Gemalto, the world's biggest SIM card manufacturer has confirmed UK and US spies breached its systems but the cyberattack didn't result in the theft of SIM card encryption keys as had been claimed following the leak of NSA documents by Edward Snowden.
The Dutch company issued a detailed statement on Wednesday morning, 25 February, ahead of holding a press conference in Paris to address the controversy. The company said:
"The investigation into the intrusion methods described in the document and the sophisticated attacks that Gemalto detected in 2010 and 2011 give us reasonable grounds to believe that an operation by NSA and GCHQ probably happened. The attacks against Gemalto only breached its office networks and could not have resulted in a massive theft of SIM encryption keys."
The conclusion is based on an internal investigation begun in the wake of the publication on 19 February of a report on The Intercept which was based on documents leaked to it by Edward Snowden.
"None of our other products were impacted by this attack"
The report claimed that a joint operation between the two agencies beginning in 2010 resulted in encryption keys being compromised potentially allowing access to voice and data communication of hundreds of millions of mobile phone users around the globe.
Based on an investigation of the leaked documents and its own internal monitoring tools, Gemalto says: "None of our other products were impacted by this attack."
However, Gemalto claims the NSA/GCHQ operation aimed to intercept the encryption keys as they were exchanged between mobile operators and their suppliers globally, but by 2010 (when the operation is said to have begun), Gemalto says it had already "widely deployed a secure transfer system with its customers and only rare exceptions to this scheme could have led to theft".
3G/4G not vulnerable
The company added that in the eventuality that encryption keys were stolen, it would only allow for surveillance on the older 2G networks as 3G or 4G are "not vulnerable to this type of attack".
The company said: "If the 2G SIM card encryption keys were to be intercepted by the intelligence services, it would be technically possible for them to spy on communications when the SIM card was in use in a mobile phone."
The company says that while it is constantly dealing with cyber-attacks of greater or lesser sophistication, it has pinpointed two in particular from 2010 and 2011 which it says were "particularly sophisticated intrusions which could be related to the [NSA/GCHQ] operation".
In June 2010 the company spotted a breach of its internal communications systems on one of its French websites, but immediately took action to counteract the intrusion. Later in 2010, several customers of Gemalto received spear-phishing emails which spoofed real Gemalto email addresses and contained malware.
Office networks breached
It also spotted attempts to compromise Gemalto employees who were dealing directly with customers.
"These intrusions only affected the outer parts of our networks - our office networks - which are in contact with the outside world. The SIM encryption keys and other customer data in general, are not stored on these networks," the company said.
Gemalto is the world's largest SIM card manufacturer and supplies 450 networks and operators in over 85 countries around the world with some two billion SIM cards every year from its network of 28 manufacturing plants.
The company points out that as the largest SIM card manufacturer in the world it "may have been the target of choice for the intelligence services" but the leaked documents mention elements which don't relate to the company.
"Gemalto has never sold SIM cards to four of the twelve operators listed in the documents, in particular to the Somali carrier where a reported 300,000 keys were stolen."