GhostNet
GhostNet (
Discovery
GhostNet was discovered and named following a 10-month investigation by the
Compromised systems were discovered in the
Since its discovery, GhostNet has attacked other government networks, for example Canadian official financial departments in early 2011, forcing them off-line. Governments commonly do not admit such attacks, which must be verified by official but anonymous sources.[13]
Technical functionality
Emails that contain contextually relevant information are sent to target organizations. These emails contain malicious attachments that, when opened, enable a
Origin
The researchers from the IWM stated they could not conclude that the Chinese government was responsible for the spy network.[14] However, a report from researchers at the University of Cambridge says they believe that the Chinese government is behind the intrusions they analyzed at the Office of the Dalai Lama.[15]
Researchers have also noted the possibility that GhostNet was an operation run by private citizens in China for profit or for patriotic reasons, or created by intelligence agencies from other countries such as Russia or the United States.[7] The Chinese government has stated that China "strictly forbids any cyber crime."[1][10]
The "GhostNet Report" documents several unrelated infections at Tibetan-related organizations in addition to the GhostNet infections. Using the email addresses provided by the IWM report, Scott J. Henderson managed to trace one of the operators of one of the (non-GhostNet) infections to Chengdu. He identifies the hacker as a 27-year-old man who had attended the University of Electronic Science and Technology of China and is currently connected with the Chinese hacker underground.[16]
Despite the lack of evidence to pinpoint the Chinese government as responsible for intrusions against Tibetan-related targets, researchers at Cambridge have found actions taken by Chinese government officials that corresponded with the information obtained via computer intrusions. One such incident involved a diplomat who was pressured by Beijing after receiving an email invitation to a visit with the Dalai Lama from his representatives.[15]
Another incident involved a Tibetan woman who was interrogated by Chinese intelligence officers and was shown transcripts of her online conversations.[14][17] However, there are other possible explanations for this event. Drelwa uses QQ and other instant messengers to communicate with Chinese Internet users. In 2008, IWM found that TOM-Skype, the Chinese version of Skype, was logging and storing text messages exchanged between users. It is possible that the Chinese authorities acquired the chat transcripts through these means.[18]
IWM researchers have also found that, when detected, GhostNet is consistently controlled from IP addresses located on the island of Hainan, China, and have pointed out that Hainan is home to the Lingshui signals intelligence facility and the Third Technical Department of the People's Liberation Army.[4] Furthermore, one of GhostNet's four control servers has been revealed to be a government server.[19]
See also
- Advanced persistent threat
- Chinese intelligence activity abroad
- Chinese cyberwarfare
- Chinese espionage in the United States
- Cyber-warfare
- Economic and industrial espionage
- Honker Union
- Internet censorship in China
- Operation Aurora
- RedHack (from Turkey)
- Titan Rain
- Shadow Network
- 14th Dalai Lama
References
- "Major cyber spy network uncovered". BBC News. March 29, 2009. Retrieved March 29, 2009.
- Glaister, Dan (March 30, 2009). "China Accused of Global Cyberspying". The Guardian Weekly. Vol. 180, no. 16. London. p. 5. Retrieved April 7, 2009.
- ISBN 978-0071772495.
- Harvey, Mike (March 29, 2009). "Chinese hackers 'using ghost network to control embassy computers'". The Times. London. Retrieved March 29, 2009.
- "Tracking GhostNet: Investigating a Cyber Espionage Network".
- "China denies spying allegations". BBC News. March 30, 2009. Retrieved March 31, 2009.
- New York Times. Retrieved March 29, 2009.
- Nagaraja, Shishir; Anderson, Ross (March 2009). "The snooping dragon: social-malware surveillance of the Tibetan movement" (PDF). University of Cambridge. p. 2. Retrieved March 31, 2009.
- "Researchers: Cyber spies break into govt computers". Associated Press. March 29, 2009. Retrieved March 29, 2009.
- "China-based spies target Thailand". Bangkok Post. March 30, 2009. Retrieved March 30, 2009.
- "Canadians find vast computer spy network: report". Reuters. March 28, 2009. Retrieved March 29, 2009.
- "Spying operation by China infiltrated computers: Report". The Hindu. March 29, 2009. Archived from the original on April 1, 2009. Retrieved March 29, 2009.
- "Foreign hackers attack Canadian government". CBC News. February 17, 2011. Retrieved February 17, 2011.
- Munk Centre for International Studies. March 29, 2009.
- Nagaraja, Shishir; Anderson, Ross (March 2009). "The snooping dragon: social-malware surveillance of the Tibetan movement" (PDF). Computer Laboratory, University of Cambridge.
- Henderson, Scott (April 2, 2009). "Hunting the GhostNet Hacker". The Dark Visitor. Archived from the original on April 6, 2009. Retrieved April 2, 2009.
- "U of T team tracks China-based cyber spies". Toronto Star. March 29, 2009. Archived March 31, 2009, at the Wayback Machine.
- "Breaching Trust: An analysis of surveillance and security practices on China's TOM-Skype platform".
- "Meet the Canadians who busted Ghostnet". The Globe and Mail. March 29, 2009.
External links
- The SecDev Group
- Citizen Lab at the University of Toronto
- Tracking GhostNet: Investigating a Cyber Espionage Network (Infowar Monitor Report (SecDev and Citizen Lab), March 29, 2009)
- F-Secure Mirror of the report PDF
- Information Warfare Monitor - Tracking Cyberpower (University of Toronto, Canada/Munk Centre)
- Twitter: InfowarMonitor
- Kelly, Cathal (March 31, 2009). "Cyberspies' code a click away - Simple Google search quickly finds link to software for Ghost Rat program used to target governments". Toronto Star (Canada). Toronto, Ontario, Canada. Retrieved April 4, 2009.
- Lee, Peter (April 8, 2009). "Cyber-skirmish at the top of the world".
- Bodmer, Kilger, Carpenter, & Jones (2012). ISBN 978-0071772495