GhostNet

GhostNet is the name given by researchers at the Information Warfare Monitor to a large-scale cyber spying operation discovered in March 2009. The operation is likely associated with an advanced persistent threat, or a network actor that spies undetected. Its command and control infrastructure is based mainly in the People's Republic of China, and GhostNet has infiltrated high-value political, economic and media locations in 103 countries. Computer systems belonging to embassies, foreign ministries and other government offices, and the Dalai Lama's Tibetan exile centers in India, London and New York City were compromised.


Discovery

GhostNet was discovered and named following a 10-month investigation by the Infowar Monitor (IWM), carried out after IWM researchers approached the Dalai Lama's representative in Geneva suspecting that their computer network had been infiltrated. The IWM is composed of researchers from The SecDev Group, a Canadian consultancy, and the Citizen Lab at the Munk Centre for International Studies at the University of Toronto; the research findings were published in the ''Infowar Monitor'', an affiliated publication. Researchers from the University of Cambridge's Computer Laboratory, supported by the Institute for Information Infrastructure Protection, also contributed to the investigation at one of the three locations in Dharamshala, where the Tibetan government-in-exile is located. The discovery of 'GhostNet', and details of its operations, were reported by ''The New York Times'' on March 29, 2009. Investigators focused initially on allegations of Chinese cyber-espionage against the Tibetan exile community, such as instances where email correspondence and other data were extracted. ("China-based spies target Thailand", ''Bangkok Post'', March 30, 2009. Retrieved on March 30, 2009.)

Compromised systems were discovered in the embassies of India, South Korea, Indonesia, Romania, Cyprus, Malta, Thailand, Taiwan, Portugal, Germany and Pakistan and the office of the Prime Minister of Laos. The foreign ministries of Iran, Bangladesh, Latvia, Indonesia, Philippines, Brunei, Barbados and Bhutan were also targeted. No evidence was found that U.S. or UK government offices were infiltrated, although a NATO computer was monitored for half a day and the computers of the Indian embassy in Washington, D.C., were infiltrated. Since its discovery, GhostNet has attacked other government networks, for example Canadian official financial departments in early 2011, forcing them off-line. Governments commonly do not admit such attacks, which must be verified by official but anonymous sources.


Technical functionality

Emails are sent to target organizations containing contextually relevant information. These emails carry malicious attachments that, when opened, enable a trojan horse to access the system. This Trojan connects back to a control server, usually located in China, to receive commands. The infected computer will then execute the command specified by the control server. Occasionally, the command specified by the control server will cause the infected computer to download and install a trojan known as Gh0st RAT that allows attackers to gain complete, real-time control of computers running Microsoft Windows. Such a computer can be controlled or inspected by attackers, and the software even has the ability to turn on the camera and audio-recording functions of infected computers, enabling attackers to perform surveillance.
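The call-back behaviour described above (a trojan contacting its control server on a schedule to fetch commands) is something a defender can hunt for in outbound connection logs. The script below is an added example, not code from the GhostNet report or the IWM; its log format, hosts, addresses and the min_hits/max_jitter thresholds are constructed.

```python
"""Flag hosts that call back to one external address on a fixed schedule, the
trojan-to-control-server pattern described above. Added illustration, not code
from the GhostNet report; log format, hosts, addresses and thresholds are constructed."""
from collections import defaultdict
from datetime import datetime
import ipaddress
import re
import statistics

# Constructed outbound connection records: timestamp, source host, destination.
# 10.0.0.5 contacts 203.0.113.7 every ~5 minutes (beacon-like);
# 10.0.0.9 browses a few sites at irregular times (ordinary traffic).
SAMPLE_LOG = """\
2009-03-10T08:00:00 10.0.0.5 -> 203.0.113.7:443
2009-03-10T08:00:04 10.0.0.9 -> 198.51.100.20:80
2009-03-10T08:05:01 10.0.0.5 -> 203.0.113.7:443
2009-03-10T08:07:40 10.0.0.9 -> 198.51.100.21:80
2009-03-10T08:09:58 10.0.0.5 -> 203.0.113.7:443
2009-03-10T08:15:00 10.0.0.5 -> 203.0.113.7:443
2009-03-10T08:16:12 10.0.0.9 -> 198.51.100.20:80
2009-03-10T08:20:02 10.0.0.5 -> 203.0.113.7:443
2009-03-10T08:24:59 10.0.0.5 -> 203.0.113.7:443
2009-03-10T08:31:05 10.0.0.9 -> 198.51.100.22:443
2009-03-10T08:33:00 10.0.0.9 -> 198.51.100.20:80
"""

LINE_RE = re.compile(r"^(\S+) (\S+) -> (\S+):(\d+)$")
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_internal(addr):
    """True for RFC 1918 addresses; internal-to-internal traffic is ignored."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL)

def parse_log(text):
    """Return (timestamp, src, dst) tuples; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append((datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)))
    return records

def find_beacons(records, min_hits=5, max_jitter=0.1):
    """Return sorted (src, dst) pairs with at least min_hits connections to one
    external address whose intervals vary by less than max_jitter of the mean."""
    by_pair = defaultdict(list)
    for ts, src, dst in records:
        if not is_internal(dst):
            by_pair[(src, dst)].append(ts)
    flagged = []
    for pair, times in by_pair.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean < max_jitter:
            flagged.append(pair)
    return sorted(flagged)

if __name__ == "__main__":
    for src, dst in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"possible beacon: {src} -> {dst}")
```

Real implants add jitter and may rotate destinations, so treat hits as leads for analyst review rather than verdicts.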


Origin

The researchers from the IWM stated they could not conclude that the Chinese government was responsible for the spy network. However, a report from researchers at the University of Cambridge says they believe that the Chinese government is behind the intrusions they analyzed at the Office of the Dalai Lama. Researchers have also noted the possibility that GhostNet was an operation run by private citizens in China for profit or for patriotic reasons, or created by intelligence agencies from other countries such as Russia or the United States. The Chinese government has stated that China "strictly forbids any cyber crime." The "Ghostnet Report" documents several unrelated infections at Tibetan-related organizations in addition to the Ghostnet infections. Using the email addresses provided in the IWM report, Scott J. Henderson managed to trace one of the operators of one of the (non-Ghostnet) infections to Chengdu. He identifies the hacker as a 27-year-old man who had attended the University of Electronic Science and Technology of China and is currently connected with the Chinese hacker underground. Despite the lack of evidence to pinpoint the Chinese government as responsible for intrusions against Tibetan-related targets, researchers at Cambridge have found actions taken by Chinese government officials that corresponded with the information obtained via computer intrusions. One such incident involved a diplomat who was pressured by Beijing after receiving an email invitation to a visit with the Dalai Lama from his representatives. Another incident involved a Tibetan woman who was interrogated by Chinese intelligence officers and was shown transcripts of her online conversations. ("Tracking GhostNet: Investigating a Cyber Espionage Network", Munk Centre for International Studies, March 29, 2009.)

However, there are other possible explanations for this event. Drelwa uses QQ and other instant messengers to communicate with Chinese Internet users. In 2008, IWM found that TOM-Skype, the Chinese version of Skype, was logging and storing text messages exchanged between users. It is possible that the Chinese authorities acquired the chat transcripts through these means. IWM researchers have also found that when detected, GhostNet is consistently controlled from IP addresses located on the island of Hainan, China, and have pointed out that Hainan is home to the Lingshui signals intelligence facility and the Third Technical Department of the People's Liberation Army. Furthermore, one of GhostNet's four control servers has been revealed to be a [...]. ("Meet the Canadians who busted Ghostnet", ''The Globe and Mail'', March 29, 2009.)


See also

* Advanced persistent threat
* Chinese intelligence activity abroad
* Chinese cyberwarfare
* Chinese espionage in the United States
* Cyber-warfare
* Economic and industrial espionage
* Honker Union
* Internet censorship in China
* Operation Aurora
* RedHack (from Turkey)
* Titan Rain
* Shadow Network
* 14th Dalai Lama


External links

* The SecDev Group
* Citizen Lab at the University of Toronto
* Tracking GhostNet: Investigating a Cyber Espionage Network (Infowar Monitor Report (SecDev and Citizen Lab), March 29, 2009)
* Mirror of the report PDF
* Information Warfare Monitor - Tracking Cyberpower (University of Toronto, Canada/Munk Centre)
* Twitter: InfowarMonitor

Further reading

* Bodmer, Kilger, Carpenter, & Jones (2012). ''Reverse Deception: Organized Cyber Threat Counter-Exploitation''. New York: McGraw-Hill Osborne Media.