University of Toronto researchers uncover Chinese computer spy network

University of Toronto researchers announced that they have uncovered a cyberspying network based in China that has infected more than 1,295 computers in 103 countries, calling the discovery “a wake-up call.”

More than 30 per cent of the infected hosts of the malware-based network, now called GhostNet, are considered high-value targets and include computers located in various ministries of foreign affairs, embassies, international organizations, news media, non-government organizations and even the private office of the Dalai Lama, the head of Tibet’s government-in-exile, according to a report released by SecDev Group, a research organization based in Ottawa, and Citizen Lab, an Internet research team headquartered at the Munk Centre for International Studies at U of T.

Infected machines were found in the foreign ministries of Bangladesh, Barbados, Bhutan, Brunei, Indonesia, Iran, Latvia and the Philippines. Infected computers were also found at the embassies of Cyprus, Germany, India, Malta, Pakistan, Portugal, Romania, South Korea, Thailand and Taiwan, according to the report, titled “Tracking GhostNet: Investigating a Cyber Espionage Network.”

Although the researchers are careful to stress that the report should not be used to “point fingers” at any government, they say the evidence indicates that the Chinese government may be involved.

“Among the information stolen were a list of foreign dignitaries that have contacts with the Dalai Lama, e-mail correspondences and itinerary,” said Greg Walton, senior security researcher for the OpenNet Initiative and fellow at the Citizen Lab.

In another instance, he said, a Tibetan woman who worked for an NGO was recently picked up by Chinese authorities upon her return to her country. The woman told researchers that authorities who interrogated her confronted her with details of her online correspondence.

“This would suggest that a government is being targeted and that the Chinese government may have a part. But this is circumstantial evidence,” he said at a press conference yesterday at the Munk Centre in Toronto.

“This should serve as a call to action to government agencies around the world to develop policies around preventing these activities,” said Janice Stein, head of the Munk Centre.

“We believe Canada should play a critical if not leading role in this initiative since we have the expertise in the area,” she said.

The network had three servers based in the Chinese mainland and a fourth located in the United States, said Nart Villeneuve, another Citizen Lab fellow and the researcher credited with finding the servers by doing a Google search on a data string.

The network was still in operation until Monday morning and it was only later in the afternoon that the connections to most of the infected computers “were gradually taken down,” he said.


The Citizen Lab has long been probing cyberespionage activities by China and other governments around the world, according to Ron Deibert, an associate professor of political science at U of T known as “The Hacker Prof” and leader of the Citizen Lab “hacktivists” who monitor repressive states that filter digital information.

He said the discovery of GhostNet points to the “growing militarization and weaponization of the Internet.”

“But attributing all Chinese malware to deliberate or targeted intelligence gathering operations by the Chinese state is wrong and misleading,” Deibert said.

He noted that China currently hosts the world’s largest population of Internet users. “The sheer number of young digital natives online can more than account for the increase in Chinese malware … it’s expected that China (and Chinese individuals) will account for a larger population of cybercrime.”

Rafal Rohozinski, principal and CEO of the Ottawa-based SecDev, said evidence of the online snooping will now be submitted to the affected government agencies and organizations. “It is up to them to act on this matter … We are constrained by our mandate and methods not to interfere.”

Both Rohozinski and Deibert stressed that the researchers were not commissioned by any party to carry out the investigation nor did they break any laws or hack into any system. The investigation began when researchers were granted access to computers of Tibet’s government in exile. Tibetan NGOs and the office of the Dalai Lama were concerned about leaks of confidential information.

“We were able to monitor the activities of the network after we got our own machines infected by GhostNet,” said Deibert.

The network’s existence came to light after a 10-month investigation which included field-based research in India by SecDev as well as “technical scouting and computer network interrogation” carried out in Toronto by Citizen Lab researchers of the Munk Centre.

The report said GhostNet primarily uses a malicious software program called ghOst RAT (Remote Access Tool) to steal sensitive documents, install key loggers, control computer devices such as Webcams and control infected computers. “GhostNet represents a network of compromised computers resident in high-value political, economic and media locations spread across numerous countries worldwide,” according to the report.

“These organizations are almost certainly oblivious to the compromised situation in which they find themselves,” the report added.

The researchers admitted, however, that they have no confirmation of whether the information obtained by the network is of intrinsic value to the hackers or whether it is being passed off for intelligence and sold for profit.

“The Chinese focus on cyber capabi
