Reports: Cyberspy network targets governments

The network was discovered after computers at the Dalai Lama's office were hacked, researchers say.
Nearly 1,300 computers in more than 100 countries have been attacked and have become part of an computer espionage network apparently based in China, security experts alleged in two reports Sunday.

Computers — including machines at NATO, governments and embassies — are infected with software that lets attackers gain complete control of them, according to the reports. One was issued by the University of Toronto’s Munk Centre for International Studies in conjunction with the Ottawa, Canada-based think tank The SecDev Group; the second came from the University of Cambridge Computer Laboratory. Researchers have dubbed the network GhostNet. The network can not only search a computer but see and hear the people using it, according to the Canadian report. “GhostNet is capable of taking full control of infected computers, including searching and downloading specific files, and covertly operating attached devices, including microphones and web cameras,” the report says. The discovery of GhostNet grew out of suspicions that the office of the Dalai Lama had been hacked. His staff sent a foreign diplomat an e-mail invitation to meet the Tibetan spiritual leader, but before the Dalai Lama’s people could follow up with a phone call, “the diplomat’s office was contacted by the Chinese government and warned not to go ahead with the meeting,” according to the Cambridge report. An investigation resulted in both reports. Both found links to computers in China, but the researchers did not conclude who they thought was behind the “malware,” or malicious software. “Chinese cyber espionage is a major global concern … [b]ut attributing all Chinese malware to deliberate or targeted intelligence gathering operations by the Chinese state is wrong and misleading,” according to the Canadian report titled, “Tracking GhostNet: Investigating a Cyber Espionage Network.” “The sheer number of young digital natives online can more than account for the increase in Chinese malware,” it adds. But the report also points out that China is among a handful of countries, including the United States, Israel and United Kingdom, that are “assumed” to have considerable computer espionage capabilities. Attempts by CNN to contact the Chinese government in Beijing and its American embassy and consulate offices were unsuccessful on Sunday, as the offices were closed. However, a spokesman for the Chinese consulate in New York dismissed the idea China was involved when speaking to The New York Times. “These are old stories and they are nonsense,” Wenqi Gao told the Times. “The Chinese government is opposed to and strictly forbids any cyber crime.” Hackers gained access to computers in the Dalai Lama’s office by tricking computer users into downloading e-mail attachments that had been carefully engineered to appear safe, according to the authors of the Cambridge report, titled, “The Snooping Dragon: Social-malware Surveillance of the Tibetan Movement.” “The attackers took the trouble to write e-mails that appeared to come from fellow Tibetans and indeed from co-workers,” according to the report, authored by Shishir Nagaraja and Ross Anderson. Once the attackers gained an initial foothold, “they also stole mail in transit and replaced the attachments with toxic ones,” the report adds. The Dalai Lama investigation led to the discovery of hundreds more infected machines in locations from The Associated Press in Britain and Deloitte and Touche in New York, to the ministries of foreign affairs in Indonesia, Iran and the Philippines. The office of the prime minister of Laos was also snared, as was a single non-secure computer at NATO, according to the Canadian report. Infected computers “checked in” with control servers as early as May 2007 and as recently as March 12 of this year, the report adds. Attempts by CNN to verify the reports’ allegations with NATO, the Laotian government and the Dalai Lama’s organization in India were not immediately successful on Sunday. The attack has broader implications, Nagaraja and Anderson warn, since a single person could carry out a similar one. “Even a capable motivated individual could have carried out the attacks we describe here,” they say. The computer systems of businesses are almost certain to be hacked by similar means, if they have not been already, the experts claim. “Social malware will be used for fraud, and the typical company really has no defense against it,” since it is so expensive and inconvenient, for example, to keep sensitive information or processes on computers with no Internet access. “We expect that many crooks will get rich before effective countermeasures are widely deployed.” The Information Warfare Monitor Web site, where the Canadian report was released, was down Sunday afternoon. GhostNet is not affiliated with GhostNet Inc., a business technology company.