GhostNet (simplified Chinese: ; traditional Chinese: ; pinyin: ) is the name given by researchers at the Information Warfare Monitor to a large-scale cyber spying operation discovered in March 2009. The operation is likely associated with an Advanced Persistent Threat. Its command and control infrastructure is based mainly in the People's Republic of China and has infiltrated high-value political, economic and media locations in 103 countries. Computer systems belonging to embassies, foreign ministries and other government offices, and the Dalai Lama's Tibetan exile centers in India, London and New York City were compromised.
GhostNet was discovered and named following a 10-month investigation by the Infowar Monitor (IWM), carried out after IWM researchers approached the Dalai Lama's representative in Geneva suspecting that their computer network had been infiltrated. The IWM is composed of researchers from The SecDev Group and Canadian consultancy and the Citizen Lab, Munk Centre for International Studies at the University of Toronto; the research findings were published in the Infowar Monitor, an affiliated publication. Researchers from the University of Cambridge's Computer Laboratory, supported by the Institute for Information Infrastructure Protection, also contributed to the investigation at one of the three locations in Dharamshala, where the Tibetan government-in-exile is located. The discovery of the 'GhostNet', and details of its operations, were reported by The New York Times on March 29, 2009. Investigators focused initially on allegations of Chinese cyber-espionage against the Tibetan exile community, such as instances where email correspondence and other data were extracted.
Compromised systems were discovered in the embassies of India, South Korea, Indonesia, Romania, Cyprus, Malta, Thailand, Taiwan, Portugal, Germany and Pakistan and the office of the Prime Minister of Laos. The foreign ministries of Iran, Bangladesh, Latvia, Indonesia, Philippines, Brunei, Barbados and Bhutan were also targeted. No evidence was found that U.S. or UK government offices were infiltrated, although a NATO computer was monitored for half a day and the computers of the Indian embassy in Washington, D.C., were infiltrated.
Since its discovery, GhostNet has attacked other government networks, for example Canadian official financial departments in early 2011, forcing them off-line. Governments commonly do not admit such attacks, which must be verified by official but anonymous sources.
Emails are sent to target organizations that contain contextually relevant information. These emails contain malicious attachments, that when opened, drop a Trojan horse on to the system. This Trojan connects back to a control server, usually located in China, to receive commands. The infected computer will then execute the command specified by the control server. Occasionally, the command specified by the control server will cause the infected computer to download and install a Trojan known as Gh0st Rat that allows attackers to gain complete, real-time control of computers running Microsoft Windows. Such a computer can be controlled or inspected by attackers, and the software even has the ability to turn on camera and audio-recording functions of infected computers, enabling monitors to perform surveillance.
The researchers from the IWM stated they could not conclude that the Chinese government was responsible for the spy network. However, a report from researchers at the University of Cambridge says they believe that the Chinese government is behind the intrusions they analyzed at the Office of the Dalai Lama.
Researchers have also noted the possibility that GhostNet was an operation run by private citizens in China for profit or for patriotic reasons, or created by intelligence agencies from other countries such as Russia or the United States. The Chinese government has stated that China "strictly forbids any cyber crime."
The "Ghostnet Report" documents several unrelated infections at Tibetan-related organizations in addition to the Ghostnet infections. By using the email addresses provided by the IWM report, Scott J. Henderson had managed to trace one of the operators of one of the infections (non-Ghostnet) to Chengdu. He identifies the hacker as a 27-year-old man who had attended the University of Electronic Science and Technology of China, and currently connected with the Chinese hacker underground.
Despite the lack of evidence to pinpoint the Chinese government as responsible for intrusions against Tibetan-related targets, researchers at Cambridge have found actions taken by Chinese government officials that corresponded with the information obtained via computer instrusions. One such incident involved a diplomat who was pressured by Beijing after receiving an email invitation to a visit with the Dalai Lama from his representatives.
Another incident involved a Tibetan woman who was interrogated by Chinese intelligence officers and was shown transcripts of her online conversations. However, there are other possible explanations for this event. Drelwa uses QQ and other instant messengers to communicate with Chinese Internet users. In 2008, IWM found that TOM-Skype, the Chinese version of Skype, was logging and storing text messages exchanged between users. It is possible that the Chinese authorities acquired the chat transcripts through these means.
IWM researchers have also found that when detected, GhostNet is consistently controlled from IP addresses located on the island of Hainan, China, and have pointed out that Hainan is home to the Lingshui signals intelligence facility and the Third Technical Department of the People's Liberation Army. Furthermore, one of GhostNet's four control servers has been revealed to be a government server.
Manage research, learning and skills at defaultLogic. Create an account using LinkedIn or facebook to manage and organize your IT knowledge. defaultLogic works like a shopping cart for information -- helping you to save, discuss and share.