GhostNet probers want Ottawa to thwart cyber spying

The Canadian government should move quickly to prevent improper use of the Internet by state agencies, businesses and organized crime rings across the world.

That’s an urgent plea being made by the group of researchers that recently uncovered a cyber spying network based in China.

“The Internet is being weaponized and militarized,” noted Ron Deibert, an associate professor of political science at the University of Toronto, and head of the Citizen Lab at the university’s Munk Centre for International Studies.

The Citizen Lab – an Internet research outfit – is one of the organizations that exposed GhostNet, an electronic spy network responsible for infiltrating at least 1,295 computers in 103 countries, including machines in the private office of the Dalai Lama in Dharamsala, India.

When it comes to cyber spying, GhostNet isn’t the only evil spirit in town.

Deibert said organized crime rings and even some governments steal personal information, eavesdrop on online correspondence, filter Internet traffic and launch denial of service attacks on opposing states or organizations.

Detailed information about GhostNet is provided in the group’s report, Tracking GhostNet: Investigating a Cyber Espionage Network.

According to the report, three control servers in China and one in the U.S. loaded Trojans onto machines in the foreign ministries of Bangladesh, Barbados, Bhutan, Brunei, Indonesia, Iran, Latvia and the Philippines, and onto machines in the embassies of Cyprus, Germany, India, Malta, Pakistan, Portugal, Romania, South Korea, Thailand and Taiwan.

“Information stolen includes a list of foreign dignitaries who have contact with the Dalai Lama, e-mail correspondence, and an itinerary,” said Greg Walton, senior security researcher for the OpenNet Initiative and fellow at the Citizen Lab.

In another instance, he said, a Tibetan woman working for an NGO was recently picked up by Chinese authorities upon her return to her country.

The woman told researchers that her interrogators confronted her with details of her online correspondence.

It suggests a government was being targeted and the Chinese government may be involved, Walton said. But he added the evidence for this is circumstantial.

China, meanwhile, has denied involvement in running an online snooping network.

“Some people in foreign countries are keen to make up rumours about so-called Chinese Internet spies,” said Qin Gang, China’s foreign ministry spokesman. “Their statements are entirely fabricated.”

Qin said China opposes hacking and other attacks on computer networks.

Researchers who discovered the network said Ottawa has to act now to stop Internet filtering and snooping strategies by heavy-handed governments.

“This should serve as a call to action to government agencies around the world to develop policies around preventing these activities,” said Janice Stein, head of the Munk Centre.

“We believe Canada should play a critical — if not leading — role in this initiative since we have the expertise in the area.”

Canadian government intervention is crucial, especially as private and university-funded organizations can’t take any action beyond conducting investigations, noted Rafal Rohozinski, principal and CEO of Ottawa-based SecDev.

He said that, moving forward, evidence of online snooping would be submitted to the affected government agencies and organizations.

“It is up to the government agencies to act on this matter… We are constrained by our mandate and methods not to interfere.”

GhostNet trackers, he said, were not commissioned by any party to carry out their investigation, nor did they break any laws or hack into any system.

The investigation began when the researchers were granted access to computers of Tibet’s government in exile. Tibetan NGOs and the office of the Dalai Lama were concerned about leaks of confidential information.

“We were able to monitor activities on the network after we got our own machines infected by GhostNet,” said Deibert.

GhostNet’s existence came to light after a 10-month investigation that included field-based research in India by SecDev as well as “technical scouting and computer network interrogation” carried out by researchers at the Munk Centre’s Citizen Lab in Toronto.

The report said the cyber spy ring primarily uses a malicious software program dubbed gh0st RAT (Remote Access Tool) to steal sensitive documents, install keyloggers and take control of infected computers and attached devices such as webcams.

“GhostNet represents a network of compromised computers resident in high-value political, economic and media locations spread across numerous countries worldwide,” according to the report.

“These organizations,” it added, “are almost certainly oblivious to the compromised situation in which they find themselves.”

The researchers said they have no confirmation if the information obtained by the network is of intrinsic value to the hackers, or if it’s being passed off as intelligence and sold for profit.

The report also said China’s focus on cyber capabilities is part of its “strategy of national asymmetric warfare.” It involves “developing capabilities to circumvent U.S. superiority in command-and-control warfare.”

The group discovered that computers infected with the malicious software allowed remote hackers to steal information.

“What surprised me was the servers collecting stolen data were not password secured,” said Nart Villeneuve, another Citizen Lab fellow and the researcher credited for finding the servers by doing a Google search on a data string.

Cyber criminals, he said, used spear phishing methods to infect someone’s computer.

In that scenario, victims would be sent a targeted e-mail carrying a malicious exploit. Once they opened it, a Trojan horse would be dropped onto the host machine, which then allowed the machine to be controlled by a GhostNet server.
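Once a dropped Trojan phones home, the one artefact a defender can reliably inspect is its command-and-control traffic. The following scanner is an added example, not code from the GhostNet report or the Citizen Lab, and it assumes the framing that public analyses of the gh0st RAT family describe (a 5-byte “Gh0st” flag, a 13-byte header carrying the frame length and the uncompressed length, then a zlib-compressed body); the article itself does not state the wire format, and the sample byte stream below is constructed for the demonstration.

```python
import struct
import zlib

# Frame layout assumed from public analyses of gh0st RAT source (not from this article):
#   magic "Gh0st" (5 bytes) | total frame length (u32 LE) | uncompressed length (u32 LE) | zlib body
MAGIC = b"Gh0st"
HDR_LEN = 13  # 5 + 4 + 4


def build_frame(payload: bytes) -> bytes:
    """Wrap a plaintext payload in a gh0st-style frame (used here only to construct test data)."""
    body = zlib.compress(payload)
    return MAGIC + struct.pack("<II", HDR_LEN + len(body), len(payload)) + body


def scan_stream(data: bytes):
    """Return [(offset, decompressed_payload), ...] for every well-formed frame in a byte stream.

    A bare magic-string match is a weak signal (the flag also appears in ordinary text and
    operators can change it), so a hit is only reported when the declared total length fits
    inside the stream, the body inflates cleanly, and the inflated size matches the header.
    """
    hits = []
    pos = 0
    while True:
        pos = data.find(MAGIC, pos)
        if pos < 0 or pos + HDR_LEN > len(data):
            break
        total_len, orig_len = struct.unpack_from("<II", data, pos + len(MAGIC))
        end = pos + total_len
        if total_len < HDR_LEN or end > len(data):
            pos += 1  # header does not describe a frame that fits; keep looking
            continue
        try:
            plain = zlib.decompress(data[pos + HDR_LEN:end])
        except zlib.error:
            pos += 1
            continue
        if len(plain) != orig_len:
            pos += 1
            continue
        hits.append((pos, plain))
        pos = end  # skip past the frame we just validated
    return hits


# Constructed sample: benign HTTP bytes, a beacon frame, a false-positive "Gh0st" in plain
# text, and a second frame. None of this is captured traffic.
SAMPLE_STREAM = (
    b"GET / HTTP/1.1\r\n"
    + build_frame(b"TOKEN\x00beacon")
    + b"Gh0st-in-text"
    + build_frame(b"\x01keylog data")
)

if __name__ == "__main__":
    for offset, payload in scan_stream(SAMPLE_STREAM):
        print(f"frame at offset {offset}: {payload!r}")
```

Run against a pcap payload or a proxy log dump, the scanner yields the inflated command bodies, which is what an analyst would then compare against the keylogger and webcam functions the report attributes to the tool. The length and decompression checks are what keep the search from firing on every stray “Gh0st” string.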

“It’s not a very complicated method. DIY kits can now enable almost anyone to do it,” Villeneuve said.

A simple online search can reveal the source code for GhostNet’s unsophisticated software, according to Zhao Wei, CEO of Knownsec, a Beijing-based security firm.

Much more advanced — and more common in China — are mass attacks with “zero days”, or previously unknown software bugs, Zhao said.

Sophisticated attacks can hit millions of computers. Researchers at Zhao’s firm found four million computers infected in a single day during one recent attack.

China had 298 million Internet users at the end of last year, the most in any country, according to the country’s domain registry centre.

Bank accounts and online game passwords are popular targets for attackers in China. Items like armour and weapons stolen from game accounts are often sold back to other players for real-world cash.

The attackers make themselves hard to catch by stealing small amounts from many different people, Zhao said. An attacker might, for example, break into a huge number of bank accounts but steal just 10 yuan ($1.85) from each.

The amount is so negligible that victims are unlikely to report the loss. That makes collecting evidence difficult for police, as does the need for cooperation across districts if the attacker and victims are in different places, Zhao said.

China passed its first regulations protecting the public from cyber data theft last month. Changes to the country’s criminal law ban theft of digital information from any computer, lowering the bar from old rules that banned intrusions into government-supported networks.

The new law also prohibits designing programs to help attackers invade or gain control over other computers.

The law’s protection from data theft extends to overseas computers such as those attacked by GhostNet, said Pi Yong, a law professor at Wuhan University.

But implementing the law could be difficult even in purely domestic cases. Chinese courts in remote areas may be unsure how to handle electronic evidence, Pi said.

China also remains a convenient routing point for attackers from other countries, who can hide their location by using a Chinese IP (Internet Protocol) address.

Registering a Chinese domain is cheap and hassle-free, giving attackers an easy way to spread malware, said Konstantin Sapronov, head of the Kaspersky virus lab in China.

Blocked domains are easily replaced, he said.
