GhostNet Cyber Espionage Probe Still Has Loose Ends

Nearly three months after a report detailed an extensive, worldwide cyber espionage operation, many countries that were hacked may not have been formally notified yet.

Legal barriers have hampered efforts to contact many countries whose computers in embassies and ministries of foreign affairs were infected with malicious software capable of stealing data, said Nart Villeneuve, one of the authors of a detailed 53-page report that shed new light on the extent of cyber spying.

The report was written by analysts with the Information Warfare Monitor, a research project of the SecDev Group, a think tank, and the Munk Center for International Studies at the University of Toronto.

The analysts uncovered an operation nicknamed "GhostNet" that infected computers belonging Tibetan nongovernmental organizations and the private office of the Dalai Lama.

Further investigation showed the computers of 103 countries were infected as well as organizations such as the ASEAN (Association of Southeast Asian Nations) secretariat and the Asian Development Bank. Data was shipped to remote servers, many of which were located in China.

The report was one of the first publicly revealed investigations that showed how easy it was for hackers to target organizations through social engineering and malware attacks.

The hackers used commonly available malware, a remote access tool called gh0st RAT (Remote Access Tool), to steal sensitive documents, operate Web cams and completely control infected computers. In the case of the Tibetan NGOs, staffers received e-mail containing a Microsoft Word document that if opened exploited a known vulnerability that wasn't patched in the application.

A number of mistakes by the hackers allowed investigators to pinpoint servers used to collect data and the extent of the probes, Villeneuve said.

Villeneuve said detailed information on compromised computers has only been given to the Canadian Cyber Incident Response Center (CCIRC), the country's national cyber reporting center. The CCIRC is in the process of contacting some of the groups affected, he said.

The analysts who wrote the report felt that was the safest option, since they did not want to reveal exactly what computers had been compromised to countries that could potentially abuse the sensitive information.

"If you can imagine handing over this list of infected computers to the Chinese CERT (Computer Emergency Response Team), [that] would just be something I wouldn't be comfortable with," said Villeneuve, who spoke on the sidelines of the Conference on Cyber Warfare on Thursday in Tallinn, Estonia. "We felt we were kind of in this sort of legal vacuum."

Since the report named the nations affected, they are likely aware of what happened, Villeneuve said. But the fact that all have not been notified underscores the concerns over the sharing of information about cyber incidents.

Villeneuve said he was "paranoid and scared" about going to jail over his research, even though all of it was done in line with ethical standards and that a simple Google search turned up some of the most damning information about how GhostNet collected data.

"I'd rather not spook the authorities with having all of this information about infected, sensitive hosts," Villeneuve said. "We felt it was necessary to go through the proper channels, which as best we could tell was the Cyber Incident Response Center."

The report has served as a wake-up call to organizations about security. However, smaller NGOs often don't have the expertise to implement more thorough computer security even though a lack of it is a threat, Villeneuve said.

Since the report became public in March, GhostNet has vaporized. The servers collecting data went offline with a day of the report's release. China officially denied any connection to the operation, and those responsible for running it have never been identified, Villeneuve said.

Subscribe to the Security Watch Newsletter

Comments