.
They are hard for any organization other than the NSA to reliably execute, because they require the attacker to have a privileged position on the Internet backbone and exploit a “race condition” between the NSA server and the legitimate website. This top-secret NSA diagram, made public last month, shows a Quantum server impersonating Google in this type of attack.
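The race Schneier describes leaves a trace that a defender can look for: when an injected response wins the race, the real server's response still arrives a moment later, so the capture contains two TCP segments on the same flow with the same sequence number but different bytes. The following check is an added example written for this edit; it is not code from the article, from Schneier's post or from any real detection tool. The Segment fields, the addresses (documentation ranges), the TTL values and the HTTP payloads are all constructed for the demonstration.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    """Minimal view of a captured TCP segment (only the fields the check needs)."""
    src: str
    sport: int
    dst: str
    dport: int
    seq: int
    ttl: int
    payload: bytes


def flow_key(seg: Segment) -> tuple:
    return (seg.src, seg.sport, seg.dst, seg.dport)


def find_injection_candidates(segments):
    """Return alerts for segments that reuse a sequence number already seen on the
    same flow but carry a different payload.

    A legitimate retransmission repeats the same bytes, so it is ignored. Two
    different payloads at the same sequence number mean two senders answered the
    same request: the signature of a man-on-the-side race. The earlier packet is
    the race winner (in an attack, the injected one); the later one lost the race
    (typically the real server's reply).
    """
    seen = defaultdict(dict)  # flow -> seq -> [distinct data-carrying segments]
    alerts = []
    for seg in segments:
        if not seg.payload:
            continue  # pure ACKs carry nothing to compare
        seen_here = seen[flow_key(seg)].setdefault(seg.seq, [])
        if any(s.payload == seg.payload for s in seen_here):
            continue  # identical bytes: retransmission, not injection
        if seen_here:
            winner = seen_here[0]
            alerts.append({
                "flow": flow_key(seg),
                "seq": seg.seq,
                "winner_payload": winner.payload,
                "loser_payload": seg.payload,
                # A packet forged from a different network position usually
                # arrives with a different IP TTL than the real server's packets;
                # a mismatch strengthens the alert but is not proof on its own.
                "ttl_mismatch": winner.ttl != seg.ttl,
            })
        seen_here.append(seg)
    return alerts


# Constructed sample capture (not real traffic): a client fetches a page, a
# forged response wins the race, the server's genuine response arrives next,
# and finally a harmless retransmission of the genuine response.
SERVER = ("203.0.113.10", 80)
CLIENT = ("192.0.2.25", 51234)
GENUINE = b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\nhello"
FORGED = b"HTTP/1.1 302 Found\r\nLocation: http://example.invalid/\r\n\r\n"

SAMPLE_SEGMENTS = [
    Segment(*CLIENT, *SERVER, seq=5000, ttl=64,
            payload=b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    Segment(*SERVER, *CLIENT, seq=9000, ttl=51, payload=FORGED),   # race winner
    Segment(*SERVER, *CLIENT, seq=9000, ttl=57, payload=GENUINE),  # real reply
    Segment(*SERVER, *CLIENT, seq=9000, ttl=57, payload=GENUINE),  # retransmit
]

if __name__ == "__main__":
    for alert in find_injection_candidates(SAMPLE_SEGMENTS):
        print(f"possible injection on {alert['flow']} at seq {alert['seq']}, "
              f"TTL mismatch: {alert['ttl_mismatch']}")
```

The check deliberately keys on an exact sequence-number match with differing content, which is what separates an injection from an ordinary retransmission; segments that only partially overlap an earlier one are not compared, so on real captures it should be paired with TCP stream reassembly rather than run over raw packets alone.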