NEW YORK—On March 29, a Canadian research group unveiled a chilling report confirming fears that Chinese dissident communities have harbored for years—the presence of a vast, unrivaled online spy network that is able to track highly specific data and send it back to control servers based in China.
The research was conducted by the Information Warfare Monitor, a public-private research group that comprises researchers from two institutes in Canada: the SecDev Group, an operational think tank based in Ottawa, and the Citizen Lab at the Munk Center for International Studies, University of Toronto.
Their 53-page report, titled “Tracking ‘GhostNet’: Investigating a Cyber Espionage Network,” documents their findings of a global online espionage network that relies on cleverly forged e-mails to infect target computers, control them, and then send reports back to control servers, most of which are based in China.
The group reported that their work started when they began investigating computers in Tibetan exile centers in Dharmasala, India, for possible compromises. The work they did “led to the discovery of insecure, web-based interfaces to four control servers” which allowed attackers to control compromised machines.
Scouting these control servers resulted in their finding a vast network of compromised computers across the world—the report counted “at least 1,295 infected computers in 103 countries.”
Most interestingly, a large number of compromised computers were extremely high-profile targets: close to 30 percent of the compromised computers belonged to “ministries of foreign affairs of Iran, Bangladesh, Latvia, Indonesia, Philippines, Brunei, Barbados, and Bhutan; embassies of India, South Korea, Indonesia, Romania, Cyprus, Malta, Thailand, Taiwan, Portugal, Germany, and Pakistan; the ASEAN (Association of Southeast Asian Nations) Secretariat, SAARC (South Asian Association for Regional Cooperation), and the Asian Development Bank; news organizations; and an unclassified computer located at NATO headquarters.”
Leveraging Social Means
The researchers found that GhostNet spread by infecting computers with a trojan known as “gh0st RAT” that gave the attackers complete control over the infected system. They found that the Trojan was capable of “taking full control of infected computers, including searching and downloading specific files, and covertly operating attached devices, including microphones and web cameras.”
Such complete takeovers would allow the attackers to even hear and see events happening on the compromised computers.
The Trojans were obfuscated malware, resulting in their being difficult to detect in commercial anti-virus and anti-malware programs. “Only 11 of the 34 anti-virus programs provided by Virus Total recognized the malware embedded in the document. Attackers often use executable packers to obfuscate their malicious code in order to avoid detection by anti-virus software,” the report said.
The attackers used “social means” to spread the Trojan. For instance, “contextually relevant emails are sent to specific targets” and these e-mails, once opened, installed the Trojan on the unsuspecting user’s computer.
Targeting Chinese Dissidents?
The unearthed global Trojan network is only the latest in a series of massive cyber-attacks that have been based out of Communist-ruled China. In 2003, the United States Department of Defense (DoD) and numerous defense companies came under heavy attack in an operation that the DoD called “Titan Rain,” and has been under attack ever since.
Attacks originating from China have also targeted non-governmental groups and Chinese dissident groups. The report said that the attacks have targeted “organizations advocating on the conflict in the Darfur region of Sudan, Tibetan groups active in India, and the Falun Gong.”The Citizen Lab has previously been involved in other studies involved Chinese cyber espionage. In October 2008, they published a report called “Breaching Trust,” which focused on the behind-the-scenes surveillance of chat sessions by TOM-Skype in China. The lab is also behind “psiphon,” which allows uncensored Internet access in