Tracking GhostNet: Investigating a Cyber Espionage Network (PDF, 53 pages, 5.8 MB)

Table of Contents
Title page
Foreword
Acknowledgements
Table of Contents
Summary
Introduction
Part One
Part Two
Part Three
Part Four
Page 1

JR02-2009

Information Warfare Monitor

Tracking GhostNet:

http://www.infowar-monitor.net/ghostnet
http://www.tracking-ghost.net

Investigating a Cyber Espionage Network

March 29, 2009

Page 2

March 29, 2009

Foreword
Cyber espionage is an issue whose time has come. In this second report from the Information Warfare
Monitor, we lay out the findings of a 10-month investigation of alleged Chinese cyber spying against
Tibetan institutions.

The investigation, consisting of fieldwork, technical scouting, and laboratory analysis, discovered a lot more.

The investigation ultimately uncovered a network of over 1,295 infected hosts in 103 countries.
Up to 30% of the infected hosts are considered high-value targets and include computers located
at ministries of foreign affairs, embassies, international organizations, news media, and NGOs. The
Tibetan computer systems we manually investigated, and from which our investigations began,
were conclusively compromised by multiple infections that gave attackers unprecedented access to
potentially sensitive information.

But the study clearly raises more questions than it answers.

From the evidence at hand, it is not clear whether the attacker(s) really knew what they had
penetrated, or if the information was ever exploited for commercial or intelligence value.

Some may conclude that what we lay out here points definitively to China as the culprit. Certainly
Chinese cyber-espionage is a major global concern. Chinese authorities have made it clear that they
consider cyberspace a strategic domain, one which helps redress the military imbalance between
China and the rest of the world (particularly the United States). They have correctly identified
cyberspace as the strategic fulcrum upon which U.S. military and economic dominance depends.

But attributing all Chinese malware to deliberate or targeted intelligence gathering operations by
the Chinese state is wrong and misleading. Numbers can tell a different story. China is presently
the world’s largest Internet population. The sheer number of young digital natives online can more
than account for the increase in Chinese malware. With more creative people using computers, it’s
expected that China (and Chinese individuals) will account for a larger proportion of cybercrime.

Likewise, the threshold for engaging in cyber espionage is falling. Cybercrime kits are now available
online, and their use is clearly on the rise, in some cases by organized crime and other private actors.
Socially engineered malware is the most common and potent; it introduces Trojans onto a system,
and then exploits social contacts and files to propagate infections further.

Furthermore, the Internet was never built with security in mind. As institutions ranging from
governments through to businesses and individuals depend on 24-hour Internet connectivity, the
opportunities for exploiting these systems increase.

JR02-2009 Tracking GhostNet - FOREWORD

Page 26

25

In one case, the file the infected computer was requesting was not present and the
infected computer received a 404 error. However, successful connections were made
via HTTP to CGI scripts. The infected computer used HTTP POST to submit data to CGI
scripts hosted on the control server.

2) The malware made connections to a control server on 218.241.153.61 using the host name
www.macfeeresponse.org. The IP address 218.241.153.61 is assigned to BITNET (Beijing
Bitone United Networks) in Beijing, China. The malware on the infected computer used
HTTP to connect to a file to inform the control server of the infected computer’s status
and download commands. In addition, connections were made via HTTP to CGI scripts. The
infected computer used HTTP POST to submit data to CGI scripts hosted on the control
server. Connections to one CGI script appear to inform the control server of the presence of
particular documents, while connections to a second CGI script appear to cause the infected
computer to upload documents to the control server using HTTP POST.

Instances of malware that connect to control server locations www.lookbytheway.net and
www.macfeeresponse.org have been analysed by security companies.44 This network extends to a variety
of domain names including:

• www.lookbytheway.com – 210.51.7.155
• www.macfeeresponse.com – 210.51.7.155
• www.msnppt.net – 221.5.250.98
• www.msnxy.net – 210.51.7.155
• www.msnyf.com – 221.5.250.98
• www.networkcia.com – 210.51.7.155
• www.indexnews.org – 61.188.87.58
• www.indexindian.com – 210.51.7.155
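The command-and-control behaviour described above (an HTTP fetch to report status and collect commands, followed by HTTP POSTs to two CGI scripts, one inventorying documents and one receiving uploads) can be turned into a simple network detection. The following Python is an added example, not code from the report or the Information Warfare Monitor: it assumes a hypothetical, constructed proxy-log format and constructed sample lines, and uses only the control-server host names and IP addresses listed in this part of the report.

```python
import re
from collections import defaultdict
# Control-server hosts and IPs named in Part Two of the report.
GHOSTNET_C2 = {
    "www.macfeeresponse.org", "www.macfeeresponse.com", "www.lookbytheway.net",
    "www.lookbytheway.com", "www.msnppt.net", "www.msnxy.net", "www.msnyf.com",
    "www.networkcia.com", "www.indexnews.org", "www.indexindian.com",
    "218.241.153.61", "210.51.7.155", "221.5.250.98", "61.188.87.58",
}
# Constructed proxy-log format (hypothetical): client method host path status bytes_sent
LOG_RE = re.compile(r"^(\S+) (GET|POST) (\S+) (\S+) (\d{3}) (\d+)$")

def parse(line):
    m = LOG_RE.match(line.strip())
    if not m:
        return None   # unparseable lines are skipped, not treated as matches
    client, method, host, path, status, sent = m.groups()
    return {"client": client, "method": method, "host": host,
            "path": path, "status": int(status), "bytes": int(sent)}
def analyse(lines):
    """Return {client: finding} for clients that beacon to a listed control
    server AND POST to CGI scripts there, the sequence the report describes."""
    state = defaultdict(lambda: {"beacons": 0, "cgi": set(), "post_bytes": 0})
    for line in lines:
        rec = parse(line)
        if rec is None or rec["host"] not in GHOSTNET_C2:
            continue
        c = state[rec["client"]]
        if rec["method"] == "GET":
            c["beacons"] += 1           # status/command fetch; a 404 is still a beacon
        elif rec["path"].lower().endswith(".cgi"):
            c["cgi"].add(rec["path"])   # one CGI lists documents, another receives uploads
            c["post_bytes"] += rec["bytes"]
    findings = {}
    for client, c in state.items():
        if c["beacons"] and c["cgi"]:
            # Two distinct CGI endpoints plus a large POST body match inventory-then-upload.
            exfil = len(c["cgi"]) >= 2 and c["post_bytes"] > 10_000
            findings[client] = {"severity": "likely exfiltration" if exfil else "beacon + CGI POST",
                                "cgi": sorted(c["cgi"])}
    return findings

# Constructed sample traffic (not from the report's captures); CGI names are placeholders.
SAMPLE_LOG = """\
10.0.0.5 GET www.macfeeresponse.org /status.txt 404 0
10.0.0.5 POST www.macfeeresponse.org /cgi-bin/list.cgi 200 512
10.0.0.5 POST www.macfeeresponse.org /cgi-bin/upload.cgi 200 248000
10.0.0.12 GET 218.241.153.61 /status.txt 200 0
""".splitlines()
```

Run `analyse(SAMPLE_LOG)` to see that only the client which both beaconed and posted to two CGI scripts is reported; the client that merely fetched a status file is recorded but not flagged.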

During the in situ investigation at the Dalai Lama’s private office we observed several documents
being exfiltrated from the computer network and uploaded to www.macfeeresponse.org, including
a document containing thousands of email addresses and one detailing and discussing the Dalai
Lama’s envoy’s negotiating position. (see Fig. 5 - p. 26)

Our investigators did not have access to the stolen documents for reasons of confidentiality.
However, we can assume their significance to Sino-Tibetan negotiations. One example is the fact
that GhostNet penetrated computers of organizations involved in China-TGIE negotiations.45

44 See http://www.threatexpert.com/report.aspx?md5=79f7f4695b8878cf1760e8626129ca88 and
http://www.threatexpert.com/report.aspx?md5=ea03a7359505e19146994ad77b2a1e46

45 Lodi Gyari is the lead person designated by the Dalai Lama to coordinate negotiations with the Chinese government. Our investigator
interviewed him in December 2008 in Delhi. We briefed him on our ongoing investigation and offered advice on information security
while engaged in negotiations in Beijing. Lodi Gyari is also the Executive Chairman of the Board of the International Campaign for
Tibet (ICT), an independent Washington-based human rights advocacy group. (Note that our investigation uncovered that seven of
ICT’s computers were compromised by GhostNet.)


Page 27


Fig. 5
Malware retrieving a sensitive document.

This screen capture of the Wireshark network analysis tool shows an infected computer at the Office of His Holiness the Dalai Lama uploading a
sensitive document to one of the CGI network’s control servers.

Page 52

51

About the Information Warfare Monitor
http://infowar-monitor.net/

The Information Warfare Monitor is an advanced research activity tracking the emergence of cyberspace
as a strategic domain. We are an independent research effort. Our mission is to build and broaden the
evidence base available to scholars, policymakers, and others. We aim to educate and inform.

The Information Warfare Monitor is a public-private venture between two Canadian institutions: The
SecDev Group, an operational think tank based in Ottawa (Canada), and the Citizen Lab at the Munk
Centre for International Studies, University of Toronto. The Principal Investigators and
co-founders of the Information Warfare Monitor are Rafal Rohozinski (The SecDev Group) and
Ronald Deibert (Citizen Lab).

The Information Warfare Monitor is supported by The SecDev Group which conducts field-based
investigations and data gathering. Our advanced research and analysis facilities are located at the
Citizen Lab. IWM is part of the Citizen Lab’s network of advanced research projects, which include the
OpenNet Initiative and ONI Asia.

The Information Warfare Monitor also benefits from donations from a variety of sponsors including
Psiphon Inc, and Palantir Technologies.

The Information Warfare Monitor engages in three primary activities:

1. Case Studies. We design and carry out active case study research. These are self-generated
activities consistent with our mission.

We employ a rigorous and multidisciplinary approach to all our case studies blending qualitative, technical,
and quantitative methods. As a general rule, our investigations consist of at least two components:

Field-based investigations. We engage in qualitative research among affected
target audiences and employ techniques that include interviews, long-term in situ
interaction with our partners, and extensive technical data collection involving
system monitoring, network reconnaissance, and interrogation. Our field-based teams
are supported by senior analysts and regional specialists, including social scientists,
computer security professionals, policy experts, and linguists, who provide additional
contextual support and substantive back-up.

Technical scouting and laboratory analysis. Data collected in the field is rigorously
analysed using a variety of advanced data fusion and visualization methods. Leads
developed on the basis of infield activities are pursued through “technical scouting,”
including computer network investigations, and the resulting data and analysis
is shared with our infield teams and partners for verification and for generating
additional entry points for follow-on investigations.

Page 53

52

2. Open Source Trend Analysis. We collect open-source information from the press and other
sources tracking global trends in cyberspace. These are published on our public website.

3. Analytical Workshops and Outreach. We work closely with academia, human rights
organizations, and the defense and intelligence community. We publish reports, and occasionally
conduct joint workshops. Our work is independent, and not subject to government classification. Our
goal is to encourage vigorous debate around critical policy issues. This includes engaging in ethical
and legal considerations of information operations, computer network attacks, and computer network
exploitation, including the targeted use of Trojans and malware, denial of service attacks, and
content filtering.

About The SecDev Group
http://www.secdev.ca

The SecDev Group is a Canadian-based operational consultancy focused on countries and regions at
risk from violence and insecurity. We deliver to our clients insights and access to a diverse range
of cultures, audiences, challenging environments and ungoverned spaces. Our approach combines
a field research capability with advanced techniques and methods for generating policy-relevant
analysis and solutions. As a think tank, we identify and communicate realistic options to enhance
effectiveness through evidence-based research on the causes, consequences and trajectories of
insecurity and violence. We are operational because we design and conduct activities in complex and
insecure environments.

About The Citizen Lab
http://www.citizenlab.org

The Citizen Lab is an interdisciplinary laboratory based at the Munk Centre for International Studies at
the University of Toronto, Canada focusing on advanced research and development at the intersection
of digital media and world politics. We are a hothouse that combines the disciplines of political
science, sociology, computer science, engineering, and graphic design. Our mission is to undertake
advanced research and engage in development that monitors, analyses, and impacts the exercise of
political power in cyberspace. The Citizen Lab’s ongoing research network includes the Information
Warfare Monitor and the OpenNet Initiative, ONI Asia, and benefits from collaborative partnerships
with academic institutions, NGOs, and other partners in all regions of the world.
