New York Times
By JOHN MARKOFF
Vast Spy System Loots Computers in 103 Countries
TORONTO — A vast electronic spying operation has infiltrated computers and has stolen documents from hundreds of government and private offices around the world, including those of the Dalai Lama, Canadian researchers have concluded.
In a report to be issued this weekend, the researchers said that the system was being controlled from computers based almost exclusively in China, but that they could not say conclusively that the Chinese government was involved.
They found that three of the four control servers were in different provinces in China — Hainan, Guangdong and Sichuan — while the fourth was discovered to be at a Web-hosting company based in Southern California.
The researchers, who are based at the Munk Center for International Studies at the University of Toronto, had been asked by the office of the Dalai Lama, the exiled Tibetan leader whom China regularly denounces, to examine its computers for signs of malicious software, or malware.
Their sleuthing opened a window into a broader operation that, in less than two years, has infiltrated at least 1,295 computers in 103 countries, including many belonging to embassies, foreign ministries and other government offices, as well as the Dalai Lama’s Tibetan exile centers in India, Brussels, London and New York.
The researchers, who have a record of detecting computer espionage, said they believed that in addition to the spying on the Dalai Lama, the system, which they called GhostNet, was focused on the governments of South Asian and Southeast Asian countries.
Intelligence analysts say many governments, including those of China, Russia and the United States, and other parties use sophisticated computer programs to covertly gather information.
The newly reported spying operation is by far the largest to come to light in terms of countries affected.
This is also believed to be the first time researchers have been able to expose the workings of a computer system used in an intrusion of this magnitude.
Still going strong, the operation continues to invade and monitor more than a dozen new computers a week, the researchers said in their report, “Tracking ‘GhostNet’: Investigating a Cyber Espionage Network.” They said they had found no evidence that United States government offices had been infiltrated, although a NATO computer was monitored by the spies for half a day and computers of the Indian Embassy in Washington were infiltrated.
The malware is remarkable both for its sweep — in computer jargon, it has not been merely “phishing” for random consumers’ information, but “whaling” for particular important targets — and for its Big Brother-style capacities. It can, for example, turn on the camera and audio-recording functions of an infected computer, enabling monitors to see and hear what goes on in a room.
The researchers were able to monitor the commands given to infected computers and to see the names of documents retrieved by the spies, but in most cases the contents of the stolen files have not been determined. Working with the Tibetans, however, the researchers found that specific correspondence had been stolen and that the intruders had gained control of the electronic mail server computers of the Dalai Lama’s organization.
The Toronto researchers said they had notified international law enforcement agencies of the spying operation, which in their view exposed basic shortcomings in the legal structure of cyberspace. The F.B.I. declined to comment on the operation.
“We’re a bit more careful about it, knowing the nuance of what happens in the subterranean realms,” said Ronald J. Deibert, a member of the research group and an associate professor of political science at Munk. “This could well be the C.I.A. or the Russians. It’s a murky realm that we’re lifting the lid on.”
At the same time, two computer researchers at Cambridge University in Britain who worked on the part of the investigation related to the Tibetans are releasing an independent report. They do fault China, and they warned that other hackers could adopt the tactics used in the malware operation.
“What Chinese spooks did in 2008, Russian crooks will do in 2010 and even low-budget criminals from less developed countries will follow in due course,” the Cambridge researchers, Shishir Nagaraja and Ross Anderson, wrote in their report, “The Snooping Dragon: Social Malware Surveillance of the Tibetan Movement.”
Back in Toronto, Mr. Walton shared data with colleagues at the Munk Center’s computer lab.
One of them was Nart Villeneuve, 34, a graduate student and self-taught “white hat” hacker with dazzling technical skills. Last year, Mr. Villeneuve linked the Chinese version of the Skype communications service to a Chinese government operation that was systematically eavesdropping on users’ instant-messaging sessions.
Early this month, Mr. Villeneuve noticed an odd string of 22 characters embedded in files created by the malicious software and searched for it with Google. It led him to a group of computers on Hainan Island, off China, and to a Web site that would prove to be critically important.
In a puzzling security lapse, the Web page that Mr. Villeneuve found was not protected by a password, while much of the rest of the system uses encryption.
Mr. Villeneuve and his colleagues figured out how the operation worked by commanding it to infect a system in their computer lab in Toronto. On March 12, the spies took their own bait. Mr. Villeneuve watched a brief series of commands flicker on his computer screen as someone — presumably in China — rummaged through the files. Finding nothing of interest, the intruder soon disappeared.
Through trial and error, the researchers learned to use the system’s Chinese-language “dashboard” — a control panel reachable with a standard Web browser — by which one could manipulate the more than 1,200 computers worldwide that had by then been infected.
Infection happens two ways. In one method, a user’s clicking on a document attached to an e-mail message lets the system covertly install software deep in the target operating system. Alternatively, a user clicks on a Web link in an e-mail message and is taken directly to a “poisoned” Web site.
The researchers said they avoided breaking any laws during three weeks of monitoring and extensively experimenting with the system’s unprotected software control panel. They provided, among other information, a log of compromised computers dating to May 22, 2007.
Beyond that, said Rafal A. Rohozinski, one of the investigators, “attribution is difficult because there is no agreed upon international legal framework for being able to pursue investigations down to their logical conclusion, which is highly local.”
By Malcolm Moore
The study revealed that almost a third of the targets infected by GhostNet are “considered high-value and include computers located at ministries of foreign affairs, embassies, international organisations, news media and NGOs”. This global web of espionage has been constructed in the last two years.
The US Defence Department has repeatedly warned of China’s increasing capabilities in electronic warfare. A report from the Pentagon, issued last week, said that the Chinese army “often cites the need in modern warfare to control information, sometimes termed ‘information dominance’.”
The report added: “China has made steady progress in recent years in developing offensive nuclear, space and cyber-warfare capabilities, the only aspects of China’s armed forces that, today, have the potential to be truly global.”
The Chinese government decided long ago to make control of information a central plank of the country’s policy. At the 10th National People’s Congress, in 2003, the Chinese army announced the creation of “information warfare units”. General Dai Qingmin said internet attacks would run in advance of any military operation to cripple enemies.
But on Sunday night the Chinese government denied any involvement in cyber-spying. Liu Weimin, a spokesman for the Chinese embassy in London, said Beijing had also fallen victim to hackers.
Rebuilding America’s Defenses PNAC report:
“It is now commonly understood that information and other new technologies… are creating a dynamic that may threaten America’s ability to exercise its dominant military power.” – pg 4 (PDF page 16)
“Control of space and cyberspace. Much as control of the high seas – and the protection of international commerce – defined global powers in the past, so will control of the new ‘international commons’ be a key to world power in the future. An America incapable of protecting its interests or that of its allies in space or the ‘infosphere’ will find it difficult to exert global political leadership.” – pg 51 (PDF page 63)
The Project for the New American Century (PNAC) was founded in 1997 with many members who later became the nucleus of the George W. Bush administration. The list includes Jeb Bush, Dick Cheney, I. Lewis Libby, Donald Rumsfeld and Paul Wolfowitz, among many other powerful but less well-known names.