GhostNet
GhostNet is the name given by researchers at the Information Warfare Monitor to a large-scale cyber spying operation discovered in March 2009. The operation is likely associated with an Advanced Persistent Threat. Its command and control infrastructure is based mainly in the People's Republic of China and has infiltrated high-value political, economic and media locations in 103 countries. Computer systems belonging to embassies, foreign ministries and other government offices, and the Dalai Lama's Tibetan exile centers in India, London and New York City were compromised. Although the activity is mostly based in China, there is no conclusive evidence that the Chinese government is involved in its operation.
Discovery
GhostNet was discovered and named following a 10-month investigation by the Infowar Monitor (IWM), carried out after IWM researchers approached the Dalai Lama's representative in Geneva suspecting that their computer network had been infiltrated. The IWM is composed of researchers from the SecDev Group, a Canadian consultancy, and the Citizen Lab at the Munk Centre for International Studies at the University of Toronto; the research findings were published in the Infowar Monitor, an affiliated publication. Researchers from the University of Cambridge's Computer Laboratory, supported by the Institute for Information Infrastructure Protection, also contributed to the investigation at one of the three locations in Dharamsala, where the Tibetan government-in-exile is located. The discovery of GhostNet, and details of its operations, were reported by The New York Times on March 29, 2009. Investigators focused initially on allegations of Chinese cyber-espionage against the Tibetan exile community, such as instances where email correspondence and other data were extracted.
Compromised systems were discovered in the embassies of India, South Korea, Indonesia, Romania, Cyprus, Malta, Thailand, Taiwan, Portugal, Germany and Pakistan, and in the office of the Prime Minister of Laos. The foreign ministries of Iran, Bangladesh, Latvia, Indonesia, the Philippines, Brunei, Barbados and Bhutan were also targeted. No evidence was found that U.S. or U.K. government offices were infiltrated, although a NATO computer was monitored for half a day and the computers of the Indian embassy in Washington, D.C., were infiltrated.
Since its discovery, GhostNet has attacked other government networks, for example Canadian official financial departments in early 2011, forcing them off-line. Governments commonly do not admit such attacks, so reports of them are usually confirmed only by official but anonymous sources.
Technical functionality
Emails containing contextually relevant information are sent to target organizations. These emails carry malicious attachments that, when opened, drop a Trojan horse on the system. The Trojan connects back to a control server, usually located in China, to receive commands, and the infected computer then executes whatever command the control server specifies. Occasionally the command causes the infected computer to download and install a Trojan known as Gh0st Rat, which gives attackers complete, real-time control of computers running Microsoft Windows. Such a computer can be controlled or inspected by the attackers, who can even turn on its camera and audio-recording functions to conduct surveillance.
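As an added, detection-side example (not code from the article or from the IWM report), the following parser identifies the wire framing used by the public Gh0st RAT source in a reassembled TCP stream: a 5-byte tag ("Gh0st"), a little-endian uint32 total frame size, a little-endian uint32 uncompressed size, then a zlib-compressed body. Because variants of the tool commonly replace the 5-byte tag, the scanner keys on the structural consistency of the frame rather than on the literal string; the sample stream and the rebranded tag "Xy3zQ" are constructed for the example.

```python
"""Flag Gh0st RAT-style framing in a captured TCP payload (defender-side aid)."""
import struct
import zlib

HEADER_LEN = 13          # 5-byte tag + uint32 total size + uint32 original size
KNOWN_TAG = b"Gh0st"     # tag in the public Gh0st source; variants often rebrand it
ZLIB_FIRST_BYTES = {b"\x78\x01", b"\x78\x5e", b"\x78\x9c", b"\x78\xda"}


def parse_frame(payload: bytes, offset: int = 0):
    """Try to read one Gh0st-style frame starting at `offset`.

    Returns (tag, decompressed_body, frame_length), or None when the bytes
    are not a consistent frame. Consistent means: both length fields fit
    the data, the body starts like a zlib stream, and it inflates to
    exactly the advertised original size.
    """
    chunk = payload[offset:]
    if len(chunk) < HEADER_LEN:
        return None
    tag = chunk[:5]
    total, original = struct.unpack_from("<II", chunk, 5)
    if total < HEADER_LEN or total > len(chunk):
        return None                      # truncated or nonsensical length
    if chunk[HEADER_LEN:HEADER_LEN + 2] not in ZLIB_FIRST_BYTES:
        return None
    try:
        body = zlib.decompress(chunk[HEADER_LEN:total])
    except zlib.error:
        return None
    if len(body) != original:
        return None
    return tag, body, total


def scan_stream(payload: bytes):
    """Walk a stream and return one finding per frame found.

    Bytes that do not parse as a frame are skipped one at a time, so frames
    preceded by junk, or carrying a rebranded tag, are still reported.
    """
    findings = []
    pos = 0
    while pos + HEADER_LEN <= len(payload):
        parsed = parse_frame(payload, pos)
        if parsed is None:
            pos += 1
            continue
        tag, body, length = parsed
        findings.append({
            "offset": pos,
            "tag": tag,
            "known_tag": tag == KNOWN_TAG,   # False => structural match only
            "body_len": len(body),
        })
        pos += length
    return findings


def constructed_sample() -> bytes:
    """Constructed test fixture (not captured traffic): two frames, one with
    the public tag and one with a rebranded tag, separated by noise bytes."""
    def frame(tag: bytes, body: bytes) -> bytes:
        comp = zlib.compress(body)
        return tag + struct.pack("<II", HEADER_LEN + len(comp), len(body)) + comp
    return (b"\x00\x01" + frame(KNOWN_TAG, b"sample body one " * 4)
            + b"noise" + frame(b"Xy3zQ", b"another sample body"))


if __name__ == "__main__":
    for finding in scan_stream(constructed_sample()):
        print(finding)
```

A finding with `known_tag` False is the case worth a second look: the framing matches but the tag does not, which is what a rebranded variant looks like on the wire.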
Origin
The researchers from the IWM stated they could not conclude that the Chinese government was responsible for the spy network. However, a report from researchers at the University of Cambridge states that they believe the Chinese government is behind the intrusions they analyzed at the Office of the Dalai Lama.
Researchers have also noted the possibility that GhostNet was an operation run by private citizens in China for profit or for patriotic reasons, or created by intelligence agencies from other countries such as Russia or the United States. The Chinese government has stated that China "strictly forbids any cyber crime."
The "Ghostnet Report" documents several unrelated infections at Tibetan-related organizations in addition to the Ghostnet infections. Using the email addresses provided in the IWM report, Scott J. Henderson managed to trace one of the operators of one of the (non-Ghostnet) infections to Chengdu. He identifies the hacker as a 27-year-old man who had attended the University of Electronic Science and Technology of China and is currently connected with the Chinese hacker underground.
Despite the lack of evidence to pinpoint the Chinese government as responsible for intrusions against Tibetan-related targets, researchers at Cambridge have found actions taken by Chinese government officials that corresponded with the information obtained via computer intrusions. One such incident involved a diplomat who was pressured by Beijing after receiving an email invitation to a visit with the Dalai Lama from his representatives.
Another incident involved a Tibetan woman, Drelwa, who was interrogated by Chinese intelligence officers and was shown transcripts of her online conversations. However, there are other possible explanations for this event. Drelwa uses QQ and other instant messengers to communicate with Chinese Internet users. In 2008, IWM found that TOM-Skype, the Chinese version of Skype, was logging and storing text messages exchanged between users. It is possible that the Chinese authorities acquired the chat transcripts through this means.
IWM researchers have also found that when detected, GhostNet is consistently controlled from IP addresses located on the island of Hainan, China, and have pointed out that Hainan is home to the Lingshui signals intelligence facility and the Third Technical Department of the People's Liberation Army. Furthermore, one of GhostNet's four control servers has been revealed to be a government server.
The Chinese embassy in London has denied the involvement of its government, stating that there is no evidence that its government was involved. A spokesman called the accusation part of a "propaganda campaign" and "just some video footage pieced together from different sources to attack China." Foreign Ministry spokesman Qin Gang said that his country was committed to the security of the computer network.
See also
- Honker Union
- Cyber-warfare
- Advanced Persistent Threat
- Titan Rain
- Operation Aurora
- Chinese intelligence activity in other countries
- Internet censorship in the People's Republic of China
- Economic and Industrial Espionage
External links
- The SecDev Group Ottawa, Canada
- Citizen Lab at the University of Toronto
- Tracking GhostNet: Investigating a Cyber Espionage Network (Infowar Monitor Report (SecDev and Citizen Lab), March 29, 2009)
- F-Secure Mirror of the report PDF
- Information Warfare Monitor - Tracking Cyberpower (University of Toronto, Canada/Munk Centre)
- Twitter: InfowarMonitor