NSA/GCHQ Accused of Hacking Belgian Cryptographer

There has been a lot of news about Belgian cryptographer Jean-Jacques Quisquater having his computer hacked, and whether the NSA or GCHQ is to blame. There have been a lot of assumptions and hyperbole, mostly related to the GCHQ attack against the Belgian telecom operator Belgacom.

I'm skeptical. Not about the attack, but about the NSA's or GCHQ's involvement. I don't think there's a lot of operational value in most academic cryptographic research, and Quisquater wasn't involved in practical cryptanalysis of operational ciphers. I wouldn't put it past a less-clued nation-state to spy on academic cryptographers, but it's likelier this is a more conventional criminal attack. But who knows? Weirder things have happened.

Posted on February 10, 2014 at 6:57 AM • 26 Comments

Comments

Nicholas WeaverFebruary 10, 2014 7:25 AM

Probably the best report is here:
http://www.techweekeurope.co.uk/news/quisquater-nsa-gchq-malware-attacks-137990

Two reasons why its probably NOT NSA/GCHQ:

a) It was targeted with a well constructed "phish to get user to click link to exploitative site" attack.

b) It appears to be a MiniDuke variant.

The first is suggestive because the NSA/GCHQ doesn't bother with phishing anymore, especially someone like Quisquater who uses LinkedIn is very easy to target with QUANTUM (and target at home where you guarantee no IDS log).

The second is also suggestive because although MiniDuke is very well engineered, its mostly targeted European and US interests.

Thus the general conclusion for me is "Nation state but NOT the NSA/GCHQ".

Finally, there is the interesting feature that the malcode appears to be inactive when at home. Since Quisquater is known to consult, I'd personally suspect the target was not Quisquater, but rather some company where the attacker knows his laptop will visit.

AspieFebruary 10, 2014 7:35 AM

It's not clear where he was attacked; at home, on the train to somewhere, whilst at work ... etc. That might be useful data.

And opportunistic attacking is likely to increase now the techniques are more widely available. So presumably that means statistically some people involved with or on the periphery of security work will inevitably fall into the ring.

BenniFebruary 10, 2014 7:55 AM

The fact that Miniduke does not attack asian countries is perhaps just because the software, with commanding servers in europe and its commanding twitter accounts in english language, was never ment to attack chinese computers but european ones.


I would argue that for an attack on asian computers, any agency would deploy command servers in asia and twitter accounts in asian language. Then it may generate less sucpicion when the malware contacts these asian servers.
From the fact that miniduke is not directed against china, one can therefore not conclude that the atteckers are from an asian country.

However, miniduke targets "healthcare providers". And the NSA is known to spy on medecins du monde and other international health care organizations.

Furthermore, Quisquater told the news that there also was an attack with a faked linked-in page. But Quisquater noticed that, immediately turned his computer off, and ran antivirus software on his pc.

Now a math professor is that kind of species of man, who are perhaps the most likely persons to click on a pdf file with technical details. This is the way miniduke is usually deployed. It maybe quantum insert simply failed on him, and they had to use another way.


p4bl0February 10, 2014 8:01 AM

> Quisquater wasn't involved in practical cryptanalysis of operational ciphers.

Actually he works among other things on side-channel attacks, which may not be cryptanalysis but are clearly practical ways to break operational cryptosystems.

BenniFebruary 10, 2014 8:14 AM

I think this here shows most details:
http://www.pcworld.com/article/2093700/prominent-cryptographer-victim-of-malware-attack-related-to-belgacom-breach.html

for example:

Quisquater remembers having received a spoofed LinkedIn email on Sept. 16, the same day the Belgacom security breach was made public. The email was very well crafted and contained a link to the LinkedIn profile of a person he knew.

Quisquater said he clicked on the link, but quickly realized it was a spoof and shut down his computer. He claims he later ran scans with several anti-malware products, but they didn’t find anything.

It’s not clear if the LinkedIn attack was successful and installed the malware later found on the laptop or if some other attack vector was used, Quisquater said Monday via email.


and this here:
According to Quisquater, his laptop was infected with a malware program that was different than the one used in the Belgacom attack. However, the malware on his PC communicated over an encrypted link with malware on Belgacom’s servers, he said Monday via email.


So the attacker of quisquater, if they were not from nsa, would actually have had to hack belgacom too...

Given that quisquater also got a faked linkedin page, recognized this, and put his computer off, which could perhaps made the installation of a different malware necessary, I think it one should believe the police.

Quisquater says: “Federal police were very careful and was ‘thinking’ it was coming from NSA". Well, why not believe the police? Not to believe police investigators would, at least for me, require more detailed information, which is not given in these articles.

65535February 10, 2014 8:15 AM

@ Nicholas W.

You maybe right or maybe wrong. Why not use a MiniDuke variant? Why not turn it off when he is at home? The EU has strict privacy laws and if it leads back to the GCHQ - there will be trouble. Also, I don't know if this is a trustworthy publication.

I did a whois look up on techweekeurope(dot)co(dot)uk and got a sketchy lookup (from France to Denmark back to the UK, 241 Borough High Street, London).

Snarki, child of LokiFebruary 10, 2014 8:18 AM

Who would hack a Belgian cryptographer? Why exactly would the US/UK bother?

I think you have to cast a suspicious look at those Luxembourgers next door, hatching their nefarious schemes for world domination.

wumpusFebruary 10, 2014 8:23 AM

@"I wouldn't put it past a less-clued nation-state"

To me, the biggest revelation of the Snowden documents was that the NSA was simply handing all its eggs to anybody with a clearance. It showed that the NSA's supposed hypercompetance was all a myth and that whatever clueful parts they may have weren't running the show.

So the usual suspects should be:
"less-clued nation-states"
"criminal gangs of sufficient size"
"less-clued sections of the NSA/GCHQ/other intelligence agencies"

The USA spends a ton on defense/espionage/dick waving, and does almost all of it with minimal (if that) oversight. I would claim that they are a likely suspect merely because there are so many spies, each having to find something to spy on. It might be a much more valuable target to the other suspects, but the USA can't be ruled out since they can attack so *many* targets.

I'd like to think that Americans (especially the ones that don't read this blog) would think long and hard about what it means to have agencies that can make so many attacks.

BenniFebruary 10, 2014 8:27 AM

By the way, the domains of miniduke listed here:

https://www.securelist.com/en/downloads/vlpdfs/themysteryofthepdf0-dayassemblermicrobackdoor.pdf

are partly still active

arabooks.ch
artas.org
tsoftonline.com
www.eamtm.com
news.grouptumbler.com

and one alerted my antivirus program.

The german site eamtm.com that deployed the miniduke malware currently shows a small company selling used machine parts. The site It lists a contact information: European Association of Machine Tool Merchants vzw Villalaan 83,
B-1190 Brussels, Belgium
the domain service whois lists eamtm.de as a domain of the following registranr: Hans-Juergen Geiger Maschinen & Apparate GmbH
Adresse: Hans-Juergen Geiger, Gutenbergstr. 31,
PLZ: 72555, Ort: Metzingen, Land: DE which is apparently the same company.

Perhaps this small company was hacked by the miniduke deployers? But they do not seem to have issued some statement on their site that they have cleaned their servers and now are bug-free-

Furthermore, if you attack engineers, then a malware that contacts an engineer company is perfectly the least suspicious way to do.

the other servers have the following whois entries listed below.

Has anyone tried to contact these sites? I mean they are listet as deployment domains of a top secret government malware. Why are these servers not shut down? Who runs them?

[Querying whois.nic.ch]
[whois.nic.ch]
whois: This information is subject to an Acceptable Use Policy.
See http://www.nic.ch/terms/aup.html
Domain name:
arabooks.ch
Holder of domain name:
Librairie Arabe l'Olivier
Bittar-Maurin Alain
rue de Fribourg 5
CH-1201 Gen?ve
Switzerland
Contractual Language: French
Technical contact:
VTX Services S.A.
COBBI Francis
avenue de Lavaux 101
CH-1009 Pully
Switzerland
DNSSEC:N
Name servers:
cardassian.deckpoint.ch [194.38.160.129]
narn.deckpoint.ch [194.38.160.133]
[Querying whois.verisign-grs.com]
[Redirected to whois.godaddy.com]
[Querying whois.godaddy.com]
[whois.godaddy.com]
Domain Name: TSOFTONLINE.COM
Registrar URL: http://www.godaddy.com
Registrant Name:
Registrant Organization:
Name Server: NS1.TANPIXEL.COM
Name Server: NS2.TANPIXEL.COM
DNSSEC: unsigned
Domain Name: EAMTM.COM
Registrar: ASCIO TECHNOLOGIES, INC.
Whois Server: whois.ascio.com
Referral URL: http://www.ascio.com
Name Server: NS1.SCARTECH.BE
Name Server: NS2.SCARTECH.BE
Name Server: NS3.SCARTECH.BE
Status: ok
Updated Date: 22-may-2013
Creation Date: 20-may-1997
Expiration Date: 21-may-2014
Domain Name: GROUPTUMBLER.COM
Registry Domain ID: 1637534467_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.register.com
Registrar URL: www.register.com
Creation Date: 2011-01-29 13:32:47Z
Registrar Registration Expiration Date: 2014-01-29 13:32:47Z
Registrar: REGISTER.COM, INC.
Registrar IANA ID: 9
Registrar Abuse Contact Email: abuse@web.com
Registrar Abuse Contact Phone: +1.4042602594
Domain Status: clientTransferProhibited
Registry Registrant ID:
Registrant Name: TIM K. LAPPIN
Registrant Organization: GROUPTUMBLER.COM
Registrant Street: 4573 FROE STREET
Registrant Street: BLUEFIELD, WV 24701
Registrant City: BLUEFIELD
Registrant State/Province: WV
Registrant Postal Code: 24701
Registrant Country: US
Registrant Phone: +1.3043241632
Registrant Phone Ext:
Registrant Fax: +1.3043241632
Registrant Fax Ext:
Registrant Email: ADMINISTRATOR@GROUPTUMBLER.COM
Registry Admin ID:
Admin Name: TIM K. LAPPIN
Admin Organization: GROUPTUMBLER.COM
Admin Street: 4573 FROE STREET
Admin Street: BLUEFIELD, WV 24701
Admin City: BLUEFIELD
Admin State/Province: WV
Admin Postal Code: 24701
Admin Country: US
Admin Phone: +1.3043241632
Admin Phone Ext:
Admin Fax: +1.3043241632
Admin Fax Ext:
Admin Email: ADMINISTRATOR@GROUPTUMBLER.COM
Registry Tech ID:
Tech Name: TIM K. LAPPIN
Tech Organization: GROUPTUMBLER.COM
Tech Street: 4573 FROE STREET
Tech Street: BLUEFIELD, WV 24701
Tech City: BLUEFIELD
Tech State/Province: WV
Tech Postal Code: 24701
Tech Country: US
Tech Phone: +1.3043241632
Tech Phone Ext:
Tech Fax: +1.3043241632
Tech Fax Ext:
Tech Email: ADMINISTRATOR@GROUPTUMBLER.COM
Name Server: DNS01.GPN.REGISTER.COM
Name Server: DNS02.GPN.REGISTER.COM
Name Server: DNS03.GPN.REGISTER.COM
Name Server: DNS04.GPN.REGISTER.COM
Name Server: DNS05.GPN.REGISTER.COM
DNSSEC: unSigned
URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/
Last update of WHOIS database: 2014-02-01 09:25:09Z
Domain ID: D39723668-LROR
Creation Date: 2000-11-03T11:36:57Z
Updated Date: 2013-09-24T16:55:39Z
Registry Expiry Date: 2014-11-03T11:36:57Z
Sponsoring Registrar:Gandi SAS (R42-LROR)
Sponsoring Registrar IANA ID: 81
WHOIS Server:
Referral URL:
Domain Status: clientTransferProhibited
Registrant ID:0-1344430-GANDI
Registrant Name:Association Artas
Registrant Organization:Association Artas
Registrant Street: Chateau de Touche Noire
Registrant City:GEHEE
Registrant State/Province:
Registrant Postal Code:36240
Registrant Country:FR
Registrant Phone:+33.254408048
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email:duret.anne@wanadoo.fr
Admin ID:BH1576-GANDI
Admin Name:Patrick Priem
Admin Organization:Art'As
Admin Street: 19 rue Victor Lefevre 1030 Bruxelles
Admin City:BRUXELLES
Admin State/Province:
Admin Postal Code:1030
Admin Country:BE
Admin Phone:+32.477262751
Admin Phone Ext:
Admin Fax:
Admin Fax Ext:
Admin
Email:9d0135a5660d7aeed4fb609991631227-1208301@contact.gandi.net
Tech ID:GV237-GANDI
Tech Name:Gilles Vincent
Tech Organization:
Tech Street: Whois Protege / Obfuscated whois
Tech City:Paris
Tech State/Province:
Tech Postal Code:75013
Tech Country:FR
Tech Phone:+33.170377666
Tech Phone Ext:
Tech Fax: +33.143730576
Tech Fax Ext:
Tech Email:gilles.vincent@gmail.com
Name Server:C.DNS.GANDI.NET
Name Server:B.DNS.GANDI.NET
Name Server:A.DNS.GANDI.NET
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
DNSSEC:Unsigned

BenniFebruary 10, 2014 8:39 AM

@Snarki: "Who would hack a Belgian cryptographer? Why exactly would the US/UK bother?"

Well, who would hack and spy on medecins do monde, or Unicef? http://www.theguardian.com/uk-news/2013/dec/20/gchq-targeted-aid-agencies-german-government-eu-commissioner

These are healthcare providers. And the interesting thing is that Kapersky notes among the Miniduke targets are: healthcare organizations.

This idea to spy on healthcare providers comes without doubt from a government that simply wants to collect it all everywhere.

Someone who is making malware to spy on healthcare providers is perhaps also interested in math professors. Simply because he can do it, because he can and wants to collect it all.

Getting the newest math articles in realtime before they are published is perhaps a nice hobby for the many mathematicians at NSA.

AnonFebruary 10, 2014 8:57 AM

I think I have read somewhere that JJQ's computer contained information on companies and their cryptography policies and possibly some other security related info. Industrial espionage could be a part of the explanation.

Clive RobinsonFebruary 10, 2014 11:35 AM

@ 65536,

    I did a whois look up on techweekeurope(dot)co(dot)uk and got a sketchy ookup (from France to Denmark back to the UK, 241 Borough High Street London)

I know the address I've troged past it on a number of occasions because it's a very short walk from the 'world famous' --or so it claims-- Borough Market, and London Bridge, which for very peuliar reasons does not have underground platform to street level disabled access so you have to come up out of Borough underground St and trunddle around to london Bridge.

It's actually an office block called "prospero house" used by a very great number of small companies to rent rent meeting rooms and confrance facilities (IIRC from etc.Venue) and on it's third floor is a company doing amongst other things domain registration. I beleive if you are a member of a Business Club there you can also use it as accomodation offices to have mail delivered and forwarded.

It's got a nice sounding name and address but you could hide a thousand shell organisations there...

BenniFebruary 10, 2014 6:43 PM

given that the hack on quisquater was recently, is there a complete publication record for the last 5 years of him somewhere? wonder which papers exactly made him that interesting for spies. This one here is interesting, i think, but a bit old:
http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.140.9754&rep=rep1&type=pdf

Actually, hacking a professor who ultimately publishes anything he has anyway sometime, reminds me of the similarly silly infiltration of world of warcraft, because wow would be a "target-rich communications network" where intelligence targets could "hide in plain sight".
http://www.theguardian.com/world/2013/dec/09/nsa-spies-online-games-world-warcraft-second-life

Either the spys who came up with that absurd idea are gamers who wanted to get payment for their hobby, or they are games, who told to their group leader: "Hey, i usually play these mmorpgs. and there could be terrorists in the hiding.Lets invade these networks professionally". This is an idea so silly that it can only come from an online games addict.

Similarly it maybe with cryptographers. Perhaps some spy there was a mathematician, who told his group leader the brilliant idea that mathematicians publishing on cryptography would be an ideal sigint targets because then, the nsa might get an edge on advanced mathematical methods.

This is an idea so silly, that it can only be the brainchild of a real hardcore mathematician. I do not believe, that china has a budget large enough to hire as many people being so in love with mathematical information as it is necessary for such ideas to be born an actually put forward..

AlanSFebruary 10, 2014 7:28 PM

@Mesrik

From the OT Greenwald aricle cited by Mesrik:

“People get hung up that there’s a targeted list of people,” he says. “It’s really like we’re targeting a cell phone. We’re not going after people – we’re going after their phones, in the hopes that the person on the other end of that missile is the bad guy.” The Obama administration has repeatedly insisted that its operations kill terrorists with the utmost precision.

How the targeting is done and how precise it is aside, a senior British lawyer acting for the All Party Parliamentary Group on Drones recently pointed out the dodgy legal status under British and International law of drone assassinations undertaken outside the context of an international armed conflict:

"The US Government has sought to justify the attacks by reference to the doctrine of ‘anticipatory self-defence’....The doctrine of anticipatory self-defence, as argued by the US government, has not been widely accepted within international law. The doctrine of anticipatory self-defence provides that, where the target presents an ‘imminent’ or ‘immediate’ threat, a state may strike first in self-defence. In effect, the attacking party must strike or be struck. The US government relies on a broader formulation of that principle. They cannot know, or demonstrate, that the targets of any particular drone strike present an imminent threat to US interests. In effect, they rely on intelligence and other information to argue that the targets might present an imminent threat....However, in our opinion, current domestic (and international) law has not embraced the broader version of anticipatory self-defence. The United Kingdom government does not and could not lawfully carry out drone strikes outside Afghanistan [i.e. outside the context of an ‘international armed conflict’], such as those carried out by the US government in Yemen and Pakistan. Accordingly, in our view, if GCHQ transferred data to the NSA in the knowledge that it would or might be used for targeting drone strikes, that transfer is probably unlawful. The transferor would be an accessory to murder for the purposes of domestic law."

BenniFebruary 10, 2014 9:07 PM

@AlanS:
The problem is also where the pilotes of these drones are. The problem is that the middle east and africa is far away from the us. And to shoot a target requires a fast realtime information link from the pilot to the drone and back. NSA found that nobody in africa wanted such a pilot center. Now a large part of these attacks is piloted from germany, as revealed by süddeutsche.de. Obama recently said there would not be a launshing point for drone attacks in germany. This is true, the us were able to install their launshing point in Dschibuti on Camp Lemonnier, The pilots sit in the german US-Basis Ramstein. And in Stuttgart at the Africom headquater, the targets are getting nominated.

The US Army is fact stupid enough to offer publicly jobs for nominating targets for drone attacks in Stuttgart, as reported by Süddeutsche Zeitung.
http://www.sueddeutsche.de/politik/angriffe-in-afrika-drohnentod-aus-deutschland-1.1829921

The Hellfire rockets that are fired by these drones were originally designed against tanks. Therefore, their impact radius is large. And collateral damage is almost for sure.

As the targets are nominated in Stuttgart, germany could actually be sued because of murder of innocent people. Süddeutsche, for example, was able to track an innocent collateral damage, a father with family, down and got the name and location of the relatives in somalia. But one can assume there are hundreds of similar cases.

There is even something for fans of James Bond movies:

This model looks pretty nice: http://www.modelmayhem.com/2744895 A real Bond movie would be proud of her. She now goes under the model name "dead model 4 hire" and one can take photos her.

And that is her linkedin profile
http://de.linkedin.com/pub/danielle-moore/52/b97/5a3

Among her jobs were:
Task Leader, Intelligence, Surveillance, & Reconnaissance (ISR) Test Engineer bei TASC Inc.
Joint Conflict & Tactical Simulator (JCATS) Controller/Technician bei Northrop Grumman Corporation

Süddeutsche interviewed that woman:

http://www.youtube.com/watch?v=_4Ueq9ZKB3I

In the video, she would say that she is an "ace". More precisely she has 5 aces. with that it is ment that she killed 5 people for obama.

I believe I somewhere have seen her even mentioning on some website that she is looking forward work again for the agency and she would like, for example, to nominate targets for them.


01February 11, 2014 4:28 AM

As the targets are nominated in Stuttgart, germany could actually be sued because of murder of innocent people.

I'm not sure it works like that.

Was there ever a precedent of a successful lawsuit against a nation-state within context of drone strikes?
And who would be suing, exactly? The nation-state who was harboring the targets ? The angered relatives of the person who was in the wrong place, in the wrong time ? Some NGO ?

Clive RobinsonFebruary 11, 2014 4:44 AM

@ 01,

Whilst I am not aware of any "drone legislation" the UK has had to pay out under EU Human Rights legislation against the actions of UK forces in the middle east.

Thus it's got a fairly high probability of being the same for Germany, and German citizens and active armed forces under various visiting forign force legislation.

BenniFebruary 11, 2014 10:36 AM

@Clive, yes i would also support to move this drone thing to the squid thread.

@01: In fact,because of the findings of sueddeutsche.de, the public prosecutor general already makes a preliminary investigation wether he should open a formal investigation against these drone murders from germany :
http://www.sueddeutsche.de/politik/moeglicher-verstoss-gegen-voelkerrecht-in-deutschland-generalbundesanwalt-prueft-us-drohnenangriffe-1.1807072

The point is that if the german government did not know about what the americans were doing, then the public prosecutor general can not sue anybody, as the americans have diplomatically imunity at their bases. But now we know what the americans are doing in Stuttgart and Rammstein, thanks to Süddeutsche,de. From this, the german government has juristically, an obligation to stop these attacks if collateral damage happens.
It seems that what is needed now, is new information. One needs a new collateral damage of an innocent victim of a drone strike, and one needs to prove that this murder was done from the german drone base. Then, the german government has juristically, a huge problem, as it has been of assistance in murder. This is why the public prosecutor has set up a first "Beobachtungsvorgang" (monitoring procedure) of that.

AlanSFebruary 11, 2014 11:06 AM

@Clive

Agree about moving the thread. My bad. I should have posted my follow-up post to Mesrik on the Friday Squid thread with a link from here.

SchneieronSecurityFanFebruary 13, 2014 4:18 AM

@Snarki, child of Loki-

AES was developed from Rijndael, the work of two Belgian cryptographers.

Maybe, this researcher was attacked so that some party could start "breaking" a cipher as it is developed.

This researcher did work for a company that secured cellphones.

Of three cellphone used by Angela Merkel, the one that wasn't hacked was secured by this company.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..