8 February 2014. Updated.
6 February 2014
Jean-Jacques Quisquater on Alleged NSA-GCHQ Hack
Thanks to Jean-Jacques Quisquater.
Comments about "NSA-GCHQ Allegedly Hack Cryptographer Quisquater"
More info written by Jean-Jacques Quisquater.
This text was updated on February 8, 2014 in the afternoon (Belgian time).
Since February 1st 2014 many articles have appeared in the newspapers and on the internet
concerning the hack of the personal portable computer of Jean-Jacques
Quisquater (JJQ). See
Unfortunately many of these articles suffer from approximations and extrapolations,
and some of them are wrong.
The following text is intended to clarify the context of the attack as much
as possible, as the investigations are not complete at this stage.
- Facts: Yes, this portable computer was attacked. We don't know for sure
which attack vector was used. According to the Belgian Federal Police
the attack on this computer is strongly related to the attack on Belgacom
in Belgium, allegedly hacked by NSA-GCHQ.
The only attack vector found is related to an email spoofing a LinkedIn
email and mentioning a name close to a name known by JJQ. From this email, JJQ
opened a link to a profile of the mentioned person; JJQ immediately
understood it was a spoof and closed his computer within one second. The computer
was later extensively scanned by several malware detectors without result.
Possibly another attack vector was used, but there is no trace of it.
- Data available on the computer: There was no sensitive data on the computer.
The main part of JJQ's work is the design of (formal) methods related
to cryptography and computer security, and this activity is twofold:
- Methods related to the academic world, which are in any case eventually published
in conferences, journals, patents and standards. Privacy concerning reviews
of scientific papers is important in order to write these reviews without external
pressure; the content is nevertheless not critical.
- Activities related to sensitive data of companies always follow
a very strict procedure which leads to a very strong level of security
(the use of safes, work only in company rooms, dedicated computers without connection,
destruction of all the data at the end of the study). Therefore no sensitive
information related to companies is available on this personal computer.
Companies are only using the practical ideas of JJQ in the spirit of the
main principle of Kerckhoffs (« only the key is secret ») and
of Shannon (« The enemy knows the system »).
- The purpose of the attack: we don't know. Maybe cryptography research
is under surveillance, maybe some people hope to find some interesting
information or contacts, maybe there is another goal we will never know.
- September 16, 2013: the Belgian newspaper De Standaard announced an attack
on Belgacom (main communication operator in Belgium) by the NSA (links in
- September 16, 2013 (same day in the afternoon): Jean-Jacques Quisquater
received an email spoofing a LinkedIn email,
opened a link to a profile of somebody he thought he knew, saw immediately
that it was a spoof and closed his computer within one second.
The computer was thoroughly scanned by several malware detectors.
JJQ comments: It is not certain that this attack worked or that it is related
to the main attack against the computer, but the dates match. Other
people were also attacked in Belgium. We don't know the vector of the "winning"
attack (phishing, packet injection
through Quantum Insert, ... ?).
- September 20, 2013: Der Spiegel announced an attack on Belgacom by GCHQ
using tools from the NSA, based on the Snowden files: see
- November 8, 2013: the Federal Police contacted JJQ to discuss with him.
- November 11, 2013: Der Spiegel announced that GCHQ used fake LinkedIn pages
to target Belgacom engineers:
- November 12, 2013: meeting with people from the Federal Police. They announced
that the computer had been heavily compromised by a targeted attack (meaning an
attack with only one target, which is nearly impossible to detect).
The attack was directly related to the Belgacom attack. The malware used
is very clever, very difficult to detect, and impossible to remove using currently
available antivirus. In fact the malware was only active when outside the
personal home. The communications between the malware on the computer and
the servers at Belgacom are encrypted, so only metadata are possibly usable
for the investigations. It is thus also impossible that any large amount of content
from the computer was communicated. No confidential information (commercial
or not) was on this computer.
- December 2, 2013: The attack was confirmed and is still under investigation.
Later it was learnt that the malware is likely a variant of the MiniDuke malware:
This version of the malware is not detected by any currently available antivirus.
- January 28, 2014: A journalist from De Standaard (Belgian newspaper) contacted
JJQ in order to arrange a meeting, because somebody had spoken to the journalist about
a hacked, well-known, French-speaking Belgian cryptographer (clearly JJQ).
This hacking was presented as directly related to the hacking of Belgacom.
- January 30, 2014: During the meeting the journalists announced that De
Standaard would publish an article about this story the following Saturday.
- Saturday February 1st, 2014: Publication of their story by De Standaard:
(English translation) and the buzz began. JJQ then answered questions
from the Belgian TV channels RTBF and RTL.
There is also a lot of information about targeted attacks in:
Also read this paper from RAID 2012 (the research conference on intrusions):