2009-04-01
Abstract
Researchers uncover significant cyber espionage network.
Copyright © 2009 Virus Bulletin
Last month saw the publication of a research paper reporting on a 10-month investigation of an alleged Chinese spy operation against Tibetan organizations. The investigation not only uncovered evidence of tampering with the Tibetan systems, but also evidence of a more widespread cyber espionage network of over 1,295 infected computers in more than 100 countries – dubbed GhostNet.
The research, conducted by the Information Warfare Monitor, consisted of field-based operations in India, Europe and North America, followed by lab-based data analysis. It was the data analysis phase of the investigation that led to the discovery of insecure, web-based interfaces controlling four servers. The interfaces allow attackers to communicate with compromised computers (sending instructions and receiving data). Further investigation of the servers revealed an extensive network of at least 1,295 compromised computers in 103 countries. Furthermore, the team determined that almost 30% of the infected computers could be considered ‘high-value targets’ – including those of ministries of foreign affairs, embassies, international organizations, news media, and NGOs.
The researchers are careful to point out that, although circumstantial evidence points to the Chinese state as being the main source of the network, they are unable to reliably ascertain either the motivation or the identity of the attackers/controllers of the network.
The full report can be downloaded at http://www.scribd.com/doc/13731776/Tracking-GhostNet-Investigating-a-Cyber-Espionage-Network. A report by researchers Shishir Nagaraja and Ross Anderson detailing their part of the Tibetan investigation can be read at http://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-746.pdf.
