Saturday, March 28, 2009

GhostNet: Huge Chinese Spy System Infects Computers Worldwide

Canadian researchers have uncovered a huge Chinese spying operation which has infiltrated computers in hundreds of government and private offices around the world, including those of the Dalai Lama.

In fact, according to a report in the New York Times, the search for answers began when the researchers, who are based at the Munk Center for International Studies at the University of Toronto, had been asked by the office of the Dalai Lama to examine its computers for signs of malware.

The investigation eventually uncovered a widespread network, dubbed GhostNet, which, according to the researchers, has infiltrated approximately 1,300 computers in government offices, foreign ministries and similar institutions, as well as the offices belonging to the Dalai Lama, in 103 countries. Most of these infiltrations appear to be in Southeast Asia.

The report, titled "Tracking GhostNet: Investigating a Cyber Espionage Network" is due to be released this weekend.

Besides what you might expect such a program to do, snooping and extracting data, perhaps including emails and documents, the researchers said that GhostNet can turn on any cameras or microphones attached to an infected PC, turning it into a bug. However, the researchers were unsure if this feature has been used.

As I said, the computers involved in this operation are, for the most part, in China, but the researchers were quick to point out that there is no solid evidence that the government of China itself is involved.

Ronald J. Deibert, a member of the research group and an associate professor of political science at Munk told the NYT:

“We’re a bit more careful about it, knowing the nuance of what happens in the subterranean realms. This could well be the C.I.A. or the Russians. It’s a murky realm that we’re lifting the lid on.”

Meanwhile, two researchers at Cambridge University in Britain, Shishir Nagaraja and Ross Anderson, who also worked on the part of the investigation related to the Tibetans, released their own report (.PDF), "The Snooping Dragon: Social Malware Surveillance of the Tibetan Movement," in which they indeed blame China for the attacks.

While malware attacks are not new, two aspects of this case make it worth serious study. First, it was a targeted surveillance attack designed to collect actionable intelligence for use by the police and security services of a repressive state, with potentially fatal consequences for those exposed. Second, the modus operandi combined social phishing with high-grade malware. This combination of well-written malware with well-designed email lures, which we call social malware, is devastatingly effective.

Further, the researchers in the second report feel the tactics used by China may, in the future, be used by other, non-governmental groups.

Thus social malware is unlikely to remain a tool of governments. Certainly organisations of interest to governments should take proper precautions now, but other firms had better start to think about what it will mean for them when social malware attacks become widespread. What Chinese spooks did in 2008, Russian crooks will do in 2010, and even low-budget criminals from less developed countries will follow in due course.

1 comment:

Anonymous said...

Interesting points on extracting data. For simple stuff I use Python to get or simplify data; data extraction can be a time-consuming process, but for larger projects like documents, the web, or files I tried "extracting data", which worked great. They build quick custom screen scrapers, extracting data, and data parsing programs.