Spies at Britain's GCHQ surveillance and listening post conned IT staff at European telecommunications companies into visiting fake websites posing as LinkedIn and Slashdot, before injecting their computers with malware to monitor their online activity.


GCHQ agents would first identify employees of interest at the companies, such as Belgium's Belgacom, through public directories like LinkedIn, before gathering more information - such as IP addresses used to access the web at work and home, social network usernames and their web browser's cookies - and then directing them to the bogus websites.

Appearing identical to the real LinkedIn and technology news site Slashdot, the pages functioned in the usual way, but would install malicious software on the target's computer, capable of monitoring everything they did online.

Cited by German magazine Der Spiegel, top secret documents detailing the techniques used by GCHQ were given to journalist Laura Poitras by former NSA contractor and whistleblower Edward Snowden.

On its international website, Der Spiegel reports how the documents leaked by Snowden show how an employee of Mach, a mobile telecommunications company, was targeted by the Cheltenham-based surveillance centre.

"A complex graph of [the employee's] digital life depicts the man's name in red crosshairs and lists his work computers and those he uses privately ('suspected tablet PC'). His Skype username is listed, as are his Gmail account and his profile on a social networking site," the magazine says.

The report claims British government agents "even gained access to the cookies on the unsuspecting victim's computers, as well as identifying the IP addresses he uses to surf the web for work and personal use. In short, GCHQ knew everything about the man's digital life, making him an open book for its spies."

Preparatory stage

But this was only the "preparatory stage," the publication claims. Once the man's personal data had been mapped, it was time for the "attack department" to take over. GCHQ created a set of what Der Spiegel calls "digital attack weapons" to be deployed against six Mach employees.

The Quantum Insert method used by GCHQ was previously documented by Snowden's leaks, and involves the use of high-speed servers to reroute a target's internet connection without them noticing. If they ask for LinkedIn, for example, the server can hijack this request and return GCHQ's bogus website to the target before the real LinkedIn server has responded.

These fake websites appear identical to the original, but can be used to smuggle malware over to the target's computer.

In a statement sent to IBTimes UK, LinkedIn said: "We want to clarify that we have never cooperated with any government agency, nor do we have any knowledge, with regard to these actions, and to date, we have not detected any of the spoofing activity that is being reported. LinkedIn takes the privacy and security of our members very seriously, and when we're made aware of any activity that may be considered problematic, we work to quickly respond."

A statement to IBTimes UK from Slashdot's parent company, Dice Holdings, reads: "To be clear, we have not been asked to cooperate with any government agency related to this matter and have not provided access to Slashdot systems or user information. We know of no unauthorized Slashdot code manipulation, or attempts to effect any. We do not approve of this reported activity and if true, it's unfortunate that we are yet another in a long line of internet businesses to suffer this type of intrusion."


A leaked document from 2012 claims Quantum Insert is relatively successful, stating: "For LinkedIn the success rate [of rerouting a target to a malicious website] is looking to be greater than 50%."

Once GCHQ has installed the malware, it can monitor the actions of telecommunications companies such as Mach and Belgacom, and work to gain information on their customers. The documents claim the hack provided "knowledge of and access to encrypted links between the clearinghouses and various mobile network operators." From here, GCHQ claimed it was "deep into the [Belgacom] network."

GCHQ's next steps are not yet known, but a document from 2011 describes the agency's "vision" for the future as: "Any mobile device, anywhere, anytime".