Is China Behind Cyber Spy Network?
Attacks Originated From Chinese Island, Researchers Say
Canadian cybersecurity researchers revealed this weekend the existence of a cyber espionage network, likely based in China, called GhostNet that uses malware to breach computers worldwide, including those the researchers consider high-value diplomatic, political, economic and military targets.
The GhostNet system directs a Trojan known as gh0st RAT that allows attackers to gain complete and real-time control of infected computers, the researchers say. These instances of gh0st RAT are controlled from commercial Internet access accounts located on the Chinese island of Hainan, according to Information Warfare Monitor, a venture between the SecDev Group think tank in Ottawa and the Citizen Lab at the University of Toronto's Munk Centre for International Studies.
The researchers did not provide any evidence that the Chinese government was directly involved, but some American government leaders believe the Chinese government is behind political and economic espionage hacks of U.S. and other nations' and businesses' computer systems. A Pentagon report issued last week said China has likely targeted computer systems around the world, including those operated by the U.S. government.
According to Information Warfare Monitor, GhostNet can take full control of infected computers, including searching and downloading specific files, and covertly operating attached devices, including microphones and web cameras, meaning attackers can listen in and watch those in a room where a hacked computer is located.
Between June and March, the Information Warfare Monitor conducted a two-phase investigation focused on allegations of Chinese cyber espionage against the Tibetan community.
The researchers said they conducted field-based investigations in India, Europe and North America, working directly with affected Tibetan organizations, including the Dalai Lama's office, the Tibetan government-in-exile and its missions in London, Brussels and New York. "The fieldwork generated extensive data that allowed us to examine Tibetan information security practices, as well as capture real-time evidence of malware that had penetrated Tibetan computer systems," the Information Warfare Monitor report says.
In the second phase of its investigation, researchers analyzing the data discovered insecure, web-based interfaces to four control servers, through which attackers send instructions to, and receive data from, compromised computers. "Our research team successfully scouted these servers, revealing a wide-ranging network of compromised computers," the report said. "This extensive network consists of at least 1,295 infected computers in 103 countries."
The researchers characterized nearly 30 percent of the infected computers as high-value. They included computers housed in the ministries of foreign affairs of Bangladesh, Barbados, Bhutan, Brunei, Indonesia, Iran, Latvia and the Philippines; the embassies of Cyprus, Germany, India, Indonesia, Malta, Pakistan, Portugal, Romania, South Korea, Taiwan and Thailand; the Asian Development Bank, the Association of Southeast Asian Nations secretariat and the South Asian Association for Regional Cooperation; news organizations; and an unclassified computer located at NATO headquarters.
How does GhostNet infect computers? Researchers say contextually relevant e-mails are sent to specific targets with attached documents that are packed with exploit code and Trojan horse programs designed to take advantage of vulnerabilities in software installed on the target's computer. "Once compromised, files located on infected computers may be mined for contact information, and used to spread malware through e-mail and document attachments that appear to come from legitimate sources, and contain legitimate documents and messages," the report says. "It is therefore possible that the large percentage of high value targets identified in our analysis of the GhostNet are coincidental, spread by contact between individuals who previously communicated through e-mail.
"Nonetheless the existence of the GhostNet network is a significant fact in and of itself. At the very least, it demonstrates the ease by which computer-based malware can be used to build a robust, low-cost intelligence capability and infect a network of potentially high-value targets."
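The delivery vector the report describes, a contextually relevant e-mail carrying a document attachment that is really exploit code or a Trojan, is one a mail gateway can screen for before a user ever opens it. The script below is an added example and is not code from the article or from Information Warfare Monitor; the sample attachments in it are constructed stand-ins (the "executable" is only a PE stub string), and the checks are generic heuristics rather than signatures for gh0st RAT: a declared document type whose leading bytes do not match, a document-looking double extension that ends in an executable, an embedded Windows executable, and PDF dictionary keys that run code when the file opens.

```python
# Added example (not from the article or from Information Warfare Monitor): a
# defensive triage pass over e-mail attachments, the delivery vector the report
# describes. Every sample attachment below is constructed, not a real lure.
from __future__ import annotations

import re

# Expected leading bytes (file signatures) for common document types.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .doc/.xls/.ppt container
ZIP_MAGIC = b"PK\x03\x04"                           # OOXML (.docx/.xlsx/.pptx) container
EXPECTED_MAGIC = {
    ".pdf": (b"%PDF-",),
    ".doc": (OLE2_MAGIC,),
    ".xls": (OLE2_MAGIC,),
    ".ppt": (OLE2_MAGIC,),
    ".docx": (ZIP_MAGIC,),
    ".xlsx": (ZIP_MAGIC,),
    ".pptx": (ZIP_MAGIC,),
}

# Extensions that should never arrive dressed up as a document.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js"}

# The DOS-stub message present in almost every Windows PE executable; seeing it
# inside a "document" strongly suggests an embedded or dropped executable.
PE_STUB_TEXT = b"This program cannot be run in DOS mode"

# PDF dictionary keys that execute script or launch programs when the file opens.
PDF_ACTIVE_KEYS = re.compile(rb"/(JavaScript|JS|Launch|OpenAction|AA)\b")


def split_extensions(filename: str) -> list[str]:
    """Return every extension in the name, lower-cased: 'a.pdf.exe' -> ['.pdf', '.exe']."""
    parts = filename.lower().split(".")
    return ["." + p for p in parts[1:]] if len(parts) > 1 else []


def triage(filename: str, data: bytes) -> list[str]:
    """Return finding codes for one attachment (an empty list means nothing was flagged)."""
    findings: list[str] = []
    exts = split_extensions(filename)
    final_ext = exts[-1] if exts else ""

    # 1. Executable delivered outright, or hidden behind a document-looking double extension.
    if final_ext in EXECUTABLE_EXTS:
        findings.append("executable_extension")
        if len(exts) > 1 and exts[-2] in EXPECTED_MAGIC:
            findings.append("double_extension")

    # 2. Declared document type does not match the file's leading bytes.
    expected = EXPECTED_MAGIC.get(final_ext)
    if expected and not any(data.startswith(m) for m in expected):
        findings.append("magic_mismatch")

    # 3. A PE executable at the start of, or embedded anywhere in, the body.
    if data.startswith(b"MZ") or PE_STUB_TEXT in data:
        findings.append("embedded_executable")

    # 4. PDF features that run on open.
    if final_ext == ".pdf" and PDF_ACTIVE_KEYS.search(data):
        findings.append("pdf_active_content")

    return findings


def triage_mailbox(attachments: dict[str, bytes]) -> dict[str, list[str]]:
    """Triage every attachment; only flagged ones appear in the result."""
    result: dict[str, list[str]] = {}
    for name, data in attachments.items():
        findings = triage(name, data)
        if findings:
            result[name] = findings
    return result


# Constructed sample attachments (no real malware; the "executable" is just a PE stub string).
SAMPLES: dict[str, bytes] = {
    "agenda.doc": OLE2_MAGIC + b"\x00" * 64 + b"Meeting agenda for Thursday",
    "briefing.pdf": b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n%%EOF",
    "memo.doc": b"MZ\x90\x00\x03\x00" + PE_STUB_TEXT + b"\r\n$PE\x00\x00",
    "statement.pdf": b"%PDF-1.5\n1 0 obj << /OpenAction << /S /JavaScript /JS (app.alert(1)) >> >> endobj",
    "itinerary.pdf.exe": b"MZ\x90\x00" + PE_STUB_TEXT,
}

if __name__ == "__main__":
    for name, findings in triage_mailbox(SAMPLES).items():
        print(f"{name}: {', '.join(findings)}")
```

Run as a script it reports the three constructed attachments that warrant a closer look (`memo.doc`, `statement.pdf` and `itinerary.pdf.exe`) and stays silent on the two clean ones. The magic-byte check is deliberately conservative: a legitimate PDF or Office file that merely contains the string "MZ" somewhere in its body would not be flagged by rule 2, only by rule 3, so each finding code should be weighed separately rather than treated as a verdict, and anything flagged belongs in a sandbox, not on the recipient's desk.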