"Shadow" Report Calls for Global Summit

Researchers: Cyberspace at Risk from 'Perfect Storm' of Threats

Security researchers have uncovered a complex ecosystem of cyber espionage made up of an unknown number of hackers who have systematically broken into computer networks worldwide.
In the new report "Shadows in the Cloud", Information Warfare Monitor security researchers from the University of Toronto's Citizen Lab in the Munk School of Global Affairs, the SecDev Group in Ottawa, Canada, and the Shadowserver Foundation call for a global convention on cyberspace to build the mechanisms to share information across borders and institutions, in order to stop further cyber espionage like that perpetrated by the "Shadow" spy group.
The researchers say there is a real risk of a "perfect storm" erupting out of the vacuum that exists in cyberspace, where no rules exist. This lack of controls will subvert cyberspace either through a knee-jerk overreaction, a spiraling arms race, the placement of heavy controls or a possible exodus from cyberspace, as people disconnect out of fear of being harmed by cyber espionage.
The "Shadow" cyber espionage network compromised networks from all sectors -- government, business, academic and others -- in India, in the Offices of the Dalai Lama and the United Nations, and in several other countries. The "Shadow" group's identity and motivation weren't uncovered, but the researchers traced the location of the network's base back to Chengdu, China. The researchers found that the cyber attackers used multiple redundant cloud computing systems, social networking platforms and free web hosting services to maintain around-the-clock control of core servers in Chengdu.
The report is the culmination of an investigation that lasted eight months. The researchers retrieved data stolen from politically sensitive targets, including the Dalai Lama and agencies of the Indian national security establishment. Data from numerous other countries and citizens, including personal, financial, and business information, was also recovered.
Among the major findings of this new report:
- Complex cyber espionage network - Researchers point to documented evidence of a cyber espionage network that compromised government, business, and academic computer systems in India, the Office of the Dalai Lama, and the United Nations. Numerous other institutions, including the Embassy of Pakistan in the United States, were also compromised. "Some of these institutions can be positively identified, while others cannot," the report states.
- Theft of classified and sensitive documents - Recovery and analysis of exfiltrated data, including one document that appears to be encrypted diplomatic correspondence; two documents marked "SECRET"; six as "RESTRICTED"; and five as "CONFIDENTIAL." These documents are identified as belonging to the Indian government. "However, we do not have direct evidence that they were stolen from Indian government computers, and they may have been compromised as a result of being copied onto personal computers," says the report.
- Evidence of collateral compromise - Some of the data recovered by researchers included visa applications submitted to Indian diplomatic missions in Afghanistan. This data was voluntarily provided to the Indian missions by nationals of 13 countries as part of the regular visa application process. This finding points to the complex nature of the information security challenge where risks to individuals (or operational security) can occur as a result of a data compromise on secure systems operated by trusted partners.
- Command-and-control infrastructure that leverages cloud-based social media services - The researchers say the spy group used a complex and tiered command and control infrastructure, designed to maintain persistence. The infrastructure made use of freely available social media systems that include Twitter, Google Groups, Blogspot, Baidu Blogs, blog.com and Yahoo! Mail. This top layer directed compromised computers to accounts on free web hosting services, and as the free hosting servers were disabled, to a stable core of command and control servers located in the PRC.
- Links to Chinese hacking community - The researchers say they uncovered evidence of links connecting the Shadow network and two individuals living in Chengdu, China, to the underground hacking community in China.