
The presentation is based upon the report SHADOWS IN THE CLOUD made public by the Shadowserver Foundation

By

ANUPAM TIWARI
The Shadows in the Cloud report illustrates the increasingly dangerous ecosystem of crime and espionage and its embeddedness in the fabric of global cyberspace.

REASON BEHIND…
Public institutions have adopted new technologies faster than procedures and rules have been created to deal with the radical transparency and accompanying vulnerabilities they introduce.

Before we start…

EXECUTIVE SUMMARY

Complex ecosystem of cyber espionage that systematically compromised government, business, academic, and other computer network systems.

Analysis of data stolen from politically sensitive targets and recovered during the course of the investigation.

Data containing sensitive information of numerous third-party countries, as well as personal, financial, and business information, were also exfiltrated & recovered.

Analysis of the malware ecosystem employed in order to maintain persistent control while operating core servers located in the People’s Republic of China (PRC).

Effort of an eight-month collaborative activity between the Information Warfare Monitor (Citizen Lab and SecDev) and the Shadowserver Foundation.
OVERALL SUMMARY

Complex Cyber Espionage Network

Theft of classified and sensitive documents

Evidence of collateral compromise

Command-and-control infrastructure that leverages cloud-based social media services

Links to Chinese hacking community

Large degree of organized malware networks.

Misuse of social networking sites like Google, Baidu, Yahoo & Twitter.

Continuation of TRACKING GHOSTNET with more nuance

Fusion Methodology: combines network-based technical interrogation & field-based contextual investigations

Follow-up of Unexplored GhostNet Paths

DNS Sinkhole

Tibetan organizations who thought they were being spied on

Dalai Lama
Beyond Tracking GHOSTNET

Follow-up of Unexplored GhostNet Paths

Shadowserver Foundation was only involved – Tracking GhostNet
Information Warfare Monitor & Shadowserver Foundation – Shadows in the Cloud

Monitoring of exfiltration of sensitive documents – Tracking GhostNet

Recovery of stolen documents – Shadows in the Cloud
Observation and Characterization of the Ecosystem of Malware

From Criminal Exploitation to Political Espionage?

Collateral Compromise

Actionable Intelligence around Exfiltrated Data

Field Investigation: Victim Identification; Data Recovery; Attribution

Technical Investigative Activities: Command & Control server Topography; DNS Sinkhole; Malware Analysis
Look Back: What was related to and still operational from the Tracking GhostNet report; current state of closed and offline domains; re-registration of these closed/expired domains

Multi Cyber Espionage Attempts: Involvement of at least two confirmed, distinct cyber; complex configured Command & Control Server; multi-malware intrusion

Focus: Focus only on one network named SHADOW NETWORK; leveraged social networking sites & free web hosting servers; systems & servers reverse engineered, locating them in the PRC; recovery of data from compromised computers
Attack Vectors/Malware

Malicious Documents & Command and Controls

Malicious Binaries found on Command and Controls

Malware connected to Yahoo Mail Accounts

TROJAN ENFAL

IP Address Relationships

Malware File Path Relationships

Malware Connection Relationships

Van Horenbeeck

Web-based interface that lists cursory information on compromised computers located on one command and control server

Text files in web-accessible directories on three command and control servers that list detailed information on compromised computers

Information obtained from email accounts used for command and control of compromised computers

Information obtained from one command and control server from which we retrieved exfiltrated documents

Information obtained from our DNS sinkhole


SINKHOLE

Relation between DNS Sinkhole & Live Command and Control Centre

PALANTIR Screenshots

Notable distribution of compromised computers across countries

Recovered IP Addresses
ENTITIES OF INTEREST FROM RECOVERED IP ADDRESSES
GEOGRAPHIC DISTRIBUTION OF COMPROMISED HOSTS
Diplomatic Missions and Government Entities

National Security and Defence

• Pechora Missile System
• Iron Dome Missile System
• Project Shakti

Institute for Defence Studies and Analyses (IDSA)

SP’s Land Forces 2008

Personal info regarding a member of the Directorate General of Military Intelligence

Institute for Defence Studies and Analyses, India
National Security Council Secretariat, India
Diplomatic Missions, India
Defence-oriented publications, India
Military Engineer Services, India
Corporations, India
Military Personnel, India
Maritime, India
Military Educational Institutions, India
United Nations


Malware samples used by the attackers, which were primarily PDFs
that exploited vulnerabilities in Adobe Acrobat and Adobe Reader

Glacier : Godfather of the Chinese Trojan

Attacker used Yahoo! Mail accounts as command and control servers

PATRIOTIC HACKING

No direct control of the PRC Government

China relies on a broad informal network of students, tourists, teachers, and foreign workers inside host nations to collect small bits of information to form a composite picture of the environment. Rather than set a targeted goal for collection, they instead rely on the sheer weight of information to form a clear understanding of the situation.

Little evidence exists in open sources to establish firm ties between the PLA and China’s hacker community; however, research did uncover limited cases of apparent collaboration between more elite individual hackers and the PRC’s civilian security services. The caveat to this is that amplifying details are extremely limited and these relationships are difficult to corroborate.
Malware Authors
• Malware authors leverage their technical skills to create and distribute exploits as well as trojan horse programs.

Website Masters/Crackers
• Motivated by profit
• Provide the infrastructure for cybercrime by maintaining malicious websites, exploiting vulnerable websites & providing hosting for the command and control capabilities of trojans.

Envelopes Stealers
• Focus on acquiring username and password pairs, known as envelopes, through the use of malware kits, which are then sold.

Virtual Asset Stealers/Sellers
• Purchase compromised credentials from envelopes stealers and sell virtual assets to online games players, QQ users and others who drive the demand for stolen virtual goods.
Complex task

Analysis tracks back directly to the PRC and to known entities within the criminal underground of the PRC

Shadow network is based out of the PRC by one or more individuals with strong connections to the Chinese criminal underground.

Information collected by the Shadow network may end up in the possession of some entity of the Chinese government
Embryonic nature of the field of inquiry as a whole.

Issues grappled with in the aftermath of the Tracking GhostNet report

Illustrate the intricate, nuanced and often confusing landscape of global cyber security notification practices.

Contingent on the informal connections among professional communities
FOR a ppt/pptx SOFT COPY OF THIS PRESENTATION… write to me at anupam_tiwari@yahoo.com

The aim of this presentation is to spread awareness of the report made public by the Shadowserver Foundation: SHADOWS IN THE CLOUD

The ppt is under improvement and the fresh ppt will be uploaded in some time.

Suggestions are welcome
