China dismisses cyber-espionage claims

The network was discovered after computers at the Dalai Lama's office were hacked, researchers say.
Analysts in China are dismissing claims that nearly 1,300 computers in more than 100 countries have been attacked, and have become part of a cyber-espionage network apparently based in China.

“This is purely another political issue that the West is trying to exaggerate,” Song Xiaojun, a Beijing-based strategy and military analyst, told the state-run news agency, Xinhua.

Zhu Feng, a professor with the school of international studies at Peking University, added: “Cyber security has been a global issue, but this time those who see China as an emerging threat again have picked the subject as a new weapon.”

Computers — including machines at NATO, governments and embassies — are infected with software that lets attackers gain complete control of them, cyber-security experts alleged in two reports Sunday. One report was issued by the University of Toronto’s Munk Centre for International Studies in conjunction with the Ottawa, Canada-based think tank The SecDev Group; the second came from the University of Cambridge Computer Laboratory.

Researchers have dubbed the cyber-espionage network GhostNet. The network can not only search a computer but see and hear the people using it, according to the Canadian report.

“GhostNet is capable of taking full control of infected computers, including searching and downloading specific files, and covertly operating attached devices, including microphones and web cameras,” the report says.

The discovery of GhostNet grew out of suspicions that the office of the Dalai Lama had been hacked. His staff sent a foreign diplomat an e-mail invitation to meet the Tibetan spiritual leader, but before the Dalai Lama’s people could follow up with a phone call, “the diplomat’s office was contacted by the Chinese government and warned not to go ahead with the meeting,” according to the Cambridge report.

The investigation resulted in both reports. Both found links to computers in China, but the researchers did not conclude who they thought was behind the “malware,” or malicious software.

“Chinese cyber espionage is a major global concern… (b)ut attributing all Chinese malware to deliberate or targeted intelligence gathering operations by the Chinese state is wrong and misleading,” says the Canadian report, titled, “Tracking GhostNet: Investigating a Cyber Espionage Network.”

“The sheer number of young digital natives online can more than account for the increase in Chinese malware,” it adds. But the report also points out that China is among a handful of countries, also including the United States, Israel and the United Kingdom, which are “assumed” to have considerable cyber-espionage capabilities.

Attempts by CNN to contact the Chinese government in Beijing, and its American embassy and consulate offices, were unsuccessful.

Hackers gained access to computers in the Dalai Lama’s office by tricking computer users into downloading attachments in e-mail which had been carefully engineered to appear safe, according to the authors of the Cambridge report, titled, “The snooping dragon: social-malware surveillance of the Tibetan movement.”

“The attackers took the trouble to write e-mails that appeared to come from fellow Tibetans and indeed from co-workers,” say the report’s authors, Shishir Nagaraja and Ross Anderson. Once the attackers gained an initial foothold, “they also stole mail in transit and replaced the attachments with toxic ones,” they add.

The Dalai Lama investigation led to the discovery of hundreds more infected machines in locations from The Associated Press in Britain and Deloitte and Touche in New York, to the ministries of foreign affairs in Indonesia, Iran and the Philippines. The office of the prime minister of Laos was also snared, as was a single non-secure computer at NATO, “Tracking GhostNet” claims. Infected computers “checked in” with control servers as early as May 2007 and as recently as March 12 of this year, the report adds.

Attempts by CNN to verify the reports’ allegations with NATO, the Laotian government and the Dalai Lama’s organization in India were not immediately successful on Sunday.

The attack has broader implications, Nagaraja and Anderson warn, since a single person could carry out a similar one. “Even a capable motivated individual could have carried out the attacks we describe here,” they say. “Russian crooks will do (it) in 2010, and even low-budget criminals from less developed countries will follow in due course.”

The computer systems of businesses are almost certain to be hacked by similar means, if they have not been already, the experts claim.
“Social malware will be used for fraud, and the typical company really has no defense against it,” since it is so expensive and inconvenient, for example, to keep sensitive information or processes on computers with no Internet access. “We expect that many crooks will get rich before effective countermeasures are widely deployed.”

The Information Warfare Monitor web site, where the Canadian report was released, was down Sunday afternoon. GhostNet is not affiliated with GhostNet Inc., a business technology company.