March 29, 2009
By JOHN MARKOFF
TORONTO — A vast electronic spying operation has infiltrated computers and has stolen documents from hundreds of government and private offices around the world, including those of the Dalai Lama, Canadian researchers have concluded.
In a report to be issued this weekend, the researchers said that the system was being controlled from computers based almost exclusively in China, but that they could not say conclusively that the Chinese government was involved.
The researchers, who are based at the Munk Center for International Studies at the University of Toronto, had been asked by the office of the Dalai Lama, the exiled Tibetan leader whom China regularly denounces, to examine its computers for signs of malicious software, or malware.
Their sleuthing opened a window into a broader operation that, in less than two years, has infiltrated at least 1,295 computers in 103 countries, including many belonging to embassies, foreign ministries and other government offices, as well as the Dalai Lama’s Tibetan exile centers in India, Brussels, London and New York.
The researchers, who have a record of detecting computer espionage, said they believed that in addition to the spying on the Dalai Lama, the system, which they called GhostNet, was focused on the governments of South Asian and Southeast Asian countries.
Intelligence analysts say many governments, including those of China, Russia and the United States, and other parties use sophisticated computer programs to covertly gather information.
The newly reported spying operation is by far the largest to come to light in terms of countries affected.
This is also believed to be the first time researchers have been able to expose the workings of a computer system used in an intrusion of this magnitude.
Still going strong, the operation continues to invade and monitor more than a dozen new computers a week, the researchers said in their report, “Tracking ‘GhostNet’: Investigating a Cyber Espionage Network.” They said they had found no evidence that United States government offices had been infiltrated, although a NATO
The malware is remarkable both for its sweep — in computer jargon, it has not been merely “phishing” for random consumers’ information, but “whaling” for particular important targets — and for its Big Brother-style capacities. It can, for example, turn on the camera and audio-recording functions of an infected computer, enabling monitors to see and hear what goes on in a room. The investigators say they do not know if this facet has been employed.
The researchers were able to monitor the commands given to infected computers and to see the names of documents retrieved by the spies, but in most cases the contents of the stolen files have not been determined. Working with the Tibetans, however, the researchers found that specific correspondence had been stolen and that the intruders had gained control of the electronic mail server computers of the Dalai Lama’s organization.
The electronic spy game has had at least some real-world impact, they said. For example, they said, after an e-mail invitation was sent by the Dalai Lama’s office to a foreign diplomat, the Chinese government made a call to the diplomat discouraging a visit. And a woman working for a group making Internet contacts between Tibetan exiles and Chinese citizens was stopped by Chinese intelligence officers on her way back to Tibet, shown transcripts of her online conversations and warned to stop her political activities.
The Toronto researchers said they had notified international law enforcement agencies of the spying operation, which in their view exposed basic shortcomings in the legal structure of cyberspace. The
Although the Canadian researchers said that most of the computers behind the spying were in China, they cautioned against concluding that China’s government was involved. The spying could be a nonstate, for-profit operation, for example, or one run by private citizens in China known as “patriotic hackers.”
“We’re a bit more careful about it, knowing the nuance of what happens in the subterranean realms,” said Ronald J. Deibert, a member of the research group and an associate professor of political science at Munk. “This could well be the
A spokesman for the Chinese Consulate in New York dismissed the idea that China was involved. “These are old stories and they are nonsense,” the spokesman, Wenqi Gao, said. “The Chinese government is opposed to and strictly forbids any cybercrime.”
The Toronto researchers, who allowed a reporter for The New York Times to review the spies’ digital tracks, are publishing their findings in Information Warfare Monitor, an online publication associated with the Munk Center.
At the same time, two computer researchers at Cambridge University in Britain who worked on the part of the investigation related to the Tibetans are releasing an independent report. They do fault China, and they warned that other hackers could adopt the tactics used in the malware operation.
“What Chinese spooks did in 2008, Russian crooks will do in 2010 and even low-budget criminals from less developed countries will follow in due course,” the Cambridge researchers, Shishir Nagaraja and Ross Anderson, wrote in their report, “The Snooping Dragon: Social Malware Surveillance of the Tibetan Movement.”
In any case, it was suspicions of Chinese interference that led to the discovery of the spy operation. Last summer, the office of the Dalai Lama invited two specialists to India to audit computers used by the Dalai Lama’s organization. The specialists, Greg Walton, the editor of Information Warfare Monitor, and Mr. Nagaraja, a network security expert, found that the computers had indeed been infected and that intruders had stolen files from personal computers serving several Tibetan exile groups.
Back in Toronto, Mr. Walton shared data with colleagues at the Munk Center’s computer lab.
One of them was Nart Villeneuve, 34, a graduate student and self-taught “white hat” hacker with dazzling technical skills. Last year, Mr. Villeneuve linked the Chinese version of the Skype communications service to a Chinese government operation that was systematically eavesdropping on users’ instant-messaging sessions.
Early this month, Mr. Villeneuve noticed an odd string of 22 characters embedded in files created by the malicious software and searched for it with Google. It led him to a group of computers on Hainan Island, off China, and to a Web site that would prove to be critically important.
In a puzzling security lapse, the Web page that Mr. Villeneuve found was not protected by a password, while much of the rest of the system uses encryption.
Mr. Villeneuve and his colleagues figured out how the operation worked by commanding it to infect a system in their computer lab in Toronto. On March 12, the spies took their own bait. Mr. Villeneuve watched a brief series of commands flicker on his computer screen as someone — presumably in China — rummaged through the files. Finding nothing of interest, the intruder soon disappeared.
Through trial and error, the researchers learned to use the system’s Chinese-language “dashboard” — a control panel reachable with a standard Web browser — by which one could manipulate the more than 1,200 computers worldwide that had by then been infected.
Infection happens two ways. In one method, a user’s clicking on a document attached to an e-mail message lets the system covertly install software deep in the target operating system. Alternatively, a user clicks on a Web link in an e-mail message and is taken directly to a “poisoned” Web site.
The researchers said they avoided breaking any laws during three weeks of monitoring and extensively experimenting with the system’s unprotected software control panel. They provided, among other information, a log of compromised computers dating to May 22, 2007.
They found that three of the four control servers were in different provinces in China — Hainan, Guangdong and Sichuan — while the fourth was discovered to be at a Web-hosting company based in Southern California.
Beyond that, said Rafal A. Rohozinski, one of the investigators, “attribution is difficult because there is no agreed upon international legal framework for being able to pursue investigations down to their logical conclusion, which is highly local.”
Received on Sat Mar 02 2024 - 00:57:19 CST