HACIENDA, GCHQ Port Scanning Program on a wide-scale

New revelation on British GCHQ confirms the existence of the HACIENDA Port Scanning Program which is targeting systems in 27 countries.

In the last years the British GCHQ has conducted numerous hacking operation against systems in 27 countries, through a massive port scanning the intelligence agency was searching for vulnerability to exploit in cyber attacks.

The Intelligence agency targeted different type of services including ubiquitous public services such as HTTP and FTP, as well as common administrative protocols such as SSH (Secure SHell protocol – used for remote access to systems) and SNMP (Simple Network Management Protocol – used for network administration).

That bombshell comes amid fresh leaks detailing the dragnet surveillance programs operated by the Five Eyes nations: America, UK, Canada, Australia and New Zealand.

German publisher Heise revealed the existence of the HACIENDA program that scans open ports on all servers connected to the Internet searching for vulnerabilities to exploit.

The system is used for reconnaissance activity on a large scale, the Heise report is co-written by Jacob Appelbaum and Laura Poitras.

“The process of scanning entire countries and looking for vulnerable network infrastructure to exploit is consistent with the meta-goal of ‘Mastering the Internet‘, which is also the name of a GCHQ cable-tapping program: these spy agencies try to attack every possible system they can, presumably as it might provide access to further systems. Systems may be attacked simply because they might eventually create a path towards a valuable espionage target, even without actionable information indicating this will ever be the case.

Using this logic, every device is a target for colonisation, as each successfully exploited target is theoretically useful as a means to infiltrating another possible target.” – states the report on the HACIENDA program.

As explained by the experts the data collected by the HACIENDA is shared by the GCHQ with other Intelligence agencies of the Five Eyes.

The article states that scanning activities of HACIENDA program are conducted with popular software like nmap and Zmap, the most common scan mode used by hackers of the GCHQ is the TCP Stealth.

“in 2013, a port scanner called Zmap was implemented that can scan the entire IPv4 address space in less than one hour using a single PC. [3] The massive use of this technology can thus make any server anywhere, large or small, a target for criminal state computer saboteurs.” States the report on HACIENDA program.

The news is not surprising, Intelligence agencies fuel their database with any kind of data related to systems exposed on the Internet.

“Five Eyes have their own non-public Shodan and they are using it,” said the security expert the Grugq.

It is obvious that state-sponsored hackers adopt tools considered fundamental in the hacking community, it is important to highlight the wide-scale of program like HACIENDA.

Pierluigi Paganini

(Security Affairs – HACIENDA, Intelligence)