GhostNet is the name given by researchers at the Information Warfare Monitor to a large-scale cyber spying operation discovered in March 2009. The operation is likely associated with an advanced persistent threat, or a network actor that spies undetected. Its command and control infrastructure is based mainly in the People's Republic of China, and GhostNet has infiltrated high-value political, economic and media locations in 103 countries. Computer systems belonging to embassies, foreign ministries and other government offices, and the Dalai Lama's Tibetan exile centers in India, London and New York City were compromised.
Discovery
GhostNet was discovered and named following a 10-month investigation by the Infowar Monitor (IWM), carried out after IWM researchers approached the Dalai Lama's representative in Geneva suspecting that their computer network had been infiltrated. The IWM is composed of researchers from The SecDev Group, a Canadian consultancy, and the Citizen Lab, Munk School of Global Affairs at the University of Toronto; the research findings were published in the ''Infowar Monitor'', an affiliated publication. Researchers from the University of Cambridge's Computer Laboratory, supported by the Institute for Information Infrastructure Protection, also contributed to the investigation at one of the three locations in Dharamshala, where the Tibetan government-in-exile is located. The discovery of the 'GhostNet', and details of its operations, were reported by ''The New York Times'' on March 29, 2009.
Investigators focused initially on allegations of Chinese cyber-espionage against the Tibetan exile community, such as instances where email correspondence and other data were extracted. ["China-based spies target Thailand". ''Bangkok Post'', March 30, 2009. Retrieved on March 30, 2009.]
Compromised systems were discovered in the embassies of India, South Korea, Indonesia, Romania, Cyprus, Malta, Thailand, Taiwan, Portugal, Germany and Pakistan, and the office of the Prime Minister of Laos. The foreign ministries of Iran, Bangladesh, Latvia, Indonesia, Philippines, Brunei, Barbados and Bhutan were also targeted. No evidence was found that U.S. or U.K. government offices were infiltrated, although a NATO computer was monitored for half a day and the computers of the Indian embassy in Washington, D.C., were infiltrated.
Since its discovery, GhostNet has attacked other government networks, for example Canadian official financial departments in early 2011, forcing them off-line. Governments commonly do not admit such attacks, which must be verified by official but anonymous sources.
Technical functionality
Emails containing contextually relevant information are sent to target organizations. These emails carry malicious attachments that, when opened, enable a Trojan horse to access the system. This Trojan connects back to a control server, usually located in China, to receive commands. The infected computer will then execute the command specified by the control server. Occasionally, the command specified by the control server will cause the infected computer to download and install a Trojan known as Gh0st Rat that allows attackers to gain complete, real-time control of computers running Microsoft Windows. Such a computer can be controlled or inspected by attackers, and the software even has the ability to turn on camera and audio-recording functions of infected computers, enabling attackers to perform surveillance.
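As an added example (not part of the original article or the IWM report), here is a defender-side triage check for the control-server connection described above. It assumes the publicly documented packet layout of the original open-source Gh0st RAT build: a 5-byte `Gh0st` marker, two little-endian 32-bit lengths, then a zlib-compressed body. That layout is not stated on this page, variants change the marker, and every flow below is constructed.

```python
import struct
import zlib

# Layout assumed from public analyses of the original Gh0st RAT source,
# not from this page: marker | total length | inflated length | zlib body.
MAGIC = b"Gh0st"
HEADER_LEN = len(MAGIC) + 8      # marker + two little-endian uint32 fields
MAX_INFLATE = 1 << 20            # never inflate more than 1 MiB while triaging


def classify_payload(payload: bytes):
    """Classify the first bytes of a TCP stream.

    Returns None (no marker), "partial" (plausible header, body truncated),
    "confirmed" (body inflates to the declared size) or "header-only"
    (marker present but the length fields or body do not check out).
    """
    if len(payload) < HEADER_LEN or not payload.startswith(MAGIC):
        return None
    total_len, raw_len = struct.unpack_from("<II", payload, len(MAGIC))
    if total_len < HEADER_LEN or raw_len > MAX_INFLATE:
        return "header-only"
    if len(payload) < total_len:
        return "partial"
    inflater = zlib.decompressobj()
    try:
        # Cap the output so a forged length field cannot exhaust memory.
        out = inflater.decompress(payload[HEADER_LEN:total_len], raw_len + 1)
    except zlib.error:
        return "header-only"
    return "confirmed" if inflater.eof and len(out) == raw_len else "header-only"


def build_constructed_packet(body: bytes) -> bytes:
    """Build a constructed test packet in the assumed layout (not captured traffic)."""
    packed = zlib.compress(body)
    return MAGIC + struct.pack("<II", HEADER_LEN + len(packed), len(body)) + packed


def triage(flows):
    """Return {flow_id: verdict} for flows whose first payload carries the marker."""
    verdicts = {}
    for flow_id, first_payload in flows:
        verdict = classify_payload(first_payload)
        if verdict is not None:
            verdicts[flow_id] = verdict
    return verdicts


if __name__ == "__main__":
    good = build_constructed_packet(b"constructed body, not real implant data")
    flows = [  # constructed sample flows using documentation address ranges
        ("10.0.0.5:49152->203.0.113.7:80", good),
        ("10.0.0.5:49153->198.51.100.2:80", b"GET / HTTP/1.1\r\n\r\n"),
        ("10.0.0.9:49154->203.0.113.7:80", good[:HEADER_LEN + 3]),
    ]
    for flow_id, verdict in triage(flows).items():
        print(verdict, flow_id)
```

A "header-only" verdict is a lead rather than a conclusion: the marker can appear by coincidence, and a modified build may keep the marker while changing the body encoding.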
Origin
The researchers from the IWM stated they could not conclude that the Chinese government was responsible for the spy network. However, a report from researchers at the University of Cambridge says they believe that the Chinese government is behind the intrusions they analyzed at the Office of the Dalai Lama.
Researchers have also noted the possibility that GhostNet was an operation run by private citizens in China for profit or for patriotic reasons, or created by intelligence agencies from other countries such as Russia or the United States. The Chinese government has stated that China "strictly forbids any cyber crime."
The "Ghostnet Report" documents several unrelated infections at Tibetan-related organizations in addition to the Ghostnet infections. By using the email addresses provided by the IWM report, Scott J. Henderson had managed to trace one of the operators of one of the infections (non-Ghostnet) to Chengdu. He identifies the hacker as a 27-year-old man who had attended the University of Electronic Science and Technology of China, and is currently connected with the Chinese hacker underground.
Despite the lack of evidence to pinpoint the Chinese government as responsible for intrusions against Tibetan-related targets, researchers at Cambridge have found actions taken by Chinese government officials that corresponded with the information obtained via computer intrusions. One such incident involved a diplomat who was pressured by Beijing after receiving an email invitation to a visit with the Dalai Lama from his representatives.
Another incident involved a Tibetan woman who was interrogated by Chinese intelligence officers and was shown transcripts of her online conversations. ["Tracking GhostNet: Investigating a Cyber Espionage Network". Munk Centre for International Studies. March 29, 2009.] However, there are other possible explanations for this event. Drelwa uses QQ and other instant messengers to communicate with Chinese Internet users. In 2008, IWM found that TOM-Skype, the Chinese version of Skype, was logging and storing text messages exchanged between users. It is possible that the Chinese authorities acquired the chat transcripts through these means.
IWM researchers have also found that when detected, GhostNet is consistently controlled from IP addresses located on the island of Hainan, China, and have pointed out that Hainan is home to the Lingshui signals intelligence facility and the Third Technical Department of the People's Liberation Army. Furthermore, one of GhostNet's four control servers has been revealed to be a ["Meet the Canadians who busted Ghostnet". ''The Globe and Mail'', March 29, 2009.]
See also
* Advanced persistent threat
* Chinese intelligence activity abroad
* Chinese cyberwarfare
* Chinese espionage in the United States
* Cyber-warfare
* Economic and industrial espionage
* Honker Union
* Internet censorship in China
* Operation Aurora
* RedHack (from Turkey)
* Titan Rain
* Shadow Network
* 14th Dalai Lama
External links
The SecDev Group
Citizen Lab at the University of Toronto
Tracking GhostNet: Investigating a Cyber Espionage Network (Infowar Monitor Report (SecDev and Citizen Lab), March 29, 2009)
Mirror of the report PDF
Information Warfare Monitor - Tracking Cyberpower (University of Toronto, Canada/Munk Centre)
Twitter: InfowarMonitor
* Bodmer, Kilger, Carpenter, & Jones (2012). Reverse Deception: Organized Cyber Threat Counter-Exploitation. New York: McGraw-Hill Osborne Media.