Dutch chipmaker Gemalto reckons US and UK intelligence agencies may have hacked into its network but denies they were able to steal encryption keys allowing them to eavesdrop on phone and Internet communications globally.
The denial comes after The Intercept last week reported that spies at the US National Security Agency (NSA) and the UK's Government Communications Headquarters (GCHQ) had been able to breach Gemalto 's systems and steal encryption keys used to protect communications on billions of mobile phones. (See Eurobites: Telekom Austria Tests Virtual CPE.)
The original source of that report is US whistleblower and fugitive Edward Snowden, a former contractor with the NSA who previously revealed evidence of similar subterfuge by the NSA and GCHQ.
Gemalto admits that it was probably the target of cyberattacks carried out by the two agencies in 2010 and 2011 but insists these attacks did not breach the systems used to protect its encryption keys.
In June 2010 the company says it took action after detecting that a third party was trying to spy on the office network at one of its French sites. A month later, it noticed that fake emails "spoofing" legitimate Gemalto email addresses were being sent to one of its mobile operator customers. Those fake emails included an attachment containing malicious code.
At the time, Gemalto was unable to identify the source of the attacks, but it now believes the NSA and GCHQ could have been responsible, describing the intrusions as "particularly sophisticated" in their nature.
However, Gemalto was at pains to emphasize that encryption keys are not stored on office networks and remained secure throughout this period.
Gemalto reckons intelligence agencies targeted its office and external communications because their plan was to intercept encryption keys while they were being sent between mobile operators and their suppliers globally.
As the company notes, this means the NSA and GCHQ were targeting numerous other players.
Since 2010 Gemalto claims to have been using a secure transfer system when communicating with third parties -- to reduce the risk of data being intercepted -- but it says that "certain operators and suppliers had opted not to use" these data transmission methods at the time of the cyberattacks.
According to Gemalto, even if hackers had been able to obtain the encryption keys, they would not have been able to spy on 3G and 4G communications because of additional security measures used to protect those technologies, leaving only 2G communications vulnerable to surveillance.
The Dutch company also takes issue with some of the details in The Intercept report, noting that it has never sold SIM cards to four of the 12 operators listed in accompanying documents. A list published by The Intercept purports to show the locations of Gemalto's personalization centers, but Gemalto insists that it did not operate centers in Japan, Colombia and Italy -- all of which appear on that list -- when the attacks were carried out.
Gemalto ships about 2 billion SIM cards every year and reported revenues of approximately €2.4 billion ($2.7 billion) in 2013. Its share price took a beating last week after publication of The Intercept's report but has subsequently recovered and had risen by more than 2.5% in Amsterdam today.
— Iain Morris, , News Editor, Light Reading