British spy agency scanned for vulnerable systems in 32 countries, German paper reveals

Heise Online reveals top-secret details about the GCHQ's 'Hacienda' program

British intelligence agency GCHQ used port scanning as part of the "Hacienda" program to find vulnerable systems it and other agencies could compromise across at least 27 countries, German news site Heise Online has revealed.

Port scanning has long been a trusty tool for hackers looking for systems they can potentially access. In top-secret documents published by Heise on Friday, it is revealed that in 2009, GCHQ started using the technique against entire nations.

One of the documents states that full scans of network ports of 27 countries and partial scans of another five countries had been carried out. Targets included ports for protocols such as SSH (Secure Shell) and SNMP (Simple Network Management Protocol), which are used for remote access and network administration.
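The defender's side of the scanning described above is spotting it in your own logs. The following is an added example, not code from the article or from Heise: it runs over constructed firewall log lines in a hypothetical "timestamp src dst dport action" format and flags two patterns, a horizontal sweep (one source hitting the same port, such as 22 or 161, on many hosts, which is what a country-wide scan of SSH or SNMP looks like from the receiving end) and a vertical probe (one source walking many ports on one host). The log format, addresses and thresholds are all assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

EPOCH = datetime(1970, 1, 1)


def _constructed_log():
    """Build constructed firewall log lines (not real data).

    Hypothetical format: ISO-timestamp src dst dport action
    """
    lines = []
    base = datetime(2014, 8, 15, 10, 0, 0)
    # Horizontal sweep: one source, ports 22 and 161, twelve hosts
    for i in range(12):
        ts = (base + timedelta(seconds=i)).isoformat()
        lines.append(f"{ts} 198.51.100.7 192.0.2.{10 + i} 22 DROP")
        lines.append(f"{ts} 198.51.100.7 192.0.2.{10 + i} 161 DROP")
    # Vertical probe: one source, one host, twelve ports
    ports = [21, 22, 23, 25, 53, 80, 110, 143, 161, 443, 993, 3389]
    for i, port in enumerate(ports):
        ts = (base + timedelta(seconds=30 + i)).isoformat()
        lines.append(f"{ts} 198.51.100.9 192.0.2.50 {port} DROP")
    # Benign: an admin host reaching two servers over SSH
    lines.append(f"{(base + timedelta(seconds=40)).isoformat()} 203.0.113.5 192.0.2.10 22 ACCEPT")
    lines.append(f"{(base + timedelta(seconds=45)).isoformat()} 203.0.113.5 192.0.2.11 22 ACCEPT")
    return lines


SAMPLE_LOG = _constructed_log()


def parse_line(line):
    """Split one log line into (timestamp, src, dst, dport, action)."""
    ts, src, dst, dport, action = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport), action


def detect_scanners(lines, window=timedelta(minutes=5),
                    host_threshold=10, port_threshold=10):
    """Return {src: {"horizontal", "vertical", ...}} for sources whose
    activity inside one fixed time window crosses a threshold.

    horizontal: >= host_threshold distinct hosts on a single port
    vertical:   >= port_threshold distinct ports on a single host
    """
    hosts_per_port = defaultdict(set)   # (bucket, src, dport) -> {dst}
    ports_per_host = defaultdict(set)   # (bucket, src, dst) -> {dport}
    for line in lines:
        ts, src, dst, dport, _ = parse_line(line)
        bucket = (ts - EPOCH) // window   # integer window index
        hosts_per_port[(bucket, src, dport)].add(dst)
        ports_per_host[(bucket, src, dst)].add(dport)

    alerts = defaultdict(set)
    for (_, src, _), hosts in hosts_per_port.items():
        if len(hosts) >= host_threshold:
            alerts[src].add("horizontal")
    for (_, src, _), dports in ports_per_host.items():
        if len(dports) >= port_threshold:
            alerts[src].add("vertical")
    return dict(alerts)


if __name__ == "__main__":
    for src, kinds in detect_scanners(SAMPLE_LOG).items():
        print(src, sorted(kinds))
```

Both patterns are counted per source inside fixed windows so that a slow scan spread over hours is not flagged; lowering the thresholds or lengthening the window trades false positives for sensitivity, and a real deployment would also whitelist known vulnerability scanners and monitoring hosts.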

The results were then shared with other spy agencies in the U.S., Canada, the U.K., Australia and New Zealand. "Mailorder" is described in the documents as a secure way for them to exchange collected data.

Gathering the information is only the first step, according to Heise Online.

The documents also reveal "Landmark," a program started by the Canadian spy agency CSEC to find what it calls ORBs (Operational Relay Boxes), which are used to hide the location of the attacker when it launches exploits against targets or steals data, Heise said. For example, during an exercise in February 2010, eight groups of three "network exploitation analysts" were able to find 3,000 potential ORBs, which could then potentially be used by CSEC.

"It isn't surprising [the intelligence organizations] were technically able to do this ... That they attack people they have no reason to attack and then install malware on their systems to attack even more systems is really shocking and sickening to see. On that I think we can all agree," said Christian Grothoff, one of the co-authors of the Heise article, in an interview with IDG News Service.

At the Technische Universität München, he has led the development of TCP Stealth, which can help prevent Hacienda and similar tools from identifying systems. The development of TCP Stealth was started during a course on peer-to-peer systems and security that Grothoff taught last year.

TCP Stealth works by configuring a shared passphrase on the user's device and on the system that needs to be protected.

"For example, if you have remote administration of routers or servers you don't want that access to be public. You typically have a small group of administrators that are authorized, so between them you share a passphrase and also add it where they want to connect," Grothoff said.

If the passphrase is incorrect when the connection is started, the system simply doesn't answer, and the service appears to be dead.
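To make the fail-closed behaviour described above concrete, here is an added simulation that is not code from the TCP Stealth project or the IETF draft. It models the idea only: the client derives a 32-bit token from the shared passphrase, the connection tuple and a coarse time slot and carries it in the initial sequence number of its SYN; the server recomputes the token and either answers with a SYN-ACK or stays silent, so a scanner without the passphrase sees no reply. The HMAC-SHA256 derivation, the 30-second time slot and the one-slot skew tolerance are assumptions for illustration, not the draft's actual construction.

```python
import hmac
import hashlib
import struct
from dataclasses import dataclass


@dataclass(frozen=True)
class Syn:
    """The parts of a TCP SYN the simulation cares about."""
    src_ip: str
    dst_ip: str
    dst_port: int
    isn: int            # 32-bit initial sequence number carrying the token


def derive_token(secret, src_ip, dst_ip, dst_port, time_slot):
    """Assumed construction: HMAC-SHA256 over the connection tuple and a
    coarse time slot, truncated to 32 bits so it fits the ISN field."""
    msg = f"{src_ip}|{dst_ip}|{dst_port}|{time_slot}".encode()
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    return struct.unpack(">I", digest[:4])[0]


def build_syn(secret, src_ip, dst_ip, dst_port, now, slot_seconds=30):
    """Client side: a SYN whose ISN proves knowledge of the passphrase."""
    token = derive_token(secret, src_ip, dst_ip, dst_port, now // slot_seconds)
    return Syn(src_ip, dst_ip, dst_port, token)


def server_handle_syn(secret, syn, now, slot_seconds=30):
    """Server side: 'SYN-ACK' for a valid token, None for silence.

    The current and the previous slot are accepted to tolerate a clock
    straddling a slot boundary; anything older is treated as a replay.
    """
    slot = now // slot_seconds
    for candidate in (slot, slot - 1):
        expected = derive_token(secret, syn.src_ip, syn.dst_ip, syn.dst_port, candidate)
        if hmac.compare_digest(expected.to_bytes(4, "big"), syn.isn.to_bytes(4, "big")):
            return "SYN-ACK"
    return None        # no answer at all: the service appears dead


if __name__ == "__main__":
    secret = b"constructed-shared-passphrase"     # constructed sample value
    now = 1_408_096_800                           # constructed Unix time
    admin = build_syn(secret, "203.0.113.5", "192.0.2.10", 22, now)
    scanner = Syn("198.51.100.7", "192.0.2.10", 22, isn=0x12345678)
    print("admin  :", server_handle_syn(secret, admin, now))
    print("scanner:", server_handle_syn(secret, scanner, now))
    print("replay :", server_handle_syn(secret, admin, now + 120))
```

Binding the token to the time slot and the destination is what keeps a captured SYN from being replayed later or against another server; constant-time comparison avoids leaking, through response timing, how close a guess came, which matters precisely because a wrong guess gets no response at all.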

For this to work, operating systems and applications have to be upgraded to support TCP Stealth. Linux has already been upgraded, and there is a library that application developers can use to add TCP Stealth to their software without having to recompile it. TCP Stealth has not yet been ported to Windows, Chrome OS or Mac OS.

The hope is now that the technology will be standardized by the IETF (Internet Engineering Task Force). A first draft has already been filed with the organization. It was co-authored by Jacob Appelbaum of the Tor project and edited by Holger Kenn from Microsoft in Germany.

"I think there is a chance we can convince people this is necessary," Grothoff said.


Stories by Mikael Ricknäs
