Cyber Espionage Ring Focuses on International Targets

Demetria Dixon
An obviously well-coordinated ring of cyberspies has struck at the heart of worldwide government. The spy network is alleged to be based mainly in China. Charmaine Noronha of the Associated Press reported from Toronto that although the ring struck at the documents and information of over 103 agencies, one of its most prominent targets appeared to be the Dalai Lama and 13 Tibetan exiles. A group of researchers calling themselves the Information Warfare Monitor (IWM) was originally focusing on China's efforts at cyber espionage against the Tibetan Government-in-exile. In a research effort that spanned 10 months, researchers from the Ottawa-based think tank SecDev Group, the University of Toronto's Munk Centre for International Studies and Britain's Cambridge University, known collectively as the IWM, discovered the extensive targets.

The IWM uncovered over 1,295 compromised computers from numerous international embassies and foreign ministries. Among those compromised were the ministries in Iran, Bangladesh, Brunei and Bhutan, along with embassies in India, South Korea, Thailand, Germany and Pakistan, just to name a few.

The Snooping Dragon

In the abstract of a paper called "The Snooping Dragon: Social Malware Surveillance of the Tibetan Movement," Shishir Nagaraja of the University of Illinois at Urbana-Champaign and Ross Anderson of Cambridge University write about what distinguishes these incidents from other cyber attacks. "First, it was a targeted surveillance attack designed to collect actionable intelligence for use by the police and security services of a repressive state, with potentially fatal consequences for those exposed. Second, the modus operandi combined social phishing with high-grade malware. This combination of well-written malware with well-designed email lures, which we call social malware, is devastatingly effective."

While China is thought to be at the center of these attacks, Nagaraja and Anderson did add, "Although this particular case involved the agents of a major power, the attack could in fact have been mounted by a capable motivated individual. This report is therefore of importance not just to companies who may attract the attention of government agencies, but to all organisations." Nagaraja and Anderson seemed to intimate that, although this appeared to be a high-level attack, the technology employed would allow others in the future to focus on more innocuous targets that deal with finance and accounts payable. Obviously, those involved in cybercrimes are constantly evolving the technology and techniques to separate people from information and money.

Tracking GhostNet

The initial findings of the Information Warfare Monitor (IWM) researchers are set to be released March 29, 2009. The paper, entitled "Tracking GhostNet: Investigating a Cyber Espionage Network," covers the 10-month investigation by IWM. The investigation was in-depth and far-reaching. The researchers utilized a combination of methods to gather the information. These included field-based research in Dharamsala, India, with additional field research done in Brussels, London and New York. They installed network monitoring software that intercepted some of the malware used by the cyberspies. Other methods employed were computer-based scouting, target selection and extensive data analysis. The paper is well researched and highly technical in nature. It can be read in its entirety at the Scribd link listed under Sources.

The researchers cover the mechanics of the investigation and the techniques employed by the hackers that focused the researchers on China as the possible culprit. They are, however, quick to add that China may only be the operational headquarters of the cyberspy ring, and they share that they cannot completely attribute these espionage activities to the Chinese. The paper concludes by offering that the identity of the culprit may not be as important as the methods that were employed by the ring. "Ultimately, the question of who is behind the Ghostnet may matter less than the strategic significance of the collection of affected targets... It demonstrates that the subterranean layers of cyberspace, about which most users are unaware, are domains of active reconnaissance, surveillance and exploitation. Regardless of who or what is ultimately in control of Ghostnet, its capabilities of exploitation and strategic intelligence that can be harvested from it matter most."

Sources

http://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-746.html

http://news.yahoo.com/s/ap/20090329/ap_on_re_ca/canada_cyber_spy_network_1

http://www.csamuel.org/2009/03/29/the-snooping-dragon-social-malware-surveillance-of-the-tibetan-movement

http://www.scribd.com/doc/13731776/Tracking-GhostNet-Investigating-a-Cyber-Espionage-Network


1 Comment

  • L.L. Woodard, 3/29/2009

    Fascinating information.