Join our Mailing List

"Canada can, within a positive friendly atmosphere, ask the Chinese government to resolve the Tibetan situation."

Vast spy system loots computers in 103 countries

March 30, 2009

By John Markoff
The New York Times
Sunday, March 29, 2009

TORONTO -- A vast electronic spying operation has
infiltrated computers and has stolen documents
from hundreds of government and private offices
around the world, including those of the Dalai
Lama, Canadian researchers have concluded.

In a report to be issued this weekend, the
researchers said that the system was being
controlled from computers based almost
exclusively in China, but that they could not say
conclusively that the Chinese government was involved.

The researchers, who are based at the Munk Center
for International Studies at the University of
Toronto, had been asked by the office of the
Dalai Lama, the exiled Tibetan leader whom China
regularly denounces, to examine its computers for
signs of malicious software, or malware.

Their sleuthing opened a window into a broader
operation that, in less than two years, has
infiltrated at least 1,295 computers in 103
countries, including many belonging to embassies,
foreign ministries and other government offices,
as well as the Dalai Lama's Tibetan exile centers
in India, Brussels, London and New York.

The researchers, who have a record of detecting
computer espionage, said they believed that in
addition to the spying on the Dalai Lama, the
system, which they called GhostNet, was focused
on the governments of South Asian and Southeast Asian countries.

Intelligence analysts say many governments,
including those of China, Russia and the United
States, and other parties use sophisticated
computer programs to covertly gather information.

The newly reported spying operation is by far the
largest to come to light in terms of countries affected.

This is also believed to be the first time
researchers have been able to expose the workings
of a computer system used in an intrusion of this magnitude.

Still going strong, the operation continues to
invade and monitor more than a dozen new
computers a week, the researchers said in their
report, "Tracking 'GhostNet': Investigating a
Cyber Espionage Network." They said they had
found no evidence that United States government
offices had been infiltrated, although a NATO
computer was monitored by the spies for half a
day and computers of the Indian Embassy in Washington were infiltrated.

The malware is remarkable both for its sweep ? in
computer jargon, it has not been merely
"phishing" for random consumers' information, but
"whaling" for particular important targets ? and
for its Big Brother-style capacities. It can, for
example, turn on the camera and audio-recording
functions of an infected computer, enabling
monitors to see and hear what goes on in a room.
The investigators say they do not know if this facet has been employed.

The researchers were able to monitor the commands
given to infected computers and to see the names
of documents retrieved by the spies, but in most
cases the contents of the stolen files have not
been determined. Working with the Tibetans,
however, the researchers found that specific
correspondence had been stolen and that the
intruders had gained control of the electronic
mail server computers of the Dalai Lama's organization.

The electronic spy game has had at least some
real-world impact, they said. For example, they
said, after an e-mail invitation was sent by the
Dalai Lama's office to a foreign diplomat, the
Chinese government made a call to the diplomat
discouraging a visit. And a woman working for a
group making Internet contacts between Tibetan
exiles and Chinese citizens was stopped by
Chinese intelligence officers on her way back to
Tibet, shown transcripts of her online
conversations and warned to stop her political activities.

The Toronto researchers said they had notified
international law enforcement agencies of the
spying operation, which in their view exposed
basic shortcomings in the legal structure of
cyberspace. The F.B.I. declined to comment on the operation.

Although the Canadian researchers said that most
of the computers behind the spying were in China,
they cautioned against concluding that China's
government was involved. The spying could be a
nonstate, for-profit operation, for example, or
one run by private citizens in China known as "patriotic hackers."

"We're a bit more careful about it, knowing the
nuance of what happens in the subterranean
realms," said Ronald J. Deibert, a member of the
research group and an associate professor of
political science at Munk. "This could well be
the C.I.A. or the Russians. It's a murky realm that we're lifting the lid on."

A spokesman for the Chinese Consulate in New York
dismissed the idea that China was involved.
"These are old stories and they are nonsense,"
the spokesman, Wenqi Gao, said. "The Chinese
government is opposed to and strictly forbids any cybercrime."

The Toronto researchers, who allowed a reporter
for The New York Times to review the spies'
digital tracks, are publishing their findings in
Information Warfare Monitor, an online
publication associated with the Munk Center.

At the same time, two computer researchers at
Cambridge University in Britain who worked on the
part of the investigation related to the
Tibetans, are releasing an independent report.
They do fault China, and they warned that other
hackers could adopt the tactics used in the malware operation.

"What Chinese spooks did in 2008, Russian crooks
will do in 2010 and even low-budget criminals
from less developed countries will follow in due
course," the Cambridge researchers, Shishir
Nagaraja and Ross Anderson, wrote in their
report, "The Snooping Dragon: Social Malware
Surveillance of the Tibetan Movement."

In any case, it was suspicions of Chinese
interference that led to the discovery of the spy
operation. Last summer, the office of the Dalai
Lama invited two specialists to India to audit
computers used by the Dalai Lama's organization.
The specialists, Greg Walton, the editor of
Information Warfare Monitor, and Mr. Nagaraja, a
network security expert, found that the computers
had indeed been infected and that intruders had
stolen files from personal computers serving several Tibetan exile groups.

Back in Toronto, Mr. Walton shared data with
colleagues at the Munk Center's computer lab.

One of them was Nart Villeneuve, 34, a graduate
student and self-taught "white hat" hacker with
dazzling technical skills. Last year, Mr.
Villeneuve linked the Chinese version of the
Skype communications service to a Chinese
government operation that was systematically
eavesdropping on users' instant-messaging sessions.

Early this month, Mr. Villeneuve noticed an odd
string of 22 characters embedded in files created
by the malicious software and searched for it
with Google. It led him to a group of computers
on Hainan Island, off China, and to a Web site
that would prove to be critically important.

In a puzzling security lapse, the Web page that
Mr. Villeneuve found was not protected by a
password, while much of the rest of the system uses encryption.

Mr. Villeneuve and his colleagues figured out how
the operation worked by commanding it to infect a
system in their computer lab in Toronto. On March
12, the spies took their own bait. Mr. Villeneuve
watched a brief series of commands flicker on his
computer screen as someone ? presumably in China
? rummaged through the files. Finding nothing of
interest, the intruder soon disappeared.

Through trial and error, the researchers learned
to use the system's Chinese-language "dashboard"
? a control panel reachable with a standard Web
browser ? by which one could manipulate the more
than 1,200 computers worldwide that had by then been infected.

Infection happens two ways. In one method, a
user's clicking on a document attached to an
e-mail message lets the system covertly install
software deep in the target operating system.
Alternatively, a user clicks on a Web link in an
e-mail message and is taken directly to a "poisoned" Web site.

The researchers said they avoided breaking any
laws during three weeks of monitoring and
extensively experimenting with the system's
unprotected software control panel. They
provided, among other information, a log of
compromised computers dating to May 22, 2007.

They found that three of the four control servers
were in different provinces in China ? Hainan,
Guangdong and Sichuan ? while the fourth was
discovered to be at a Web-hosting company based in Southern California.

Beyond that, said Rafal A. Rohozinski, one of the
investigators, "attribution is difficult because
there is no agreed upon international legal
framework for being able to pursue investigations
down to their logical conclusion, which is highly local."
CTC National Office 1425 René-Lévesque Blvd West, 3rd Floor, Montréal, Québec, Canada, H3G 1T7
T: (514) 487-0665
Developed by plank