Der Spiegel has revealed new information on yet another attack on German networks.
The magazine reported last year on the infiltration of Cetel, Stellar and IABG, three German satellite telecoms that were attacked and successfully placed under surveillance.
The new revelation comes from documentation on "Treasure Map", an NSA program in which GCHQ also takes part, whose goal is to map and monitor the networks of the entire internet in "near real time". Some targets in the documents are marked as already under surveillance, indicating that the NSA has already attacked and compromised those networks. The two newly named companies are Deutsche Telekom and Netcologne. Netcologne is a small regional ISP and transit network provider. Deutsche Telekom is a large worldwide data services provider, partially (~30%) owned by the German government.
The penetration of Deutsche Telekom is significant because it is a Tier-1 network provider that controls thousands of routers along the backbone of the internet.
Der Spiegel approached both providers. Both say they have carried out large-scale internal audits of their networks, looking for suspicious outbound traffic, and neither found any evidence of an intrusion.
However, documents published from the Snowden archive describe NSA firmware implants for Cisco and Juniper equipment, and firmware-level malware is extremely hard to detect from the device itself. A well-written implant would exfiltrate data to its operator while omitting that traffic from the router's own counters, flow exports and logs, so that the device's self-reports show nothing unusual. It can also be hardened against attempts to flash the router "back to normal": if the update routine inside the firmware is itself compromised, a full reflash or a vendor update appears to succeed while the implant survives it or reinstalls itself.
Such an implant is therefore very hard to detect (the firmware's own reports are false) and very hard to eradicate (it persists across updates and reflashes). The practical consequence for an audit like the ones the two providers describe is that nothing the router says about itself counts as evidence of its integrity: traffic has to be measured off the box, on a tap or at the peer, and firmware images have to be hashed from a copy pulled out of band rather than checked with the device's own verification commands.
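As an added illustration (not from the Spiegel report or the original post), here is one cross-check an auditor can run that does not depend on the router's honesty: compare the byte count the device claims to have sent on each interface with what an independent tap, or the peer's ingress counter, saw on the same link in the same window. The interface names, counter values and tolerance are constructed for the example; the only real-world detail relied on is that the SNMP ifOutOctets counter is 32 bits wide and wraps.

```python
"""Cross-check a router's self-reported interface counters against an
independent measurement taken off the box (optical tap, or the peer's
ingress counters). A firmware implant can falsify what the device itself
reports, but not what the other end of the fibre saw. All interface names,
counter values and tolerances below are constructed for this example."""

from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple

# SNMP ifOutOctets (RFC 2863) is a 32-bit counter that wraps; on a busy
# 10G link that happens within seconds, so a naive t1 - t0 goes negative.
COUNTER_MAX_32 = 2 ** 32


@dataclass(frozen=True)
class Sample:
    """Two readings of one interface's outbound octet counter, as reported
    by the device itself at the start (t0) and end (t1) of the audit window."""
    interface: str
    t0_octets: int
    t1_octets: int


def delta(sample: Sample, counter_max: int = COUNTER_MAX_32) -> int:
    """Bytes the device claims to have sent in the window, tolerating one
    counter wrap. (Two wraps inside one window cannot be detected from the
    counter alone; poll more often or use the 64-bit ifHCOutOctets.)"""
    if sample.t1_octets >= sample.t0_octets:
        return sample.t1_octets - sample.t0_octets
    return counter_max - sample.t0_octets + sample.t1_octets


Finding = Tuple[str, int, Optional[int]]  # (reason, device_bytes, tap_bytes)


def counter_discrepancies(
    device_samples: Iterable[Sample],
    tap_octets: Dict[str, int],
    tolerance: float = 0.01,
) -> Dict[str, Finding]:
    """Flag interfaces where the off-box measurement saw more bytes than the
    device admits to, beyond `tolerance` (a fraction of the reported value,
    absorbing framing overhead and non-simultaneous sampling), and interfaces
    with no off-box measurement at all, since those cannot be cleared."""
    findings: Dict[str, Finding] = {}
    for s in device_samples:
        reported = delta(s)
        observed = tap_octets.get(s.interface)
        if observed is None:
            findings[s.interface] = ("no independent measurement", reported, None)
        elif observed > reported * (1 + tolerance):
            findings[s.interface] = ("device under-reports", reported, observed)
    return findings


# Constructed audit data: what the router reported over one window ...
DEVICE_SAMPLES = [
    Sample("ge-0/0/0", 1_000_000, 1_500_000),       # clean link
    Sample("ge-0/0/1", 4_294_900_000, 100_000),     # clean, counter wrapped
    Sample("ge-0/0/2", 0, 10_000_000),              # 1.2 MB the device never counted
    Sample("ge-0/0/3", 5_000, 6_000),               # no tap on this link
]
# ... and what the taps on the same links counted in the same window.
TAP_OCTETS = {"ge-0/0/0": 502_000, "ge-0/0/1": 167_500, "ge-0/0/2": 11_200_000}


if __name__ == "__main__":
    for iface, (reason, dev, tap) in counter_discrepancies(DEVICE_SAMPLES, TAP_OCTETS).items():
        print(f"{iface}: {reason} (device={dev}, tap={tap})")
```

Two caveats on using this in practice. The tap only sees what leaves that particular link, so an implant that exfiltrates over a different path (or inside a tunnel toward a peer that is itself compromised) needs every external link covered before a negative result means anything. And an implant that leaves the byte counters truthful but drops its own flows from NetFlow/IPFIX export would pass this check; the same comparison should be run between the device's exported flow records and flows reconstructed from the tap.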
Also of note: Germany's intelligence services are among the partners with access to XKeyscore, the NSA's system for searching and analysing its worldwide collection. It is possible that the companies and the government are complicit in the surveillance of the German public, in which case an audit would find no "unauthorized access" because the network is "working as intended."
It will be interesting to see the fallout, because this suggests either that attacks on close American allies are more widespread than previously believed, or that those allies are more deeply in bed with the surveillance state than previously believed.
Here is a video of Der Spiegel revealing to Stellar's lead admins that they have been specifically targeted and hacked. The look on their faces says it all: http://www.spiegel.de/video/chokepoint-the-moment-stellar-learns-it-has-been-hacked-video-1521333.html