• Home
• GOVERNMENT CXO
• E-GOVERNMENT
• CITIZEN ENGAGEMENT
• TAX AND REVENUE MANAGEMENT
• GOVERNMENT PROCUREMENT
• GREEN GOVERNMENT
• GOVERNMENT DATA MANAGEMENT
• GOVERNMENT SECURITY
• GOVERNMENT CLOUD
• GOVERNMENT ANALYTICS
• GOVERNMENT GIS
• CONNECTED GOVERNMENT
• DIGITAL INCLUSION
• EDUCATION IT
• HEALTHCARE IT

Central Government, Government Security

Chinese cyber spy network revealed

By Alice Kok | 30 March 2009

A cyber spy network based mainly in China has tapped into classified documents from government and private organisations in 103 countries, according to a report by a Canadian research group released on Sunday (29 March 2009).

Photos

View photos

Related Articles

• Chinese province starts visitor tax refund
• World City Prize winner revealed
• Chinese prefecture pushes for rural services
• Chinese city goes wireless

Related Categories

• CENTRAL GOVERNMENT
• GOVERNMENT SECURITY

From this Section

• NEWS

The spy system, dubbed GhostNet, is alleged to have compromised 1295 machines at Nato and foreign ministries, embassies, banks and news organisations across the world, as well as computers used by the Dalai Lama and Tibetan exiles.

GhostNet primarily uses a malicious software program called gh0st RAT (Remote Access Tool) to steal sensitive documents, control Web cams and control infected computers. “These instances of Ghost Rat are consistently controlled from commercial internet access accounts located on the island of Hainan, in the People’s Republic of China,” reads the report by Information Warfare Monitor.

IWM investigators initially focused on allegations of Chinese cyber-espionage against the Tibetan exile community, but led to a much wider network of compromised machines. While China appeared to be the main source of the network, IWM had not been able conclusively to identify the hackers.

Throughout this 10-month investigation, foreign ministries of Iran, Bangladesh, Latvia, Indonesia, the Philippines, Brunei, Barbados and Bhutan had been spied on remotely, and the embassies of India, South Korea, Indonesia, Romania, Cyprus, Malta, Thailand, Taiwan, Portugal, Germany and Pakistan hacked.

The IWM report said: “GhostNet represents a network of compromised computers in high-value political, economic and media locations in numerous countries worldwide. These organisations are almost certainly oblivious to the compromised situation in which they find themselves. The computers of diplomats, military attachés, private assistants, secretaries to prime ministers, journalists and others are under the concealed control of unknown assailant(s).”

“In Dharamsala (the headquarters of the Tibetan government in exile) and elsewhere, we have witnessed machines being profiled and sensitive documents being removed. Almost certainly, documents are being removed without the targets’ knowledge, key-strokes logged, web cameras are being silently triggered and audio inputs surreptitiously activated.”

Investigators conducted field research in India, Europe and North America, including in the private office of the Dalai Lama, the Tibetan government-in-exile and several Tibetan NGOs.

“We uncovered real-time evidence of malware that had penetrated Tibetan computer systems, extracting sensitive documents from the private office of the Dalai Lama,” Investigator Greg Walton said.

During the second phase of the investigation, the data led to the discovery of insecure, web-based interfaces to four control servers.

“What we found is not so much unprecedented in scope and sophistication,” said Nart Villeneuve, a senior IWM analyst. “But the relatively small size of the network and concentration of high-value targets is significant. It does not fit the profile for a typical cyber crime network.”

Principal investigators Ron Deibert and Rafal Rohozinski said: “This report serves as a wake-up call. Futhermore, the Internet was never built with security in mind.”

“The large percentage of high-value targets compromised by this network demonstrates the relative ease with which a technically unsophisticated approach can quickly be harnessed to create a very effective spynet.”

The report however, was cautious about attributing the spinet to the Chinese government, reasoning that China has a fifth of the world’s Internet users, which may include hackers who have goals aligning with official Chinese political positions.

Information Warfare Monitor is a joint effort of the SecDev Group in Ottawa and the Citizen Lab at the University of Toronto.