A cyberespionage network, known as GhostNet, possibly operating out of China, is making use of malicious websites and phishing emails to take control of hundreds of sensitive government machines across 103 countries, researchers revealed this weekend.
A pair of Canadian researchers at the Munk Center for International Studies at the University of Toronto said GhostNet struck "high-value targets," such as foreign embassies and ministries, and even a NATO network. So far, some 1,300 computers have been infected, and the control servers they report to trace back to China. The researchers, Ron Deibert and Rafal Rohozinski, released their 53-page report Sunday after 10 months of investigation.

“The attacker(s) are able to exploit several infection vectors,” the researchers wrote. “First, they create web pages that contain drive-by exploit code that infects the computers of those who visit the page. Second, the attacker(s) have also shown that they engage in spear phishing in which contextually relevant emails are sent to targets with PDF and DOC attachments.”
In the spear-phishing attacks, when the attachments are downloaded and opened, they create backdoors that “cause the infected computer to connect to a control server and await further instructions,” the researchers wrote. The compromised machines can then be directed to download and install a remote administration trojan.
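The check-in behaviour described above, a backdoor that connects to a control server and waits for instructions, leaves a recognisable trace in outbound proxy logs: one internal host contacting the same external host at near-constant intervals. The script below is an added example, not code from the article or from the researchers' report, showing one way to surface that pattern. The log lines, host names, client addresses and the thresholds (five connections, jitter below 20 percent of the mean interval) are all constructed for illustration.

```python
"""Beacon detection over proxy logs: flag internal hosts that contact the same
external host at near-constant intervals, the check-in pattern a backdoor
produces while waiting for instructions. Added example with constructed data;
nothing here is taken from the GhostNet report."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log lines: "<ISO timestamp> <client> <destination host>".
# 10.1.1.5 checks in every ~300 s; 10.1.1.7 browses at irregular intervals.
SAMPLE_LOG = """\
2009-03-30T08:00:00 10.1.1.5 updates.example-cdn.net
2009-03-30T08:05:02 10.1.1.5 updates.example-cdn.net
2009-03-30T08:09:58 10.1.1.5 updates.example-cdn.net
2009-03-30T08:15:01 10.1.1.5 updates.example-cdn.net
2009-03-30T08:19:59 10.1.1.5 updates.example-cdn.net
2009-03-30T08:25:00 10.1.1.5 updates.example-cdn.net
2009-03-30T08:00:10 10.1.1.7 news.example.org
2009-03-30T08:00:45 10.1.1.7 news.example.org
2009-03-30T08:07:12 10.1.1.7 news.example.org
2009-03-30T08:31:03 10.1.1.7 news.example.org
2009-03-30T08:33:40 10.1.1.7 news.example.org
2009-03-30T09:12:19 10.1.1.7 news.example.org
"""


def parse_log(text):
    """Group connection timestamps by (client, destination) pair."""
    conns = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, dest = line.split()
        conns[(client, dest)].append(datetime.fromisoformat(ts))
    return conns


def beacon_score(timestamps):
    """Return (mean gap in seconds, coefficient of variation of the gaps).

    A low coefficient of variation means the gaps are nearly constant,
    i.e. machine-driven check-ins rather than a person clicking around."""
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    m = mean(gaps)
    return m, (pstdev(gaps) / m if m else float("inf"))


def find_beacons(text, min_conns=5, max_cv=0.2):
    """Flag (client, dest) pairs seen at least min_conns times whose
    inter-arrival jitter is at or below max_cv. Thresholds are illustrative
    assumptions; tune them against your own traffic."""
    hits = []
    for (client, dest), stamps in parse_log(text).items():
        if len(stamps) < min_conns:
            continue
        interval, cv = beacon_score(stamps)
        if cv <= max_cv:
            hits.append((client, dest, round(interval), round(cv, 3)))
    return sorted(hits)


if __name__ == "__main__":
    for client, dest, interval, cv in find_beacons(SAMPLE_LOG):
        print(f"{client} -> {dest}: every ~{interval}s (jitter cv={cv})")
```

On the constructed sample only the 10.1.1.5 pair is flagged, at roughly a 300-second period. Real implants commonly add random sleep jitter to defeat exactly this test, so in practice the regularity score is combined with other signals, such as how rare the destination is across the whole fleet and whether the connections carry a constant-size request body.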
The attackers seem to be a cut above the average hacker, considering some of the techniques they used to spread the infection.

“Some of the things they did indicate that they were very sophisticated,” Phil Neray, vice president of security strategy for Guardium, told SCMagazineUS.com on Monday. “The machines were told to send the data stolen using a Tor network in an encrypted form. Also, the way the trojans communicated with the command servers made use of a complex control program that enabled them to completely control users' PCs.”
The GhostNet operation is still active and continues to compromise more than a dozen additional computers per week, according to the University of Toronto researchers. Other targets of the attacks included foreign ministries and embassies of countries such as Bangladesh, Bhutan, Cyprus, Germany, Iran, India, Indonesia, the Philippines and Romania, among the 103 countries affected.
“These organizations are almost certainly oblivious to the compromised situation in which they find themselves,” the researchers said. “The computers of diplomats, military attachés, private assistants, secretaries to prime ministers, journalists and others are under the concealed control of unknown assailant(s).”
The researchers were careful to say that no real evidence exists that the government of China was directly involved, though they did say that GhostNet does not appear to be a typical cybercrime network.
“The potential political fallout is enormous,” they wrote. “But ultimately, the question of who is behind the GhostNet may matter less than the strategic significance of the collection of affected targets…GhostNet represents a network of compromised computers resident in high-value political, economic and media locations spread across numerous countries worldwide.”
Not everyone agrees that China is uninvolved – speculation abounds that the Chinese government has some responsibility, even though it has officially denied any link.
“The IP addresses go back to China,” Rick Howard, intelligence director for VeriSign iDefense, told SCMagazineUS.com Monday. "This attack seems to target specific organizations – government organizations. That adds credence to the possibility that some government espionage organization was doing this.”
The impetus for investigating the reports of GhostNet was, in part, a request from Tibet's government-in-exile, on behalf of the Dalai Lama, Tibet's exiled spiritual leader.
"The investigation was able to conclude," the researchers wrote, "that Tibetan computer systems were compromised by multiple infections that gave attackers unprecedented access to potentially sensitive information, including documents from the private office of the Dalai Lama."