Snowden leaks: UK intelligence collected data on S. Korean companies

Posted on : 2015-11-09 18:15 KST Modified on : 2015-11-09 18:15 KST
First such evidence shows UK intelligence agency gathering info on companies that provide corporate email services
An image from the UK's GCHQ with analysis of South Korean companies

Evidence that Government Communications Headquarters (GCHQ), a UK intelligence agency, collected and analyzed data from the servers of South Korean corporations using a program that it developed has been found in the documents leaked by Edward Snowden, a former contractor for the US National Security Agency (NSA). The corporations in question were IT companies that provided corporate e-mail services to organizations such as the Korea Chamber of Commerce and Industry (KCCI) and NICE Credit Information Service.

This is the first time that documentary evidence has shown that foreign intelligence agencies have collected and analyzed online data about South Korean companies. While it is unclear whether actual hacking took place, the mere fact that these companies were regarded as the subjects of periodic surveillance is shocking.

After reviewing around 40 documents leaked by Snowden and published at the end of last year by the German media, the Hankyoreh concluded that GCHQ used an internet snooping program of its own creation called Flying Pig to collect and analyze online communication data on Mailplug, a South Korean company, around 2011.

Flying Pig is a program that collects and analyzes online information, and in particular information that has been encrypted by the SSL and TLS protocols, which were designed to tighten up internet security.

The standard internet communications protocol, known as HTTP, has been criticized for its security loopholes. This led to the development of the SSL and TLS protocols, which are currently used largely in e-commerce and e-mail.

One thing that has been attracting attention is the fact that even encrypted communication, which has been regarded as relatively secure, is being subjected to surveillance and analysis by intelligence agencies.

The document, titled “Profiling ssl and attributing private networks,” begins by explaining that the two programs, Flying Pig and Hush Puppy, are designed for indiscriminate analysis of large amounts of encrypted data.

While the document does not state when it was composed, it contains information from as late as Nov. 2012, suggesting that it was composed sometime after the end of 2012.

The 19-page presentation file includes a screen capture containing IP addresses with the first half redacted, the names and geographical locations of internet users (that is, clients), the domain names, the client IPs, and the server IPs.

For the locations, “KR” (for Korea) and “SEOUL” are written in bold, while the IP address with the name “Korea Telecom: mailplug.co.kr” appears 20 times among information about dozens of internet user companies (client companies).

Between Oct. and Nov. 2011, Flying Pig checked these IP addresses 100 times altogether. Other companies and organizations connected with Korea that appear in addition to Mailplug are the Korea Teachers' Credit Union (ktcu.or.kr); Postman (postman.co.kr), an online marketing company; and Kornet (kornet.net), a company that provides a data circuit service.

Multiple internet security experts that the Hankyoreh contacted drew attention to the fact that intelligence agencies are snooping on companies that provide encrypted email relying on the SSL and TLS protocols.

The development of encryption technology has made it harder for intelligence agencies to conduct surveillance. One of the documents expresses concern that GCHQ's targets are gradually moving toward SSL/TLS services in order to protect their private information.

Mailplug provides its secure email service to around 300 companies, including the Korean Chamber of Commerce, Korea Expressway Corporation, Vilac, and Lock & Lock. Perhaps most significantly, it provides the same service to NICE Credit Information Service, which stores and manages a vast array of corporate and personal information.

“SSL is the encryption protocol that is currently being used by banks, Naver, and Gmail. It’s scary to think that intelligence agencies in other countries are talking about a powerful tool they’ve created to collect encrypted data,” said a professor of computer security who had read the documents. The professor spoke on condition of anonymity.

“I had assumed that it would be safe to communicate with SSL, but the tool the UK has developed is a powerful one. As far as I know, technology this sophisticated doesn’t currently exist in the private sector, and no attack tools have been designed.”

This is the first evidence that has been found of foreign intelligence agencies regularly collecting and analyzing data from the servers of South Korean private corporations.

In the document, GCHQ states that the objective of this surveillance is to acquire information about the information networks of foreign governments as well as the aviation, energy, and finance sectors. GCHQ shares its intelligence with the US's NSA.

But the document does not state whether GCHQ actually succeeded at hacking these companies’ servers or whether it only composed a list of companies to monitor.

“This appears to be a technique for creating a router to monitor the internet rather than a tool for hacking specific servers. Hacking wouldn’t have been necessary to obtain the information that appears in the document,” a source at Mailplug told the Hankyoreh.

The Hankyoreh contacted the British government via the British Embassy in Seoul to request confirmation of this information, but the British government declined to respond.

Since Snowden made his revelations in 2013, GCHQ has refused to either confirm or deny the claims made about it.

By Choi Hyun-june, staff reporter

Please direct questions or comments to [english@hani.co.kr]
