A network mostly based in China caught in cyber hacking

[Damiano]

A shadowy cyber-espionage network based mostly in China has infiltrated government and private computers around the world, including those of the Dalai Lama, Canadian researchers said Sunday.

The network, known as GhostNet, infected 1,295 computers in 103 countries and penetrated systems containing sensitive information in top political, economic and media offices, the researchers said in a report.

Many of the compromised computers were found in the embassies of Asian countries, such as India, Indonesia, Malaysia, Pakistan, Thailand and Taiwan.
The embassies of Cyprus, Germany, Malta, Portugal and Romania as well as the foreign ministries of Bangladesh, Bhutan, Iran and Latvia were also targeted, and in most cases staff remained unaware that their systems had been attacked.

"Up to 30 percent of the infected hosts are considered high-value targets and include computers located at ministries of foreign affairs, embassies, international organizations, news media and NGOs," the report said.

The report, by the group Information Warfare Monitor, was commissioned by the Dalai Lama's office alarmed by possible breaches of security.

The 10-month investigation by specialists based at the University of Toronto found the spying was being done from computers based almost exclusively in China.

But researchers said while its findings were disturbing there was no conclusive evidence the Chinese government was involved, highlighting that China now had the world's highest number of Internet users.

"We do not know the motivation or the identity of the attackers or how to accurately characterize this network of infections as a whole," the report said.

"Attributing all Chinese malware to deliberate or intelligence gathering operations by the Chinese state is wrong and misleading," the report said.

"The sheer number of young digital natives online can more than account for the increase in Chinese malware."

In London, Chinese embassy spokesman Liu Weimin suggested the report was part of a Tibetan media and propaganda campaign.

[Damiano]

"In China, it is against the law to hack into the computers of others, and we are victims of such cyber attack," Liu said. "It is a global challenge that requires global cooperation. China is an active participant in such cooperation in the world."

The investigation between June 2008 and March 2009 focused on the Tibetan community, thanks to the unparalleled access the team was given to Tibetan missions in Dharamsala as well as in London, Brussels and New York.

"The Tibetan computer systems we manually investigated ... were conclusively compromised by multiple infections that gave attackers unprecedented access to potentially sensitive information," the report said.

Their work led them to a broader operation that had infiltrated at least 1,295 computers in less than two years.

By installing malware on the computers, the China-based hackers were able to get the infected systems to send them top-secret information.

The researchers set up a "honey pot computer" to track down some of the malicious servers by monitoring the traffic that was generated from the honey pot once it was infected.

They found that three of the four control servers commanding infected computers to download secret files were located in China in Hainan, Guangdong and Sichuan. The fourth was located in the United States.

"From the evidence at hand, it is not clear whether the attacker(s) really knew what they had penetrated, or if the information was ever exploited for commercial or intelligence value," the report said.

"This report serves as a wake up call," the authors pointed out. "At the very least a large percentage of high-value targets compromised by this network demonstrate the relative ease with which a technically unsophisticated approach can quickly be harnessed to create a very effective spynet."

[Johnny]

Cyberpsace has empowered individuals and small groups of non-state actors to do many things, including executing sophisticated computer network operations that were previously only the domain of state intelligence agencies.

[Dr.Jones]

The researchers warned GhostNet continues to invade and monitor more than a dozen new computers a week.
However, they found no evidence that US government offices had been infiltrated, although a NATO computer was monitored by the spies for half a day and computers of the Indian Embassy in Washington were infiltrated.