{
	"id": "f687801d-7c58-47dc-81b8-9e6c92e3e20e",
	"created_at": "2026-04-06T00:08:54.888553Z",
	"updated_at": "2026-04-10T13:12:50.197494Z",
	"deleted_at": null,
	"sha1_hash": "4c850e1d6ceda58332e611813c7527b8bf2649b7",
	"title": "The Inside Story of How British Spies Hacked Belgium’s Largest Telco",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1219072,
	"plain_text": "The Inside Story of How British Spies Hacked Belgium’s Largest\r\nTelco\r\nBy Ryan Gallagher\r\nPublished: 2014-12-13 · Archived: 2026-04-05 18:15:34 UTC\r\nWhen the incoming emails stopped arriving, it seemed innocuous at first. But it would eventually become clear\r\nthat this was no routine technical problem. Inside a row of gray office buildings in Brussels, a major hacking\r\nattack was in progress. And the perpetrators were British government spies.\r\nIt was in the summer of 2012 that the anomalies were initially detected by employees at Belgium’s largest\r\ntelecommunications provider, Belgacom. But it wasn’t until a year later, in June 2013, that the company’s security\r\nexperts were able to figure out what was going on. The computer systems of Belgacom had been infected with\r\nhighly sophisticated malware that disguised itself as legitimate Microsoft software while quietly stealing\r\ndata.\r\nLast year, documents from National Security Agency whistleblower Edward Snowden confirmed that British\r\nsurveillance agency Government Communications Headquarters was behind the attack, codenamed Operation\r\nSocialist. And in November, The Intercept revealed that the malware found on Belgacom’s systems was one of the\r\nmost advanced spy tools ever identified by security researchers, who named it “Regin.”\r\nThe full story about GCHQ’s infiltration of Belgacom, however, has never been told. 
Key details about the attack\r\nhave remained shrouded in mystery—and the scope of the attack unclear.\r\nNow, in partnership with Dutch and Belgian newspapers NRC Handelsblad and De Standaard, The Intercept has\r\npieced together the first full reconstruction of events that took place before, during, and after the secret GCHQ\r\nhacking operation.\r\nBased on new documents from the Snowden archive and interviews with sources familiar with the malware\r\ninvestigation at Belgacom, The Intercept and its partners have established that the attack on Belgacom was more\r\naggressive and far-reaching than previously thought. It occurred in stages between 2010 and 2011, each time\r\npenetrating deeper into Belgacom’s systems, eventually compromising the very core of the company’s networks.\r\nSnowden told The Intercept that the latest revelations amounted to unprecedented “smoking-gun attribution for a\r\ngovernmental cyber attack against critical infrastructure.”\r\nThe Belgacom hack, he said, is the “first documented example to show one EU member state mounting a cyber\r\nattack on another…a breathtaking example of the scale of the state-sponsored hacking problem.”\r\nPublicly, Belgacom has played down the extent of the compromise, insisting that only its internal systems were\r\nbreached and that customers’ data was never found to have been at risk. But secret GCHQ documents show the\r\nhttps://theintercept.com/2014/12/13/belgacom-hack-gchq-inside-story/\r\nPage 1 of 9\n\nagency gained access far beyond Belgacom’s internal employee computers and was able to grab encrypted and\r\nunencrypted streams of private communications handled by the company.\r\nBelgacom invested several million dollars in its efforts to clean up its systems and beef up its security after the\r\nattack. 
However, The Intercept has learned that sources familiar with the malware investigation at the company\r\nare uncomfortable with how the clean-up operation was handled—and they believe parts of the GCHQ malware\r\nwere never fully removed.\r\nThe revelations about the scope of the hacking operation will likely alarm Belgacom’s customers across the world.\r\nThe company operates a large number of data links internationally (see interactive map below), and it serves\r\nmillions of people across Europe as well as officials from top institutions including the European Commission, the\r\nEuropean Parliament, and the European Council. The new details will also be closely scrutinized by a federal\r\nprosecutor in Belgium, who is currently carrying out a criminal investigation into the attack on the company.\r\nSophie in ’t Veld, a Dutch politician who chaired the European Parliament’s recent inquiry into mass surveillance\r\nexposed by Snowden, told The Intercept that she believes the British government should face sanctions if the\r\nlatest disclosures are proven.\r\n“Compensating Belgacom should be the very least it should do,” in ’t Veld said. 
“But I am more concerned about\r\naccountability for breaking the law, violating fundamental rights, and eroding our democratic systems.”\r\nOther similarly sophisticated state-sponsored malware attacks believed to have been perpetrated by Western\r\ncountries have involved Stuxnet, a worm used to sabotage Iranian nuclear systems, and Flame, spy malware that\r\nwas found collecting data from systems predominantly in the Middle East.\r\nWhat sets the secret British infiltration of Belgacom apart is that it was perpetrated against a close ally—and is\r\nbacked up by a series of top-secret documents, which The Intercept is now publishing.\r\nGCHQ declined to comment for this story, and insisted that its actions are “necessary, legal, and proportionate.”\r\nThe beginning\r\nThe origins of the attack on Belgacom can be traced back to 2009, when GCHQ began developing new techniques\r\nto hack into telecommunications networks. The methods were discussed and developed during a series of top-secret “signals development” conferences, held annually by countries in the so-called “Five Eyes” surveillance\r\nalliance: the United States, the United Kingdom, Australia, New Zealand, and Canada.\r\nBetween 2009 and 2011, GCHQ worked with its allies to develop sophisticated new tools and technologies it\r\ncould use to scan global networks for weaknesses and then penetrate them. According to top-secret GCHQ\r\ndocuments, the agency wanted to adopt the aggressive new methods in part to counter the use of privacy-protecting encryption—what it described as the “encryption problem.”\r\nWhen communications are sent across networks in encrypted format, it makes it much harder for the spies to\r\nintercept and make sense of emails, phone calls, text messages, internet chats, and browsing sessions. For GCHQ,\r\nthere was a simple solution. 
The agency decided that, where possible, it would find ways to hack into\r\ncommunication networks to grab traffic before it’s encrypted.\r\nThe British spies identified Belgacom as a top target to be infiltrated. The company, along with its subsidiary\r\nBelgacom International Carrier Services, plays an important role in Europe, and has partnerships with hundreds of\r\ntelecommunications companies across the world—in Africa, Asia, Europe, the Middle East, and the United States.\r\nThe Belgacom subsidiary maintains one of the world’s largest “roaming” hubs, which means that when foreign\r\nvisitors traveling through Europe on vacation or a business trip use their cellphones, many of them connect to\r\nBelgacom’s international carrier networks.\r\nThe Snowden documents show that GCHQ wanted to gain access to Belgacom so that it could spy on phones used\r\nby surveillance targets travelling in Europe. But the agency also had an ulterior motive. Once it had hacked into\r\nBelgacom’s systems, GCHQ planned to break into data links connecting Belgacom and its international partners,\r\nmonitoring communications transmitted between Europe and the rest of the world. 
A map in the GCHQ\r\ndocuments, named “Belgacom_connections,” highlights the company’s reach across Europe, the Middle East, and\r\nNorth Africa, illustrating why British spies deemed it of such high value.\r\nAttack planning\r\nBefore GCHQ launched its attack on Belgacom’s systems, the spy agency conducted in-depth reconnaissance,\r\nusing its powerful surveillance systems to covertly map out the company’s network and identify key employees\r\n“in areas related to maintenance and security.”\r\nGCHQ documents show that it maintains special databases for this purpose, storing details about computers used\r\nby engineers and system administrators who work in the nerve center, or “network operations center,” of computer\r\nnetworks worldwide. Engineers and system administrators are particularly interesting to the spies because they\r\nmanage networks—and hold the keys that can be used to unlock large troves of private data.\r\nGCHQ developed a system called NOCTURNAL SURGE to search for particular engineers and system\r\nadministrators by finding their IP addresses, unique identifiers that are allocated to computers when they connect\r\nto the internet. In early 2011, the documents show, GCHQ refined the NOCTURNAL SURGE system with the\r\nhelp of its Canadian counterparts, who had developed a similar tool, named PENTAHO.\r\nGCHQ narrowed down IP addresses it believed were linked to the Belgacom engineers by using data its\r\nsurveillance systems had collected about internet activity, before moving into what would be the final stages prior\r\nto launching its attack. 
The documents show that the agency used a tool named HACIENDA to scan for\r\nvulnerable potential access points in Belgacom’s networks; it then went hunting for particular engineers or\r\nadministrators that it could infect with malware.\r\nThe infection\r\nThe British spies, part of a special unit named the Network Analysis Center, began trawling through their vast\r\nrepositories of intercepted Internet data for more details about the individuals they had identified as suspected\r\nBelgacom engineers.\r\nThe spies used the IP addresses they had associated with the engineers as search terms to sift through their\r\nsurveillance troves, and were quickly able to find what they needed to confirm the employees’ identities and target\r\nthem individually with malware.\r\nThe confirmation came in the form of Google, Yahoo, and LinkedIn “cookies,” tiny unique files that are\r\nautomatically placed on computers to identify and sometimes track people browsing the Internet, often for\r\nadvertising purposes. GCHQ maintains a huge repository named MUTANT BROTH that stores billions of these\r\nintercepted cookies, which it uses to correlate with IP addresses to determine the identity of a person. GCHQ\r\nrefers to cookies internally as “target detection identifiers.”\r\nTop-secret GCHQ documents name three male Belgacom engineers who were identified as targets to attack. The\r\nIntercept has confirmed the identities of the men, and contacted each of them prior to the publication of this story;\r\nall three declined comment and requested that their identities not be disclosed.\r\nGCHQ monitored the browsing habits of the engineers, and geared up to enter the most important and sensitive\r\nphase of the secret operation. 
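The ‘Quantum Insert’ that the article turns to next is a race rather than an exploit of the target’s browser: an injector that can see the engineer’s plaintext HTTP request sends a forged server response (typically a redirect to the look-alike page) that must reach the victim before the genuine answer does. Because both answers occupy the same TCP sequence number but carry different bytes, a passive sensor on the victim’s side of the link can flag the collision. The Python below is an added example written for this edition; it is not code from The Intercept, from Belgacom or from any of the investigators named here. The packet records are constructed by hand (header line terminators omitted for brevity), the redirect target is a placeholder, and the eight-hop TTL threshold is an assumed tuning value.

```python
from collections import defaultdict

# Constructed packet records standing in for a capture taken on the victim
# side of the link: one dict per TCP segment that carries payload. The forged
# 302 and the genuine 200 answer the same request, so they share (flow, seq)
# but differ in content and in IP-level fingerprint. Nothing here comes from
# the Belgacom investigation; the addresses and the redirect target are made up.
PACKETS = [
    {'ts': 0.000, 'src': '10.0.0.7', 'sport': 51034, 'dst': '203.0.113.10', 'dport': 80,
     'seq': 1000, 'ttl': 64, 'ipid': 100,
     'payload': b'GET /in/engineer HTTP/1.1 Host: www.linkedin.com'},
    # forged response from an off-path injector: wins the race, odd TTL and IP ID
    {'ts': 0.030, 'src': '203.0.113.10', 'sport': 80, 'dst': '10.0.0.7', 'dport': 51034,
     'seq': 5000, 'ttl': 244, 'ipid': 1,
     'payload': b'HTTP/1.1 302 Found Location: http://lookalike.example/'},
    # genuine response from the real server, a few tens of milliseconds later
    {'ts': 0.085, 'src': '203.0.113.10', 'sport': 80, 'dst': '10.0.0.7', 'dport': 51034,
     'seq': 5000, 'ttl': 51, 'ipid': 4071,
     'payload': b'HTTP/1.1 200 OK Content-Type: text/html'},
    # an ordinary retransmission: same seq, identical bytes, must not alert
    {'ts': 0.300, 'src': '203.0.113.10', 'sport': 80, 'dst': '10.0.0.7', 'dport': 51034,
     'seq': 5400, 'ttl': 51, 'ipid': 4072, 'payload': b'<html>...</html>'},
    {'ts': 0.520, 'src': '203.0.113.10', 'sport': 80, 'dst': '10.0.0.7', 'dport': 51034,
     'seq': 5400, 'ttl': 51, 'ipid': 4073, 'payload': b'<html>...</html>'},
]


def find_injections(packets):
    '''Return one alert per (flow, seq) at which two payload-bearing segments
    share a sequence number but carry different bytes. Identical duplicates
    are normal TCP retransmissions and are ignored.'''
    first_seen = {}
    alerts = []
    for p in sorted(packets, key=lambda p: p['ts']):
        if not p['payload']:
            continue  # pure ACKs cannot collide in a meaningful way
        key = (p['src'], p['sport'], p['dst'], p['dport'], p['seq'])
        earlier = first_seen.setdefault(key, p)
        if earlier is p:
            continue  # first segment seen at this offset
        if earlier['payload'] == p['payload']:
            continue  # plain retransmission
        alerts.append({
            'flow': key[:4],
            'seq': p['seq'],
            'first': earlier,
            'second': p,
            'ttl_delta': abs(earlier['ttl'] - p['ttl']),
            'first_is_redirect': earlier['payload'].startswith(b'HTTP/1.1 30'),
        })
    return alerts


def likely_injected(alert, hop_threshold=8):
    '''Name the segment more likely to be the forged one. The injected answer
    has to win the race, so the earlier segment is the prime suspect; the
    verdict is returned only when it also carries a redirect or its TTL is
    more than hop_threshold away from the loser. Otherwise None (inconclusive).'''
    if alert['first_is_redirect'] or alert['ttl_delta'] > hop_threshold:
        return alert['first']
    return None


def flows_with_alerts(packets):
    '''Group alerts by flow so one connection produces one line of output.'''
    by_flow = defaultdict(list)
    for a in find_injections(packets):
        by_flow[a['flow']].append(a)
    return dict(by_flow)


if __name__ == '__main__':
    for flow, alerts in flows_with_alerts(PACKETS).items():
        for a in alerts:
            print(flow, 'seq', a['seq'], 'ttl', a['first']['ttl'], 'vs', a['second']['ttl'])
            culprit = likely_injected(a)
            if culprit is not None:
                print('  likely injected:', culprit['payload'][:40])
```

The sensor has to observe both copies, which is why this check belongs on a tap near the clients rather than at an upstream aggregation point where only the winner may be visible; Fox-IT later published detection logic along these lines for open-source IDS engines. Expect false positives where middleboxes legitimately re-segment a stream with different content at the same offset, so the TTL and redirect corroboration is what turns a collision into an incident.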
The agency planned to perform a so-called “Quantum Insert” attack, which involves\r\nredirecting people targeted for surveillance to a malicious website that infects their computers with malware at a\r\nlightning pace. In this case, the documents indicate that GCHQ set up a malicious page that looked like LinkedIn\r\nto trick the Belgacom engineers. (The NSA also uses Quantum Inserts to target people, as The Intercept has\r\npreviously reported.)\r\nA GCHQ document reviewing operations conducted between January and March 2011 noted that the hack on\r\nBelgacom was successful, and stated that the agency had obtained access to the company’s systems as planned. By\r\ninstalling the malware on the engineers’ computers, the spies had gained control of their machines, and were able\r\nto exploit the broad access the engineers had into the networks for surveillance purposes.\r\nThe document stated that the hacking attack against Belgacom had penetrated “both deep into the network and at\r\nthe edge of the network,” adding that ongoing work would help “further this new access.”\r\nBy December 2011, as part of a second “surge” against Belgacom, GCHQ identified other cellphone operators\r\nconnecting to the company’s network as part of international roaming partnerships, and successfully hacked into data\r\nlinks carrying information over a protocol known as GPRS, which handles cellphone internet browsing sessions\r\nand multimedia messages.\r\nThe spy agency was able to obtain data that was being sent between Belgacom and other operators through\r\nencrypted tunnels known as “virtual private networks.” GCHQ boasted that its work to conduct “exploitation”\r\nagainst these private networks had been highly productive, noting “the huge extent of opportunity that this work\r\nhas identified.” Another document, dated from late 2011, added: “Network Analysis on BELGACOM hugely\r\nsuccessful enabling 
exploitation.”\r\nGCHQ had accomplished its objective. The agency had severely compromised Belgacom’s systems and could\r\nintercept encrypted and unencrypted private data passing through its networks. The hack would remain undetected\r\nfor two years, until the spring of 2013.\r\nInside the Belgacom network control center in Brussels.\r\nThe discovery\r\nIn the summer of 2012, system administrators detected errors within Belgacom’s systems. At the company’s offices\r\non Lebeau Street in Brussels, a short walk from the European Parliament’s Belgian offices, employees of\r\nBelgacom’s BICS subsidiary complained about problems receiving emails. The email server had malfunctioned,\r\nbut Belgacom’s technical team couldn’t work out why.\r\nThe glitch was left unresolved until June 2013, when there was a sudden flare-up. After a Windows software\r\nupdate was sent to Belgacom’s email exchange server, the problems returned, worse than before. The\r\nadministrators contacted Microsoft for help, questioning whether the new Windows update could be the reason for\r\nthe fault. But Microsoft, too, struggled to identify exactly what was going wrong. There was still no solution to be\r\nfound. (Microsoft declined to comment for this story.)\r\nBelgacom’s internal security team began to suspect that the systems had been infected with some sort of virus, and\r\nthe company decided it was time to call in outside experts. It hired Dutch computer security firm Fox-IT to come\r\nand scan the systems for anything suspicious.\r\nBefore long, Fox-IT discovered strange files on Belgacom’s email server that appeared to be disguised as\r\nlegitimate Microsoft software. 
The suspicious files had been enabling a highly sophisticated hacker to circumvent\r\nautomatic Microsoft software updates of Belgacom’s systems in order to continue infiltrating the company’s\r\nsystems.\r\nAbout a month after Belgacom had identified the malicious software, or malware, it informed Belgian police and\r\nthe country’s specialist federal computer crime unit, according to sources familiar with the incident. Belgian\r\nmilitary intelligence was also called in to investigate the hack, together with Fox-IT.\r\nThe experts from Fox-IT and military intelligence worked to dissect the malware on Belgacom’s systems, and\r\nwere shocked by what they found. In interviews with The Intercept and its reporting partners, sources familiar\r\nwith the investigation described the malware as the most advanced they had ever seen, and said that if the email\r\nexchange server had not malfunctioned in the first place, the spy bug would likely have remained inside Belgacom\r\nfor several more years.\r\nA deep breach\r\nWhile working to assess the extent of the infection at Belgacom, the team of investigators realized that the damage\r\nwas far more extensive than they first thought. The malware had not only compromised Belgacom’s email servers,\r\nit had infected more than 120 computer systems operated by the company, including up to 70 personal computers.\r\nThe most serious discovery was that the large routers that form the very core of Belgacom’s international carrier\r\nnetworks, made by the American company Cisco, were also found to have been compromised and infected. 
The\r\nrouters are one of the most closely guarded parts of the company’s infrastructure, because they handle large flows\r\nof sensitive private communications transiting through its networks.\r\nEarlier Snowden leaks have shown how the NSA can compromise routers, such as those operated by Cisco; the\r\nagency can remotely hack them, or physically intercept and bug them before they are installed at a company. In\r\nthe Belgacom case, it is not clear exactly which method was used by GCHQ—or whether there was any direct\r\nNSA assistance. (The NSA declined to comment for this story.)\r\nEither way, the malware investigators at Belgacom never got a chance to study the routers. After the infection of\r\nthe Cisco routers was found, the company issued an order that no one could tamper with them. Belgacom bosses\r\ninsisted that only employees from Cisco could handle the routers, which caused unease among some of the\r\ninvestigators.\r\n“You could ask many security companies to investigate those routers,” one of the investigators told The Intercept.\r\nBy bringing in Cisco employees to do the investigation, “you can’t perform an independent inspection,” said the\r\nsource, who spoke on condition of anonymity because he was not authorized to speak to the media.\r\nA spokesman for Cisco declined to comment on the Belgacom investigation, citing company policy. “Cisco does\r\nnot comment publicly on customer relationships or specific customer incidents,” the spokesman said.\r\nShortly after the malware was found on the routers, Fox-IT was told by Belgacom to stop its investigation.\r\nResearchers from the Dutch security company were asked to write up a report about their findings as soon as\r\npossible. Under the conditions of a non-disclosure agreement, they could not speak about what they had found,\r\nnor could they publicly warn against the malware. 
Moreover, they were not allowed to remove the malware.\r\nBetween late August and mid-Sept. 2013, there was an intense period of activity surrounding Belgacom.\r\nOn August 30, some parts of the malware were remotely deleted from the company’s infected systems—\r\napparently after the British spies realized that it had been detected. But the malware was not completely removed,\r\naccording to sources familiar with the investigation.\r\nTwo weeks later, on Sept. 14, employees from Belgacom, investigators, police and military intelligence services\r\nbegan an intensive attempt to completely purge the spy bug from the systems.\r\nDuring this operation, journalists were tipped off for the first time about the malware investigation. The Intercept’s\r\nDutch and Belgian partners NRC Handelsblad and De Standaard reported the news, disclosing that sources\r\nfamiliar with the investigation suspected NSA or GCHQ may have been responsible for the attack.\r\nThe same day the story broke, on Sept. 16, Belgacom issued a press release. “At this stage there is no indication of\r\nany impact on the customers or their data,” it said. “At no point in time has the delivery of our telecommunication\r\nservices been compromised.”\r\nThen, on Sept. 20, German news magazine Der Spiegel published documents from Snowden revealing that British\r\nspies were behind the hack, providing the first confirmation of the attacker’s identity.\r\nSignificant resources\r\nIn the aftermath of the revelations, Belgacom refused to comment on GCHQ’s role as the architect of the\r\nintrusion. 
Top officials from the company were called to appear before a European Parliamentary committee\r\ninvestigating the extent of mass surveillance revealed by Snowden.\r\nThe Belgacom bosses told the committee that there were no problems with Belgacom’s systems after a\r\n“meticulous” clean-up operation, and again claimed that private communications were not compromised. They\r\ndismissed media reports about the attack, and declined to discuss anything about the perpetrator, saying only that\r\n“the hackers [responsible] have considerable resources behind them.”\r\nPeople with knowledge of the malware investigation watched Belgacom’s public statements with interest. And\r\nsome of them have questioned the company’s version of events.\r\n“There was only a partial clean-up,” said one source familiar with the malware investigation. “I believe it is still\r\nthere. It is very hard to remove and, from what I’ve seen, Belgacom never did a serious attempt to remove it.”\r\nBelgacom declined to comment for this story, citing the ongoing criminal investigation in Belgium.\r\nLast month, The Intercept confirmed Regin as the malware found on Belgacom’s systems during the clean-up\r\noperation.\r\nThe spy bug was described by security researchers as one of the most sophisticated pieces of malware ever\r\ndiscovered, and was found to have been targeting a host of telecommunications networks, governments, and\r\nresearch organizations, in countries such as Germany, Iran, Brazil, Russia, and Syria, as well as Belgium.\r\nGCHQ has refused to comment on Regin, as has the NSA, and Belgacom. 
But Snowden documents contain strong\r\nevidence, which has not been reported before, that directly links British spies to the malware.\r\nhttps://theintercept.com/2014/12/13/belgacom-hack-gchq-inside-story/\r\nPage 8 of 9\n\nAside from showing extensive details about how the British spies infiltrated the company and planted malware to\r\nsuccessfully steal data, GCHQ documents in the Snowden archive contain codenames that also appear in samples\r\nof the Regin malware found on Belgacom’s systems, such as “Legspin” and “Hopscotch.”\r\nOne GCHQ document about the use of hacking methods references the use of “Legspin” to exploit computers.\r\nAnother document describes “Hopscotch” as part of a system GCHQ uses to analyze data collected through\r\nsurveillance.\r\nRonald Prins, director of the computer security company Fox-IT, has studied the malware, and played a key role\r\nin the analysis of Belgacom’s infected networks.\r\n“Documents from Snowden and what I’ve seen from the malware can only lead to one conclusion,” Prins told The\r\nIntercept. “This was used by GCHQ.”\r\n———\r\nDocuments published with this article:\r\nAutomated NOC detection\r\nMobile Networks in My NOC World\r\nMaking network sense of the encryption problem\r\nStargate CNE requirements\r\nNAC review – October to December 2011\r\nGCHQ NAC review – January to March 2011\r\nGCHQ NAC review – April to June 2011\r\nGCHQ NAC review – July to September 2011\r\nGCHQ NAC review – January to March 2012\r\nGCHQ Hopscotch\r\nBelgacom connections\r\n———\r\nPhoto: Belgacom headquarters: Paul O’Driscoll/Getty; Map: Ingrid Burrington and Josh Begley; Belgacom\r\noperations center, Paul O’Driscoll/Bloomberg via Getty.\r\nSource: https://theintercept.com/2014/12/13/belgacom-hack-gchq-inside-story/\r\nhttps://theintercept.com/2014/12/13/belgacom-hack-gchq-inside-story/\r\nPage 9 of 9",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://theintercept.com/2014/12/13/belgacom-hack-gchq-inside-story/"
	],
	"report_names": [
		"belgacom-hack-gchq-inside-story"
	],
	"threat_actors": [
		{
			"id": "5d2bd376-fcdc-4c6a-bc2c-17ebbb5b81a4",
			"created_at": "2022-10-25T16:07:23.667223Z",
			"updated_at": "2026-04-10T02:00:04.705778Z",
			"deleted_at": null,
			"main_name": "GCHQ",
			"aliases": [
				"Government Communications Headquarters",
				"Operation Socialist"
			],
			"source_name": "ETDA:GCHQ",
			"tools": [
				"Prax",
				"Regin",
				"WarriorPride"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434134,
	"ts_updated_at": 1775826770,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4c850e1d6ceda58332e611813c7527b8bf2649b7.pdf",
		"text": "https://archive.orkl.eu/4c850e1d6ceda58332e611813c7527b8bf2649b7.txt",
		"img": "https://archive.orkl.eu/4c850e1d6ceda58332e611813c7527b8bf2649b7.jpg"
	}
}