
GhostNet: Difference between revisions

From Wikipedia, the free encyclopedia
m →‎Origin: clean up, typo(s) fixed: ’s → 's
m added link to countries pages and fixed typo error
(28 intermediate revisions by 21 users not shown)
Line 1: Line 1:
{{Short description|Electronic spy operation}}
{{For|the fishing net|Ghost net}}
{{For|the fishing net|Ghost net}}
{{Use mdy dates|date=June 2013}}
{{Use mdy dates|date=June 2013}}


'''GhostNet''' ({{zh|t=幽靈網|s=幽灵网|p=YōuLíngWǎng}}) is the name given by researchers at the [[Information Warfare Monitor]] to a large-scale [[cyber spying]]<ref name="bbc" /><ref name="guardian">{{cite news|last=Glaister|first=Dan|title=China Accused of Global Cyberspying|work=[[The Guardian Weekly]]|volume=180|issue=16|page=5|date=March 30, 2009|url=https://www.theguardian.com/world/2009/mar/30/china-dalai-lama-spying-computers|accessdate=April 7, 2009 | location=London}}</ref><!-- correct print title --> operation discovered in March 2009. The operation is likely associated with an [[Advanced Persistent Threat]], or a network actor that spies undetected.<ref>{{Cite book |title=[[Reverse Deception: Organized Cyber Threat Counter-Exploitation]] |author=Sean Bodmer |author2=Dr. Max Kilger |author3=Gregory Carpenter |author4=Jade Jones |year=2012 |publisher=McGraw-Hill Osborne Media |isbn=978-0071772495}}</ref> Its command and control infrastructure is based mainly in the [[China|People's Republic of China]] and GhostNet has infiltrated high-value political, economic and media locations<ref name="nato"/> in 103 countries. Computer systems belonging to [[embassy|embassies]], foreign ministries and other government offices, and the [[14th Dalai Lama|Dalai Lama]]'s [[Tibet]]an exile centers in India, London and New York City were compromised.
'''GhostNet''' ({{zh|t=幽靈網|s=幽灵网|p=YōuLíngWǎng}}) is the name given by researchers at the [[Information Warfare Monitor]] to a large-scale [[cyber spying]]<ref name="bbc" /><ref name="guardian">{{Cite news |last=Glaister |first=Dan |date=March 30, 2009 |title=China Accused of Global Cyberspying |volume=180 |page=5 |work=[[The Guardian Weekly]] |issue=16 |location=London |url=https://www.theguardian.com/world/2009/mar/30/china-dalai-lama-spying-computers |access-date=April 7, 2009 |archive-date=June 6, 2024 |archive-url=https://web.archive.org/web/20240606131225/https://www.theguardian.com/world/2009/mar/30/china-dalai-lama-spying-computers |url-status=live }}</ref><!-- correct print title --> operation discovered in March 2009. The operation is likely associated with an [[advanced persistent threat]], or a network actor that spies undetected.<ref>{{Cite book |last1=Sean Bodmer |title=[[Reverse Deception: Organized Cyber Threat Counter-Exploitation]] |last2=Dr. Max Kilger |last3=Gregory Carpenter |last4=Jade Jones |publisher=McGraw-Hill Osborne Media |year=2012 |isbn=978-0071772495}}</ref> Its command and control infrastructure is based mainly in the [[China|People's Republic of China]] and GhostNet has infiltrated high-value political, economic and media locations<ref name="nato" /> in 103 countries. Computer systems belonging to [[embassy|embassies]], foreign ministries and other government offices, and the [[14th Dalai Lama|Dalai Lama]]'s [[Tibet]]an exile centers in India, London and New York City were compromised.


==Discovery==
==Discovery==
GhostNet was discovered and named following a 10-month investigation by the [[Infowar Monitor]] (IWM), carried out after IWM researchers approached the [[14th Dalai Lama|Dalai Lama]]'s representative in Geneva<ref name="Tracking_Ghostnet">{{cite news|url=https://www.scribd.com/doc/13731776/Tracking-GhostNet-Investigating-a-Cyber-Espionage-Network |title=Tracking GhostNet: Investigating a Cyber Espionage Network}}</ref> suspecting that their computer network had been infiltrated.<ref name="BBC_3003">{{cite news|url=http://news.bbc.co.uk/1/hi/world/americas/7972702.stm|title=China denies spying allegations|work=[[BBC News]]|date=March 30, 2009|accessdate=March 31, 2009}}</ref> The IWM is composed of researchers from [[The SecDev Group]] and Canadian consultancy and the [[Citizen Lab]], [[Munk Centre for International Studies]] at the [[University of Toronto]]; the research findings were published in the ''Infowar Monitor'', an affiliated publication.<ref name="NY-TIMES">{{cite news| title=Vast Spy System Loots Computers in 103 Countries | url=https://www.nytimes.com/2009/03/29/technology/29spy.html | work = [[New York Times]] | date=March 28, 2009 | accessdate=March 29, 2009 | first=John | last=Markoff}}</ref> Researchers from the [[University of Cambridge]]'s [[University of Cambridge Computer Laboratory|Computer Laboratory]], supported by the [[Institute for Information Infrastructure Protection]],<ref name="Cambridge_p2">{{cite web|url=http://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-746.pdf|title=The snooping dragon: social-malware surveillance of the Tibetan movement|author=Shishir Nagaraja, Ross Anderson|publisher=[[University of Cambridge]]|date=March 2009|page=2|accessdate=March 31, 2009}}</ref> also contributed to the investigation at one of the three locations in [[Dharamshala]], where the Tibetan government-in-exile is located. 
The discovery of the 'GhostNet', and details of its operations, were reported by ''[[The New York Times]]'' on March 29, 2009.<ref name="NY-TIMES"/><ref>{{cite news| title=Researchers: Cyber spies break into govt computers | url=https://www.google.com/hostednews/ap/article/ALeqM5jQLLlzAwWMnd6PID1d_id1LYOwfwD977GQ0G0 | work=[[Associated Press]] | date=March 29, 2009 | accessdate=March 29, 2009}}</ref> Investigators focused initially on allegations of Chinese cyber-espionage against the [[Tibetan exile]] community, such as instances where email correspondence and other data were extracted.<ref name=bp>[http://www.bangkokpost.com/news/world/138995/china-based-spies-target-us China-based spies target Thailand]. [[Bangkok Post]], March 30, 2009. Retrieved on March 30, 2009.</ref>
GhostNet was discovered and named following a 10-month investigation by the [[Infowar Monitor]] (IWM), carried out after IWM researchers approached the [[14th Dalai Lama|Dalai Lama]]'s representative in Geneva<ref name="Tracking_Ghostnet">{{Cite news |title=Tracking GhostNet: Investigating a Cyber Espionage Network |url=https://www.scribd.com/doc/13731776/Tracking-GhostNet-Investigating-a-Cyber-Espionage-Network |access-date=September 9, 2017 |archive-date=July 3, 2017 |archive-url=https://web.archive.org/web/20170703003717/https://www.scribd.com/doc/13731776/Tracking-GhostNet-Investigating-a-Cyber-Espionage-Network |url-status=live }}</ref> suspecting that their computer network had been infiltrated.<ref name="BBC_3003">{{Cite news |date=March 30, 2009 |title=China denies spying allegations |work=[[BBC News]] |url=http://news.bbc.co.uk/1/hi/world/americas/7972702.stm |access-date=March 31, 2009 |archive-date=March 31, 2009 |archive-url=https://web.archive.org/web/20090331094221/http://news.bbc.co.uk/1/hi/world/americas/7972702.stm |url-status=live }}</ref> The IWM is composed of researchers from The SecDev Group and Canadian consultancy and the [[Citizen Lab]], [[Munk Centre for International Studies|Munk School of Global Affairs]] at the [[University of Toronto]]; the research findings were published in the ''Infowar Monitor'', an affiliated publication.<ref name="NY-TIMES">{{Cite news |last=Markoff |first=John |date=March 28, 2009 |title=Vast Spy System Loots Computers in 103 Countries |work=[[New York Times]] |url=https://www.nytimes.com/2009/03/29/technology/29spy.html |access-date=March 29, 2009 |archive-date=April 1, 2009 |archive-url=https://web.archive.org/web/20090401224950/http://www.nytimes.com/2009/03/29/technology/29spy.html 
|url-status=live }}</ref> Researchers from the [[University of Cambridge]]'s [[University of Cambridge Computer Laboratory|Computer Laboratory]], supported by the [[Institute for Information Infrastructure Protection]],<ref name="Cambridge_p2">{{Cite web |last=Shishir Nagaraja, Ross Anderson |date=March 2009 |title=The snooping dragon: social-malware surveillance of the Tibetan movement |url=http://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-746.pdf |access-date=March 31, 2009 |publisher=[[University of Cambridge]] |page=2 |archive-date=April 20, 2009 |archive-url=https://web.archive.org/web/20090420015054/http://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-746.pdf |url-status=live }}</ref> also contributed to the investigation at one of the three locations in [[Dharamshala]], where the Tibetan government-in-exile is located. The discovery of the 'GhostNet', and details of its operations, were reported by ''[[The New York Times]]'' on March 29, 2009.<ref name="NY-TIMES" /><ref>{{Cite news |date=March 29, 2009 |title=Researchers: Cyber spies break into govt computers |agency=[[Associated Press]] |url=https://www.google.com/hostednews/ap/article/ALeqM5jQLLlzAwWMnd6PID1d_id1LYOwfwD977GQ0G0 |access-date=March 29, 2009 |archive-date=March 31, 2009 |archive-url=https://web.archive.org/web/20090331054557/http://www.google.com/hostednews/ap/article/ALeqM5jQLLlzAwWMnd6PID1d_id1LYOwfwD977GQ0G0 |url-status=dead }}</ref> Investigators focused initially on allegations of Chinese cyber-espionage against the [[Tibetan exile]] community, such as instances where email correspondence and other data were extracted.<ref name="bp">[http://www.bangkokpost.com/news/world/138995/china-based-spies-target-us China-based spies target Thailand]. [[Bangkok Post]], March 30, 2009. Retrieved on March 30, 2009.</ref>


Compromised systems were discovered in the [[Embassy|embassies]] of India, [[South Korea]], [[Indonesia]], [[Romania]], [[Cyprus]], [[Malta]], [[Thailand]], [[Taiwan]], [[Portugal]], Germany and Pakistan and the office of the Prime Minister of [[Laos]]. The [[Foreign ministry|foreign ministries]] of [[Iran]], [[Bangladesh]], [[Latvia]], [[Indonesia]], [[Philippines]], [[Brunei]], [[Barbados]] and [[Bhutan]] were also targeted.<ref name=bbc>{{cite news| title=Major cyber spy network uncovered | url=http://news.bbc.co.uk/1/hi/world/americas/7970471.stm | work=[[BBC News]] | date=March 29, 2009 | accessdate=March 29, 2009}}</ref><ref name=Reuters>{{cite news| title=Canadians find vast computer spy network: report | url=https://www.reuters.com/article/newsOne/idUSTRE52R2HQ20090328 | work=[[Reuters]] | date=March 28, 2009 | accessdate=March 29, 2009}}</ref> No evidence was found that U.S. or UK government offices were infiltrated, although a [[NATO]] computer was monitored for half a day and the computers of the [[Embassy of India in Washington, D.C.|Indian embassy]] in [[Washington, D.C.]], were infiltrated.<ref name="nato">{{cite news| title=Chinese hackers 'using ghost network to control embassy computers' | url=http://www.timesonline.co.uk/tol/news/uk/crime/article5996253.ece | work=[[The Times]] | date=March 29, 2009 | accessdate=March 29, 2009 | location=London | first=Mike | last=Harvey}}</ref><ref name=Reuters/><ref>{{cite news | title=Spying operation by China infiltrated computers: Report | url=http://www.thehindubusinessline.com/blnus/10291335.htm | work=[[The Hindu]] | date=March 29, 2009 | accessdate=March 29, 2009 | url-status=dead | archiveurl=https://web.archive.org/web/20090401191213/http://www.thehindubusinessline.com/blnus/10291335.htm | archivedate=April 1, 2009 | df=mdy-all }}</ref>
Compromised systems were discovered in the [[Embassy|embassies]] of [[India]], [[South Korea]], [[Indonesia]], [[Romania]], [[Cyprus]], [[Malta]], [[Thailand]], [[Taiwan]], [[Portugal]], [[Germany]] and [[Pakistan]] and the office of the Prime Minister of [[Laos]]. The [[Ministry of Foreign Affairs|foreign ministries]] of [[Iran]], [[Bangladesh]], [[Latvia]], [[Indonesia]], [[Philippines]], [[Brunei]], [[Barbados]] and [[Bhutan]] were also targeted.<ref name="bbc">{{Cite news |date=March 29, 2009 |title=Major cyber spy network uncovered |work=[[BBC News]] |url=http://news.bbc.co.uk/1/hi/world/americas/7970471.stm |access-date=March 29, 2009 |archive-date=March 30, 2009 |archive-url=https://web.archive.org/web/20090330150735/http://news.bbc.co.uk/1/hi/world/americas/7970471.stm |url-status=live }}</ref><ref name="Reuters">{{Cite news |date=March 28, 2009 |title=Canadians find vast computer spy network: report |work=[[Reuters]] |url=https://www.reuters.com/article/newsOne/idUSTRE52R2HQ20090328 |access-date=March 29, 2009 |archive-date=March 29, 2009 |archive-url=https://web.archive.org/web/20090329153512/http://www.reuters.com/article/newsOne/idUSTRE52R2HQ20090328 |url-status=live }}</ref> No evidence was found that [[United States|U.S.]] or [[United Kingdom|U.K.]] government offices were infiltrated, although a [[NATO]] computer was monitored for half a day and the computers of the [[Embassy of India in Washington, D.C.|Indian embassy]] in [[Washington, D.C.]], were infiltrated.<ref name="nato">{{Cite news |last=Harvey |first=Mike |date=March 29, 2009 |title=Chinese hackers 'using ghost network to control embassy computers' |work=[[The Times]] |location=London |url=http://www.timesonline.co.uk/tol/news/uk/crime/article5996253.ece |access-date=March 29, 2009 |archive-date=March 30, 2009 
|archive-url=https://web.archive.org/web/20090330033154/http://www.timesonline.co.uk/tol/news/uk/crime/article5996253.ece |url-status=live }}</ref><ref name=Reuters/><ref>{{Cite news |date=March 29, 2009 |title=Spying operation by China infiltrated computers: Report |work=[[The Hindu]] |url=http://www.thehindubusinessline.com/blnus/10291335.htm |url-status=dead |access-date=March 29, 2009 |archive-url=https://web.archive.org/web/20090401191213/http://www.thehindubusinessline.com/blnus/10291335.htm |archive-date=April 1, 2009 |df=mdy-all}}</ref>


Since its discovery, GhostNet has attacked other government networks, for example Canadian official financial departments in early 2011, forcing them off-line. Governments commonly do not admit such attacks, which must be verified by official but anonymous sources.<ref name=cbc>{{cite news| title=Foreign hackers attack Canadian government | url=http://www.cbc.ca/politics/story/2011/02/16/pol-weston-hacking.html | work=[[CBC News]] | date=February 17, 2011 | accessdate= February 17, 2011}}</ref>
Since its discovery, GhostNet has attacked other government networks, for example Canadian official financial departments in early 2011, forcing them off-line. Governments commonly do not admit such attacks, which must be verified by official but anonymous sources.<ref name="cbc">{{Cite news |date=February 17, 2011 |title=Foreign hackers attack Canadian government |work=[[CBC News]] |url=http://www.cbc.ca/politics/story/2011/02/16/pol-weston-hacking.html |access-date=February 17, 2011 |archive-date=February 18, 2011 |archive-url=https://web.archive.org/web/20110218145804/http://www.cbc.ca/politics/story/2011/02/16/pol-weston-hacking.html |url-status=live }}</ref>


==Technical functionality==
==Technical functionality==
Emails are sent to target organizations that contain contextually relevant information. These emails contain malicious attachments, that when opened, drop a Trojan horse on to the system. This Trojan connects back to a control server, usually located in China, to receive commands. The infected computer will then execute the command specified by the control server. Occasionally, the command specified by the control server will cause the infected computer to download and install a [[Trojan horse (computing)|Trojan]] known as [[Gh0st Rat]] that allows attackers to gain complete, real-time control of computers running [[Microsoft Windows]].<ref name="nato"/> Such a computer can be controlled or inspected by attackers, and the software even has the ability to turn on camera and audio-recording functions of infected computers, enabling monitors to perform surveillance.<ref name="NY-TIMES"/>
Emails are sent to target organizations that contain contextually relevant information. These emails contain malicious attachments, that when opened, enable a [[trojan horse (computing)|Trojan horse]] to access the system.{{Citation needed|date=July 2020}} This Trojan connects back to a control server, usually located in China, to receive commands. The infected computer will then execute the command specified by the control server. Occasionally, the command specified by the control server will cause the infected computer to download and install a Trojan known as [[Gh0st Rat]] that allows attackers to gain complete, real-time control of computers running [[Microsoft Windows]].<ref name="nato" /> Such a computer can be controlled or inspected by attackers, and the software even has the ability to turn on camera and audio-recording functions of infected computers, enabling attackers to perform surveillance.<ref name="NY-TIMES" />


==Origin==
==Origin==
The researchers from the IWM stated they could not conclude that the Chinese government was responsible for the spy network.<ref name=uoft/> However, a report from researchers at the [[University of Cambridge]] says they believe that the Chinese government is behind the intrusions they analyzed at the Office of the Dalai Lama.<ref name=snoop>{{cite web | url = http://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-746.pdf | title = The snooping dragon: social-malware surveillance of the Tibetan movement | first = Shishir | last = Nagaraja |author2=Anderson, Ross| publisher = Computer Laboratory, University of Cambridge | date = March 2009 }}</ref>
The researchers from the IWM stated they could not conclude that the Chinese government was responsible for the spy network.<ref name=uoft/> However, a report from researchers at the [[University of Cambridge]] says they believe that the Chinese government is behind the intrusions they analyzed at the Office of the Dalai Lama.<ref name="snoop">{{Cite web |last1=Nagaraja |first1=Shishir |last2=Anderson, Ross |date=March 2009 |title=The snooping dragon: social-malware surveillance of the Tibetan movement |url=http://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-746.pdf |publisher=Computer Laboratory, University of Cambridge |access-date=March 29, 2009 |archive-date=April 20, 2009 |archive-url=https://web.archive.org/web/20090420015054/http://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-746.pdf |url-status=live }}</ref>


Researchers have also noted the possibility that GhostNet was an operation run by private citizens in China for profit or for patriotic reasons, or created by intelligence agencies from other countries such as Russia or the United States.<ref name="NY-TIMES"/> The Chinese government has stated that China "strictly forbids any cyber crime."<ref name=bbc/><ref name=bp/>
Researchers have also noted the possibility that GhostNet was an operation run by private citizens in China for profit or for patriotic reasons, or created by intelligence agencies from other countries such as Russia or the United States.<ref name="NY-TIMES" /> The Chinese government has stated that China "strictly forbids any cyber crime."<ref name=bbc/><ref name=bp/>


The "Ghostnet Report" documents several unrelated infections at Tibetan-related organizations in addition to the Ghostnet infections. By using the email addresses provided by the IWM report, Scott J. Henderson had managed to trace one of the operators of one of the infections (non-Ghostnet) to [[Chengdu]]. He identifies the hacker as a 27-year-old man who had attended the [[University of Electronic Science and Technology of China]], and currently connected with the Chinese hacker [[Subculture|underground]].<ref>{{Cite web|last=Henderson|first=Scott|date=April 2, 2009|title=Hunting the GhostNet Hacker|url=http://www.thedarkvisitor.com/2009/04/hunting-the-ghostnet-hacker/|publisher=The Dark Visitor|accessdate=April 2, 2009|archive-url=https://web.archive.org/web/20090406034247/http://www.thedarkvisitor.com/2009/04/hunting-the-ghostnet-hacker/|archive-date=April 6, 2009|url-status=dead}}</ref>
The "Ghostnet Report" documents several unrelated infections at Tibetan-related organizations in addition to the Ghostnet infections. By using the email addresses provided by the IWM report, Scott J. Henderson had managed to trace one of the operators of one of the infections (non-Ghostnet) to [[Chengdu]]. He identifies the hacker as a 27-year-old man who had attended the [[University of Electronic Science and Technology of China]], and currently connected with the Chinese hacker [[Subculture|underground]].<ref>{{Cite web |last=Henderson |first=Scott |date=April 2, 2009 |title=Hunting the GhostNet Hacker |url=http://www.thedarkvisitor.com/2009/04/hunting-the-ghostnet-hacker/ |url-status=dead |archive-url=https://web.archive.org/web/20090406034247/http://www.thedarkvisitor.com/2009/04/hunting-the-ghostnet-hacker/ |archive-date=April 6, 2009 |access-date=April 2, 2009 |publisher=The Dark Visitor}}</ref>


Despite the lack of evidence to pinpoint the Chinese government as responsible for intrusions against Tibetan-related targets, researchers at Cambridge have found actions taken by Chinese government officials that corresponded with the information obtained via computer intrusions. One such incident involved a diplomat who was pressured by Beijing after receiving an email invitation to a visit with the [[14th Dalai Lama|Dalai Lama]] from his representatives.<ref name="snoop"/>
Despite the lack of evidence to pinpoint the Chinese government as responsible for intrusions against Tibetan-related targets, researchers at Cambridge have found actions taken by Chinese government officials that corresponded with the information obtained via computer intrusions. One such incident involved a diplomat who was pressured by Beijing after receiving an email invitation to a visit with the [[14th Dalai Lama|Dalai Lama]] from his representatives.<ref name="snoop" />


Another incident involved a Tibetan woman who was interrogated by Chinese intelligence officers and was shown transcripts of her online conversations.<ref name=uoft>[http://www.f-secure.com/weblog/archives/ghostnet.pdf Tracking GhostNet: Investigating a Cyber Espionage Network]. [[Munk Centre for International Studies]]. March 29, 2009</ref><ref>[https://www.thestar.com/article/610071 U of T team tracks China-based cyber spies] [[Toronto Star]] March 29, 2009 {{webarchive |url=https://web.archive.org/web/20090331165041/http://www.thestar.com/article/610071 |date=March 31, 2009 }}</ref> However, there are other possible explanations for this event. Drelwa uses QQ and other instant messengers to communicate with Chinese Internet users. In 2008, IWM found that TOM-Skype, the Chinese version of Skype, was logging and storing text messages exchanged between users. It is possible that the Chinese authorities acquired the chat transcripts through these means.<ref>[http://www.nartv.org/mirror/breachingtrust.pdf BREACHING TRUST: An analysis of surveillance and security practices on China’s TOM-Skype platform]</ref>
Another incident involved a Tibetan woman who was interrogated by Chinese intelligence officers and was shown transcripts of her online conversations.<ref name="uoft">[http://www.f-secure.com/weblog/archives/ghostnet.pdf Tracking GhostNet: Investigating a Cyber Espionage Network] {{Webarchive|url=https://web.archive.org/web/20090408010301/http://www.f-secure.com/weblog/archives/ghostnet.pdf |date=April 8, 2009 }}. [[Munk Centre for International Studies]]. March 29, 2009</ref><ref>[https://www.thestar.com/article/610071 U of T team tracks China-based cyber spies] [[Toronto Star]] March 29, 2009 {{webarchive |url=https://web.archive.org/web/20090331165041/http://www.thestar.com/article/610071 |date=March 31, 2009 }}</ref> However, there are other possible explanations for this event. Drelwa uses [[Tencent QQ|QQ]] and other instant messengers to communicate with Chinese Internet users. In 2008, IWM found that TOM-Skype, the Chinese version of Skype, was logging and storing text messages exchanged between users. It is possible that the Chinese authorities acquired the chat transcripts through these means.<ref>{{Cite web |url=http://www.nartv.org/mirror/breachingtrust.pdf |title=BREACHING TRUST: An analysis of surveillance and security practices on China's TOM-Skype platform |access-date=June 24, 2009 |archive-date=March 24, 2012 |archive-url=https://web.archive.org/web/20120324055810/http://www.nartv.org/mirror/breachingtrust.pdf |url-status=live }}</ref>


IWM researchers have also found that when detected, GhostNet is consistently controlled from IP addresses located on the island of [[Hainan]], China, and have pointed out that Hainan is home to the Lingshui signals intelligence facility and the Third Technical Department of the People's Liberation Army.<ref name="nato"/> Furthermore, one of GhostNet's four control servers has been revealed to be a government server.<ref>[https://www.theglobeandmail.com/news/technology/meet-the-canadians-who-busted-ghostnet/article732409/ Meet the Canadians who busted Ghostnet] ''[[The Globe and Mail]]''March 29, 2009</ref>
IWM researchers have also found that when detected, GhostNet is consistently controlled from IP addresses located on the island of [[Hainan]], China, and have pointed out that Hainan is home to the Lingshui signals intelligence facility and the Third Technical Department of the People's Liberation Army.<ref name="nato" /> Furthermore, one of GhostNet's four control servers has been revealed to be a {{cl-span|government server|date=July 2020}}.<ref>[https://www.theglobeandmail.com/news/technology/meet-the-canadians-who-busted-ghostnet/article732409/ Meet the Canadians who busted Ghostnet] {{Webarchive|url=https://web.archive.org/web/20111209132840/http://www.theglobeandmail.com/news/technology/meet-the-canadians-who-busted-ghostnet/article732409/ |date=December 9, 2011 }} ''[[The Globe and Mail]]''March 29, 2009</ref>


==See also==
==See also==
* [[Advanced Persistent Threat]]
* [[Advanced persistent threat]]
* [[Chinese intelligence activity abroad]]
* [[Chinese intelligence activity abroad]]
* [[Chinese cyberwarfare]]
* [[Chinese cyberwarfare]]
* [[Chinese espionage in the United States]]
* [[Chinese espionage in the United States]]
* [[Cyber-warfare]]
* [[Cyber-warfare]]
* [[Industrial espionage|Economic and Industrial Espionage]]
* [[Industrial espionage|Economic and industrial espionage]]
* [[Honker Union]]
* [[Honker Union]]
* [[Internet censorship in China]]
* [[Internet censorship in China]]
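Review bot: the Technical functionality line keeps the misplaced commas in "malicious attachments, that when opened, enable a Trojan horse to access the system" (it should read "attachments that, when opened, ..."), and the rewording from "drop a Trojan horse on to the system" to "enable a Trojan horse to access the system" makes the mechanism vaguer while only adding {{Citation needed}}; either keep the "drop" wording with a source or state plainly what the attachment does. Two smaller points carried over unchanged from the old revision: "researchers from The SecDev Group and Canadian consultancy and the Citizen Lab" in the Discovery paragraph needs "a Canadian consultancy" set off by commas, and the Globe and Mail reference in the Origin section is missing a space between ''[[The Globe and Mail]]'' and "March 29, 2009".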
Line 52: Line 53:
* [https://web.archive.org/web/20080424011010/http://infowar-monitor.net/index.php Information Warfare Monitor - Tracking Cyberpower (University of Toronto, Canada/Munk Centre)]
* [https://web.archive.org/web/20080424011010/http://infowar-monitor.net/index.php Information Warfare Monitor - Tracking Cyberpower (University of Toronto, Canada/Munk Centre)]
* [https://twitter.com/InfowarMonitor Twitter: InfowarMonitor]
* [https://twitter.com/InfowarMonitor Twitter: InfowarMonitor]
* {{Cite news|url=https://www.thestar.com/News/World/Article/610860|title=Cyberspies' code a click away - Simple Google search quickly finds link to software for Ghost Rat program used to target governments|periodical=Toronto Star (Canada)|date=March 31, 2009|accessdate=April 4, 2009 | first=Cathal | last=Kelly|journal=|location=Toronto, Ontario, Canada }}
* {{Cite news |last=Kelly |first=Cathal |date=March 31, 2009 |title=Cyberspies' code a click away - Simple Google search quickly finds link to software for Ghost Rat program used to target governments |work=Toronto Star (Canada) |location=Toronto, Ontario, Canada |url=https://www.thestar.com/News/World/Article/610860 |access-date=April 4, 2009}}
* {{Cite web |url=http://www.atimes.com/atimes/China/KD08Ad01.html |title=Cyber-skirmish at the top of the world |first=Peter |last=Lee |work=[[Asia Times Online]] |date=April 8, 2009 |accessdate=April 9, 2009}}
* {{Cite web |last=Lee |first=Peter |date=April 8, 2009 |title=Cyber-skirmish at the top of the world |url=http://www.atimes.com/atimes/China/KD08Ad01.html |url-status=unfit |archive-url=https://web.archive.org/web/20090410070427/http://www.atimes.com/atimes/China/KD08Ad01.html |archive-date=April 10, 2009 |access-date=April 9, 2009 |website=[[Asia Times Online]]}}
* Bodmer, Kilger, Carpenter, & Jones (2012). [[Reverse Deception: Organized Cyber Threat Counter-Exploitation]]. New York: McGraw-Hill Osborne Media. {{ISBN|0071772499}}, {{ISBN|978-0071772495}}
* Bodmer, Kilger, Carpenter, & Jones (2012). [[Reverse Deception: Organized Cyber Threat Counter-Exploitation]]. New York: McGraw-Hill Osborne Media. {{ISBN|0071772499}}, {{ISBN|978-0071772495}}


Line 61: Line 62:
[[Category:Spyware]]
[[Category:Spyware]]
[[Category:Espionage projects]]
[[Category:Espionage projects]]
[[Category:Cyberwarfare in China]]
[[Category:Cyberwarfare by China]]
[[Category:2009 in China]]
[[Category:2009 in China]]
[[Category:Mass intelligence-gathering systems]]
[[Category:Mass intelligence-gathering systems]]
[[Category:Cyberattacks]]
[[Category:Cyberattacks]]
[[Category:Cyberwarfare]]
[[Category:Cyberwarfare]]
[[Category:Advanced persistent threat]]
[[Category:Cyberattack gangs]]
[[Category:Cyberattack gangs]]
[[Category:Chinese advanced persistent threat groups]]
[[Category:Cybercrime in India]]
[[Category:China–India relations]]

Revision as of 08:29, 3 July 2024

GhostNet (simplified Chinese: 幽灵网; traditional Chinese: 幽靈網; pinyin: YōuLíngWǎng) is the name given by researchers at the Information Warfare Monitor to a large-scale cyber spying[1][2] operation discovered in March 2009. The operation is likely associated with an advanced persistent threat, or a network actor that spies undetected.[3] Its command and control infrastructure is based mainly in the People's Republic of China and GhostNet has infiltrated high-value political, economic and media locations[4] in 103 countries. Computer systems belonging to embassies, foreign ministries and other government offices, and the Dalai Lama's Tibetan exile centers in India, London and New York City were compromised.

Discovery

GhostNet was discovered and named following a 10-month investigation by the Infowar Monitor (IWM), carried out after IWM researchers approached the Dalai Lama's representative in Geneva[5] suspecting that their computer network had been infiltrated.[6] The IWM is composed of researchers from The SecDev Group, a Canadian consultancy, and the Citizen Lab at the Munk School of Global Affairs, University of Toronto; the research findings were published in the Infowar Monitor, an affiliated publication.[7] Researchers from the University of Cambridge's Computer Laboratory, supported by the Institute for Information Infrastructure Protection,[8] also contributed to the investigation at one of the three locations in Dharamshala, where the Tibetan government-in-exile is located. The discovery of GhostNet, and details of its operations, were reported by The New York Times on March 29, 2009.[7][9] Investigators focused initially on allegations of Chinese cyber-espionage against the Tibetan exile community, such as instances where email correspondence and other data were extracted.[10]

Compromised systems were discovered in the embassies of India, South Korea, Indonesia, Romania, Cyprus, Malta, Thailand, Taiwan, Portugal, Germany and Pakistan and the office of the Prime Minister of Laos. The foreign ministries of Iran, Bangladesh, Latvia, Indonesia, Philippines, Brunei, Barbados and Bhutan were also targeted.[1][11] No evidence was found that U.S. or U.K. government offices were infiltrated, although a NATO computer was monitored for half a day and the computers of the Indian embassy in Washington, D.C., were infiltrated.[4][11][12]

Since its discovery, GhostNet has attacked other government networks, for example Canadian official financial departments in early 2011, forcing them off-line. Governments commonly do not admit such attacks, which must be verified by official but anonymous sources.[13]

Technical functionality

Emails containing contextually relevant information are sent to target organizations. These emails carry malicious attachments that, when opened, allow a Trojan horse to access the system.[citation needed] This Trojan connects back to a control server, usually located in China, to receive commands. The infected computer then executes the command specified by the control server. Occasionally, the command causes the infected computer to download and install a Trojan known as Gh0st Rat, which allows attackers to gain complete, real-time control of computers running Microsoft Windows.[4] Such a computer can be controlled or inspected by the attackers, and the software can even turn on the camera and audio-recording functions of infected computers, enabling the attackers to perform surveillance.[7]
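As an added detection example, not code from the article or from the IWM report: a Python check for the packet framing that public malware analyses attribute to the original Gh0st RAT builds (a 5-byte "Gh0st" tag, two little-endian lengths, then a zlib-compressed body). That framing is taken from those analyses rather than from this page, the sample flows are constructed, and later variants frequently change the 5-byte tag, so a detector must treat the tag as configurable.

```python
import struct
import zlib

MAGIC = b"Gh0st"  # 5-byte tag of the original builds; variants swap it (assumption from public analyses)
HEADER_LEN = 13   # tag(5) + total_len(4, little-endian) + plain_len(4, little-endian)


def parse_gh0st_packet(data: bytes, magic: bytes = MAGIC):
    """Return the decompressed body if `data` is one well-formed Gh0st-framed
    packet, otherwise None. Intended for use over captured TCP payloads."""
    if len(data) < HEADER_LEN or data[:5] != magic:
        return None
    total_len, plain_len = struct.unpack_from("<II", data, 5)
    if total_len != len(data):          # the length field covers the whole packet
        return None
    try:
        body = zlib.decompress(data[HEADER_LEN:])
    except zlib.error:                  # not a zlib stream: not this framing
        return None
    if len(body) != plain_len:          # header/body disagreement: reject
        return None
    return body


def build_sample_packet(payload: bytes, magic: bytes = MAGIC) -> bytes:
    """Constructed test packet so the detector can be exercised offline;
    this is sample data, not captured malware traffic."""
    comp = zlib.compress(payload)
    return magic + struct.pack("<II", HEADER_LEN + len(comp), len(payload)) + comp


# Constructed flows: (src, dst, dst_port) -> first payload bytes seen on the flow.
SAMPLE_FLOWS = {
    ("10.0.0.5", "203.0.113.7", 443): build_sample_packet(b"constructed beacon body"),
    ("10.0.0.6", "198.51.100.9", 80): b"GET / HTTP/1.1\r\nHost: example.org\r\n\r\n",
    ("10.0.0.7", "203.0.113.7", 443): build_sample_packet(b"truncated")[:-1],
}


def scan_flows(flows, magic: bytes = MAGIC):
    """Return the sorted list of flow keys whose first payload matches the framing."""
    return sorted(k for k, p in flows.items() if parse_gh0st_packet(p, magic) is not None)


if __name__ == "__main__":
    for flow in scan_flows(SAMPLE_FLOWS):
        print("Gh0st-style framing on flow", flow)
```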

Origin

The researchers from the IWM stated they could not conclude that the Chinese government was responsible for the spy network.[14] However, a report from researchers at the University of Cambridge says they believe that the Chinese government is behind the intrusions they analyzed at the Office of the Dalai Lama.[15]

Researchers have also noted the possibility that GhostNet was an operation run by private citizens in China for profit or for patriotic reasons, or created by intelligence agencies from other countries such as Russia or the United States.[7] The Chinese government has stated that China "strictly forbids any cyber crime."[1][10]

The "Ghostnet Report" documents several unrelated infections at Tibetan-related organizations in addition to the Ghostnet infections. Using the email addresses provided in the IWM report, Scott J. Henderson managed to trace one of the operators of one of the (non-Ghostnet) infections to Chengdu. He identifies the hacker as a 27-year-old man who had attended the University of Electronic Science and Technology of China and who is currently connected with the Chinese hacker underground.[16]

Despite the lack of evidence to pinpoint the Chinese government as responsible for intrusions against Tibetan-related targets, researchers at Cambridge have found actions taken by Chinese government officials that corresponded with the information obtained via computer intrusions. One such incident involved a diplomat who was pressured by Beijing after receiving an email invitation to a visit with the Dalai Lama from his representatives.[15]

Another incident involved a Tibetan woman who was interrogated by Chinese intelligence officers and was shown transcripts of her online conversations.[14][17] However, there are other possible explanations for this event. Drelwa uses QQ and other instant messengers to communicate with Chinese Internet users. In 2008, IWM found that TOM-Skype, the Chinese version of Skype, was logging and storing text messages exchanged between users. It is possible that the Chinese authorities acquired the chat transcripts through these means.[18]

IWM researchers have also found that when detected, GhostNet is consistently controlled from IP addresses located on the island of Hainan, China, and have pointed out that Hainan is home to the Lingshui signals intelligence facility and the Third Technical Department of the People's Liberation Army.[4] Furthermore, one of GhostNet's four control servers has been revealed to be a government server[clarify].[19]

See also

References

  1. ^ a b c "Major cyber spy network uncovered". BBC News. March 29, 2009. Archived from the original on March 30, 2009. Retrieved March 29, 2009.
  2. ^ Glaister, Dan (March 30, 2009). "China Accused of Global Cyberspying". The Guardian Weekly. Vol. 180, no. 16. London. p. 5. Archived from the original on June 6, 2024. Retrieved April 7, 2009.
  3. ^ Bodmer, Sean; Kilger, Max; Carpenter, Gregory; Jones, Jade (2012). Reverse Deception: Organized Cyber Threat Counter-Exploitation. McGraw-Hill Osborne Media. ISBN 978-0071772495.
  4. ^ a b c d Harvey, Mike (March 29, 2009). "Chinese hackers 'using ghost network to control embassy computers'". The Times. London. Archived from the original on March 30, 2009. Retrieved March 29, 2009.
  5. ^ "Tracking GhostNet: Investigating a Cyber Espionage Network". Archived from the original on July 3, 2017. Retrieved September 9, 2017.
  6. ^ "China denies spying allegations". BBC News. March 30, 2009. Archived from the original on March 31, 2009. Retrieved March 31, 2009.
  7. ^ a b c d Markoff, John (March 28, 2009). "Vast Spy System Loots Computers in 103 Countries". New York Times. Archived from the original on April 1, 2009. Retrieved March 29, 2009.
  8. ^ Nagaraja, Shishir; Anderson, Ross (March 2009). "The snooping dragon: social-malware surveillance of the Tibetan movement" (PDF). University of Cambridge. p. 2. Archived (PDF) from the original on April 20, 2009. Retrieved March 31, 2009.
  9. ^ "Researchers: Cyber spies break into govt computers". Associated Press. March 29, 2009. Archived from the original on March 31, 2009. Retrieved March 29, 2009.
  10. ^ a b "China-based spies target Thailand". Bangkok Post. March 30, 2009. Retrieved March 30, 2009.
  11. ^ a b "Canadians find vast computer spy network: report". Reuters. March 28, 2009. Archived from the original on March 29, 2009. Retrieved March 29, 2009.
  12. ^ "Spying operation by China infiltrated computers: Report". The Hindu. March 29, 2009. Archived from the original on April 1, 2009. Retrieved March 29, 2009.
  13. ^ "Foreign hackers attack Canadian government". CBC News. February 17, 2011. Archived from the original on February 18, 2011. Retrieved February 17, 2011.
  14. ^ a b "Tracking GhostNet: Investigating a Cyber Espionage Network". Munk Centre for International Studies. March 29, 2009. Archived from the original on April 8, 2009, at the Wayback Machine.
  15. ^ a b Nagaraja, Shishir; Anderson, Ross (March 2009). "The snooping dragon: social-malware surveillance of the Tibetan movement" (PDF). Computer Laboratory, University of Cambridge. Archived (PDF) from the original on April 20, 2009. Retrieved March 29, 2009.
  16. ^ Henderson, Scott (April 2, 2009). "Hunting the GhostNet Hacker". The Dark Visitor. Archived from the original on April 6, 2009. Retrieved April 2, 2009.
  17. ^ "U of T team tracks China-based cyber spies". Toronto Star. March 29, 2009. Archived from the original on March 31, 2009, at the Wayback Machine.
  18. ^ "BREACHING TRUST: An analysis of surveillance and security practices on China's TOM-Skype platform" (PDF). Archived (PDF) from the original on March 24, 2012. Retrieved June 24, 2009.
  19. ^ "Meet the Canadians who busted Ghostnet". The Globe and Mail. March 29, 2009. Archived from the original on December 9, 2011, at the Wayback Machine.