China Cyberspying Alleged

April 11, 2010

Friday, April 09, 2010

Computer security researchers in Canada have monitored a China-based
cyber-spying organization over the last eight months, as the group attempted
to steal sensitive information from foreign governments.

The researchers, from the Citizen Lab at the University of Toronto's Munk
Center and the Ottawa-based SecDev Group, said Tuesday in a joint report
that while several documents were stolen from the Indian Defense Ministry,
the hackers were unable to gain access to sensitive information stored on
the computer system of the Tibetan government-in-exile.

Documents stolen from the Indian Defense Ministry included classified
assessments of security in several Indian states, and confidential embassy
documents about Indian international policy, the researchers said.

But the hacker group, referred to as the Shadow Network, succeeded only in
retrieving a year's worth of the Dalai Lama's personal e-mail messages.

Greg Walton, a fellow at Citizen Lab, said that computers at the office of
the Tibetan government-in-exile have been storing sensitive information
offline following last year's discovery of the Ghostnet hacking breach that
was also traced back to servers in China.

"The correspondence that were exfiltrated - the e-mails that were stolen and
taken back to servers in China - really weren't all that sensitive," he said.

Walton added that the Dalai Lama, Tibet's exiled spiritual leader, had
instructed his government to work with researchers to avoid future security
compromises following last year's attacks.

"His Holiness has insisted throughout this process on transparency and
provided access to independent academic researchers and scholars to perform
a thorough and independent examination of his systems," Walton said.

China-based attacks

The researchers said the Shadow Network attacks appear to have originated in
China's southwestern Sichuan province, and that given the sophistication of
the spy ring and their targets, it is possible Beijing had given the hackers
a green light to proceed.

Nart Villeneuve, a senior fellow at Citizen Lab, said researchers were able
to trace email addresses they discovered from the attacks back to
"individuals associated with the underground hacking community in China."

But he said that it remains unclear what relationship the Shadow Network
has, if any, with the Chinese government.

"We did not find any hard evidence that links these attacks to the Chinese
government. In fact, we've actually had very healthy cooperation with the
Chinese CERT," Villeneuve said, referring to China's Computer Emergency
Response Team.

"[They] are actively working to understand what we've uncovered and have
indicated that they will work to deal with this botnet the way they deal
with any other botnet, and that is to investigate it and to try to shut it

Ye Lao, a propaganda official in the Sichuan capital of Chengdu, said the
Chinese government played no role in the attacks, adding that Beijing
considers hacking a serious social problem that must be eliminated.

Search engine giant Google claimed earlier this year that its China
operations, and those of several other companies, had come under attack from
hackers located within the country.

The researchers said China has recently become the source of many attacks
because of lax security practices by local infrastructure providers, adding
that there is growing evidence to suggest a number of hackers have moved to
the country from countries including Russia and Ukraine to exploit this

False e-mails

The researchers explained that the Shadow Network was able to gain remote
control of its victims' computers by gaining the trust of e-mail recipients.

E-mails were sent including URL address links with newsworthy themes or
specific information that related to the recipient gleaned from a previous

Alternatively, Word documents, ZIP files, or PDF files would be sent as
attachments in e-mails.

When the recipient clicks on a link or opens an attachment, a virus is
activated that tries to exploit flaws in the software used to view it, and
if the user is running a version that lacks the necessary security update,
the hacker can gain access to the system.

The virus then notifies the hacker that the software can be remotely
controlled and used to send files to external servers.

The system is similar to that used by Ghostnet servers, believed to be based
on the southeastern Chinese island of Hainan, to steal documents from the
Dalai Lama and governments and corporations in more than 100 countries last

Ron Deibert, director of Citizen Lab, said the scope of both attacks shows
the need for a more effective international effort to study and combat

"We believe that there needs to be action taken at a global level to ensure
that information between law enforcement, intelligence and researchers on
investigations like this can make its way to the right parties," he said.

"The fact of the matter is that in many developing countries, the dividing
line between organized crime and the government is not clear ... but we are
eager to work with those parts of the Chinese government that want to try to
solve this problem."

Original reporting by Joshua Lipes. Edited by Sarah Jackson-Han. Copyright ©
1998-2009, RFA. Used with the permission of Radio Free Asia, 2025 M St. NW,
Suite 300, Washington DC 20036.