Highlights
– Researchers from two universities discovered a network of compromised computer systems being searched for valuable data
– Investigation began at the Indian offices of the Dalai Lama and led researchers to unprotected servers controlling the compromised computers
– Governments and hacker gangs are expected to increase cyber espionage operations
Two independent reports detailing the inner workings of a vast electronic spy network, which has been stealing information from computer systems in 103 different countries for the past two years, were released on March 29, 2009 by researchers at two separate universities in conjunction with the Ottawa-based think tank, SecDev Group. Researchers from the University of Toronto’s Munk Center for International Studies teamed up with two researchers from Cambridge University in the United Kingdom to investigate the electronic spy operation dubbed GhostNet. The reports stated that 1,295 computers belonging to embassies, foreign ministries, and other government offices in countries such as Romania, Cyprus, Germany and a host of Asian countries had been compromised.
The discovery of this electronic spy operation highlights the increased level of sophistication employed by hackers who are developing malware more resistant to detection by anti-virus software and network security personnel. In the near to medium-term, we expect hackers in China, Russia, and other Asian and European nations to deploy more malware aimed at stealing sensitive information from commercial and governmental computer systems. The information gleaned from stolen documents and electronic communications can prove to be of extreme value to political, economic, and military decision makers.
Investigation Began At The Indian Offices Of The Dalai Lama
In June 2008, officials working with the Dalai Lama, the exiled Tibetan spiritual leader, contacted researchers at Cambridge University to request an audit of their computer systems for any malicious software after becoming suspicious that their computers might have been compromised. Their suspicions arose after a foreign diplomat the office had contacted by e-mail requesting a meeting with the Dalai Lama received a phone call from the Chinese government discouraging the proposed meeting.
The discovery prompted a more in-depth investigation by the researchers, who focused their 10-month, two-phase investigation on allegations of Chinese cyber espionage against the Tibetan community. During the first phase, the researchers conducted field-based investigations in India, Europe, and North America. The fieldwork generated extensive evidence of malware that had penetrated computer systems of the Tibetan community.
Following close examination of this evidence, the researchers discovered four servers, three located in China and one in the United States (US), used to control the compromised systems in search of valuable documents and electronic communications. The researchers were able to log into the poorly secured web-based control system and through trial and error discovered how the system – written in Chinese – worked. They also discovered a log of compromised computers dating back to May 2007.
Chinese Government Denies Any Involvement
A spokesman for the Chinese Consulate in New York dismissed the idea that the Chinese government was in any way involved, stating that “the Chinese government is opposed to and strictly forbids any cybercrime.” The Chinese government has repeatedly denied past allegations of cyber attacks and espionage, despite testimony to the contrary from a US Congressional panel during a hearing in November 2008.
According to testimony from the commission’s chairman, “China is stealing vast amounts of sensitive information from US computer networks.” The 393-page report issued by the panel showed that over 250 hacker groups are often tolerated, and may even be encouraged, by Beijing to invade computer networks. It was also discovered that individual hackers are being trained in cyber operations at Chinese military bases.
Governments Are Expected To Increase Cyber Espionage Operations
We expect the number of viruses and personnel dedicated to electronic espionage to increase dramatically due to the low cost of generating the viruses and the high payoff in the sensitive information that is gleaned. The difficulty of tracing the perpetrators back to a particular group or sponsoring government with a high degree of certainty is another benefit to the attacker, which will help fuel this growth.
According to researchers at MessageLabs, a division of the computer security vendor Symantec Corp., the number of targeted espionage attempts jumped from one to two per week in 2005 to an average of 53 per day in 2008. This number is expected to continue to increase in the near term.
The GhostNet researchers stated that the electronic espionage operation is continuing to invade and monitor more than a dozen new computer systems every week, despite alerts provided to international law enforcement agencies, including the Federal Bureau of Investigation (FBI). Even if international law enforcement agencies are successful at shutting down GhostNet, we believe a new wave of more sophisticated malware will be produced by hackers, allowing theft of valuable information from the computing systems of political, economic, and military targets.