A screenshot of the
GhostNet report released by the Information Warfare Monitor group in Canada. (Suman Srinivasan/Epoch Times)
The people who uncovered GhostNet, an extensive cyber espionage network that targeted the Tibetan exile community, are back with a sequel. Starting with an infected machine that was found during that investigation, an international team of researchers has uncovered a completely separate network that primarily targeted the Indian government, and turned up some classified documents that had been obtained by the hackers. By reconstructing the network, the team was able to trace things back to the hacking community in Chengdu, China. The work involved a collaboration between the Information Warfare Monitor and the Shadowserver Foundation, but, over the course of its work, involved dozens of other security groups and experts. It also benefitted from extensive cooperation with the Office of His Holiness the Dalai Lama, which had previously approached the security researchers in response to security lapses that unearthed GhostNet. The researchers take what they term a "fusion methodology," which is basically a combination of fieldwork—studying infected systems in situ—with standard security approaches.
The investigation grew out of GhostNet in two ways. As part of their efforts to help the Tibetan exile community secure its systems, the researchers were monitoring the network used by the OHHDL. As part of that monitoring, they uncovered an malware-infected machine that attempted to transfer documents to a control server.
Separately, they found that most of the control servers identified through the GhostNet investigation were taken down after their report on it was released. As the domain registrations on these servers lapsed, the researchers grabbed them for themselves, and created what's termed a DNS sinkhole, in which requests from compromised machines were directed to one under the researchers' control, allowing a study of the command-and-control communications.
Over time, the authors were able to trace communications back and develop a reasonable picture of a computer espionage network that was separate from, but partially overlapped with, the GhostNet. It turns out that, just as hackers count on regular users having moments of carelessness, they suffer from the same problem, which allowed the researchers to view the complete list of infected systems four times, and obtain documents stolen by the hackers twice.
In general, machines were compromised using low-tech methods, primarily via malware that travelled as Microsoft Office or PDF files, and used relatively well-known exploits. Once on a machine, however, the malware would communicate with a specific Yahoo Mail account, which allowed it to receive more sophisticated software via attachments, and alert the network to its identity.
The command-and-control network operated primarily through free webhosting services, many of them operating from within the US. As these systems came and went, various social networking services—Google and Baidu blogs, Twitter, etc.—were used to supply the infected systems with a list of alternate hosts. Fortunately for the researchers, at times when a lot of the free webhosts were taken out of action, the social networking updates revealed a core of servers that remained constant; these were exclusively hosted within China.
The list of infected systems was pretty variable, and included US institutions like NYU and Honeywell, and at least one machine in China that the researchers think was used for testing the system. But the majority of infected machines were associated with India. Some of these were commercial, like the Times of India and the New Delhi rail station, but the list included Indian embassies and consulates.
The documents retrieved by the researchers include everything from information on missile systems being developed by India to a list of visas issued by Indian embassies. That latter item may have implications for NATO's Afghanistan mission, since many of the officials from NATO countries travel via India. Several of these were marked classified or confidential, and some provided internal security evaluations in regions where India is dealing with armed insurgency.
Aside from the fact that the core of the network resides in China, there is some circumstantial evidence linking the network to the hacking community that exists in Chengdu. A blog that follows Chinese hacking activity independently identified the e-mail address used to register one of the domains that turned up as part of the new espionage network. The address turned up in several popular Chinese hacking forums, but also showed up in association with advertisements for apartment rentals in Chengdu. Several of the command-and-control e-mails sent to the Yahoo account also originated from computers in the region.
So, does that mean the Chinese government is behind the espionage? Chengdu is the site of an Army technical reconnaissance bureau, which would be consistent with direct involvement. But, it's quite near Chongquing, a city with thriving criminal syndicates, and several of the servers were also traced to that city.
Complicating matters further, China is one of the governments that has been accused of hiring digital privateers, private citizens that engage in hacking while remaining independent of the central government. The report notes that private citizens might engage in these activities under the expectation that the documents, once obtained, could be sold to the government, even if the government didn't authorize the intrusions.
In any case, the report's authors mentioned that the Chinese CERT organization was cooperating with attempts to shut down the network.
In addition to providing an interesting window into the world of cyberespionage, the authors use the report to argue that the chaotic mix of private hackers and government interests highlights the need to develop some international norms that govern acceptable online behavior. In that sense, they seem to be on the same page as the authors of the National Academies of Science report on cyberdeterrance we covered over the weekend.
cyber security seriously ????
The Chinese have a history of unleashing their cyber spies on the rest of the world. In March 2009 its biggest ever spying operation - Ghostnet - was exposed, and was found to have infiltrated vital systems in 103 countries, including India. One of the targets of Ghostnet was the Tibetan leader, the Dalai Lama.
Therefore, it is not surprising that a Canadian-led research team has uncovered another Chinese cyber spying ring based in Sichuan province that was doing exactly the same.
This time around, the operation was even more damaging to Indian interests than Ghostnet, as it routinely gained access to key Indian government departments and embassies around the world and hacked several sensitive documents.
What is surprising is that the Indian government, given the gravity of the situation created by Ghostnet, had not even been aware that such a spy ring existed and had not learned any lesson from China's previous incursions into our computer systems.
In the 21st century and beyond, a war's theatre of operation will not be restricted to the physical battlefields. This is not an epiphany; but an obvious fact. Yet, it has to be reiterated that the government of India faces a greater challenge in securing its key documents and data that are stored in our now- shown- to- be vulnerable computer systems.
Now that the spy ring's existence and its activity has been proven, it is up to the National Technical Research Organisation which reportedly has some of the best trained personnel, as well as the most effective equipment, to nullify any gains that would have accrued to the Chinese spy ring.
It is also incumbent upon the Indian government as well as the defence ministry to ensure that no further damage is caused by securing all its locations and data. This time around, we had better learn our lessons well.
GhostNet: Massive China-Based Internet Spy Network Unearthed
NEW YORK—On March 29, a Canadian research group unveiled a chilling report confirming fears that Chinese dissident communities have harbored for years—the presence of a vast, unrivaled online spy network that is able to track highly specific data and send it back to control servers based in China.
The research was conducted by the Information Warfare Monitor, a public-private research group that comprises researchers from two institutes in Canada: the SecDev Group, an operational think tank based in Ottawa, and the Citizen Lab at the Munk Center for International Studies, University of Toronto.
Their 53-page report, titled “Tracking ‘GhostNet’: Investigating a Cyber Espionage Network,” documents their findings of a global online espionage network that relies on cleverly forged e-mails to infect target computers, control them, and then send reports back to control servers, most of which are based in China.
The group reported that their work started when they began investigating computers in Tibetan exile centers in Dharmasala, India, for possible compromises. The work they did “led to the discovery of insecure, web-based interfaces to four control servers” which allowed attackers to control compromised machines.
Scouting these control servers resulted in their finding a vast network of compromised computers across the world—the report counted “at least 1,295 infected computers in 103 countries.”
Most interestingly, a large number of compromised computers were extremely high-profile targets: close to 30 percent of the compromised computers belonged to “ministries of foreign affairs of Iran, Bangladesh, Latvia, Indonesia, Philippines, Brunei, Barbados, and Bhutan; embassies of India, South Korea, Indonesia, Romania, Cyprus, Malta, Thailand, Taiwan, Portugal, Germany, and Pakistan; the ASEAN (Association of Southeast Asian Nations) Secretariat, SAARC (South Asian Association for Regional Cooperation), and the Asian Development Bank; news organizations; and an unclassified computer located at NATO headquarters.”
Leveraging Social Means
The researchers found that GhostNet spread by infecting computers with a trojan known as “gh0st RAT” that gave the attackers complete control over the infected system. They found that the Trojan was capable of “taking full control of infected computers, including searching and downloading specific files, and covertly operating attached devices, including microphones and web cameras.”
Such complete takeovers would allow the attackers to even hear and see events happening on the compromised computers.
The Trojans were obfuscated malware, resulting in their being difficult to detect in commercial anti-virus and anti-malware programs. “Only 11 of the 34 anti-virus programs provided by Virus Total recognized the malware embedded in the document. Attackers often use executable packers to obfuscate their malicious code in order to avoid detection by anti-virus software,” the report said.
The attackers used “social means” to spread the Trojan. For instance, “contextually relevant emails are sent to specific targets” and these e-mails, once opened, installed the Trojan on the unsuspecting user’s computer.
Targeting Chinese Dissidents?
The unearthed global Trojan network is only the latest in a series of massive cyber-attacks that have been based out of Communist-ruled China. In 2003, the United States Department of Defense (DoD) and numerous defense companies came under heavy attack in an operation that the DoD called “Titan Rain,” and has been under attack ever since.
Attacks originating from China have also targeted non-governmental groups and Chinese dissident groups. The report said that the attacks have targeted “organizations advocating on the conflict in the Darfur region of Sudan, Tibetan groups active in India, and the Falun Gong.”
The Citizen Lab has previously been involved in other studies involved Chinese cyber espionage. In October 2008, they published a report called “Breaching Trust,” which focused on the behind-the-scenes surveillance of chat sessions by TOM-Skype in China. The lab is also behind “psiphon,” which allows uncensored Internet access in countries where the Internet is filtered.
