JR02-2009

Inormation Warare Monitor 

Tracking

GhostNet 

:

http://www.inowar-monitor.net/ghostnethttp://www.tracking-ghost.net

t

Investigating a

Cyber Espionage

Network

March 29, 2009

 

March 29, 2009

Foreword

Cyber espionage is an issue whose time has come. In this second report rom the Inormation WarareMonitor, we lay out the ndings o a 10-month investigation o alleged Chinese cyber spying againstTibetan institutions.The investigation, consisting o eldwork, technical scouting, and laboratory analysis, discovered a lot more.The investigation ultimately uncovered a network o over 1,295 inected hosts in 103 countries.Up to 30% o the inected hosts are considered high-value targets and include computers locatedat ministries o oreign aairs, embassies, international organizations, news media, and NGOs. TheTibetan computer systems we manually investigated, and rom which our investigations began,were conclusively compromised by multiple inections that gave attackers unprecedented access topotentially sensitive inormation.But the study clearly raises more questions than it answers.From the evidence at hand, it is not clear whether the attacker(s) really knew what they hadpenetrated, or i the inormation was ever exploited or commercial or intelligence value.Some may conclude that what we lay out here points denitively to China as the culprit. CertainlyChinese cyber-espionage is a major global concern. Chinese authorities have made it clear that theyconsider cyberspace a strategic domain, one which helps redress the military imbalance betweenChina and the rest o the world (particularly the United States). They have correctly identiedcyberspace as the strategic ulcrum upon which U.S. military and economic dominance depends.But attributing all Chinese malware to deliberate or targeted intelligence gathering operations bythe Chinese state is wrong and misleading. Numbers can tell a dierent story. China is presentlythe world’s largest Internet population. The sheer number o young digital natives online can morethan account or the increase in Chinese malware. With more creative people using computers, it’sexpected that China (and Chinese individuals) will account or a larger proportion o cybercrime.Likewise, the threshold or engaging in cyber espionage is alling. Cybercrime kits are now availableonline, and their use is clearly on the rise, in some cases by organized crime and other private actors.Socially engineered malware is the most common and potent; it introduces Trojans onto a system,and then exploits social contacts and les to propagate inections urther.Furthermore, the Internet was never built with security in mind. As institutions ranging romgovernments through to businesses and individuals depend on 24-hour Internet connectivity, theopportunities or exploiting these systems increases.

 JR02-2009 Tracking

GhostNet 

- FOREWORD

 

Ron Deibert, Director, the Citizen Lab,Munk Centre or International Studies,University o Toronto. JR02-2009 Tracking

GhostNet 

- FOREWORDRaal Rohozinski, Principal and CEO,The SecDev Group,Ottawa, Canada.

This report serves as a wake-up call. At the very least, a large percentage o high-value targetscompromised by this network demonstrate the relative ease with which a technically unsophisticatedapproach can quickly be harnessed to create a very eective spynet…These are major disruptivecapabilities that the proessional inormation security community, as well as policymakers, need tocome to terms with rapidly.These are major disruptive capabilities that the proessional inormation security community, as wellas policymakers, need to come to terms with rapidly.