Prominent cryptographer victim of malware attack related to Belgacom breach

Other cryptographers were also targeted by the same attackers, the researcher said

Belgian cryptographer Jean-Jacques Quisquater had his personal computer infected with malware as the result of a targeted attack that's believed to be related to a security breach discovered last year at Belgian telecommunications group Belgacom. According to him, other cryptographers have also been targeted by the same attackers.

Belgacom, whose customers include the European Commission, the European Parliament and the European Council, announced in September that it had discovered sophisticated malware on some of its internal systems.

German news magazine Der Spiegel reported at the time, based on documents leaked by former U.S. National Security Agency contractor Edward Snowden, that British intelligence agency Government Communications Headquarters (GCHQ) was responsible for the attack on Belgacom as part of a project code-named Operation Socialist.

The magazine later reported that GCHQ used packet injection technology called Quantum Insert developed by the NSA to target network engineers from Belgacom and other companies when they visited the LinkedIn and Slashdot websites. This technology can impersonate websites and can force the target's computer to visit an attack server that uses exploits to install malware.

According to Quisquater, his laptop was infected with a malware program that was different from the one used in the Belgacom attack. However, the malware on his PC communicated over an encrypted link with malware on Belgacom's servers, he said Monday via email.

Quisquater is a professor at Université Catholique de Louvain (UCL) in Belgium and is well known for his cryptography and security research, particularly in the area of smart card security. He has designed cryptographic algorithms, protocols and crypto processors used in electronic passports widely deployed around the world.

According to Quisquater, on Nov. 12 investigators from the Belgian Federal Computer Crime Unit (FCCU) informed him that he had been targeted in an attack directly related to the one at Belgacom. He provided them with his laptop and got it back on Dec. 2 with the confirmation that it had sophisticated malware on it.

Quisquater remembers having received a spoofed LinkedIn email on Sept. 16, the same day the Belgacom security breach was made public. The email was very well crafted and contained a link to the LinkedIn profile of a person he knew.

Quisquater said he clicked on the link, but quickly realized it was a spoof and shut down his computer. He claims he later ran scans with several anti-malware products, but they didn't find anything.

It's not clear if the LinkedIn attack was successful and installed the malware later found on the laptop or if some other attack vector was used, Quisquater said Monday via email.

"Why this attack? I don't know," Quisquater said via email. "Maybe cryptography research is under surveillance, maybe some people hope I have some interesting information or contacts or maybe there's another goal we'll never know."

The malware used encrypted communications so it's hard to tell what kind of information it stole, if any. However, the researcher says that no confidential data, commercial or otherwise, was stored on his computer. "I'm mainly doing my research on papers," he said.

Quisquater said that while he prefers privacy when preparing his research, the information is eventually made public. "The main part of my work is devising methods for security and cryptography: I'm a scientist and I'm publishing these methods in conferences, journals, patents and standards."

The researcher also performs audits of different commercial technologies, but according to him those are done using strong security precautions: only on the company's premises, on dedicated computers without network connection and with everything being destroyed at the end.

It's not clear what the attackers were after, but Quisquater said he wasn't the only target. Other cryptographers were targeted in attacks with the same source, but with different vectors, he said.

He declined to name any of the other persons who were targeted.

Quisquater believes it's premature to make any links between GCHQ or the NSA and the attack against him, or even the one against Belgacom.

Publicly, there is no proof today that GCHQ or the NSA were responsible for the attack reported at Belgacom in September, he said. "It is possible that there were several attacks and the attack from GCHQ-NSA was never detected."

Quisquater claims police investigators told him the malware found on his computer is likely a variant of a threat called MiniDuke and that the attack might be Asian in origin. The malware is very clever, very difficult to detect and nearly impossible to remove, he said, adding that no antivirus program detects it at the moment.

The MiniDuke malware was originally discovered in February 2013 by researchers from antivirus firm Kaspersky Lab and the Laboratory of Cryptography and System Security (CrySyS) of the Budapest University of Technology and Economics. At the time it had been used to infect 59 computers belonging to government organizations, research institutes, think tanks and private companies from 23 countries. The researchers declined to speculate about the possible origin of the malware, but noted that none of the victims were from China.
