China on Tuesday denied suggestions it could be involved in a cyberespionage ring that attacked computers worldwide from servers mostly based in the country.
GhostNet, a network that affected 1,295 computers in more than 100 countries through malware and social engineering, was described in a study last weekend by the SecDev Group’s Information Warfare Monitor and the Munk Center for International Studies at the University of Toronto.
“Some people in foreign countries are keen to make up rumors about so-called Chinese Internet spies,” foreign ministry spokesman Qin Gang said at a briefing Tuesday. “Their statements are entirely fabricated.”
China opposes hacking and other attacks on computer networks, Qin said.
Attackers used GhostNet to steal documents from targets including international institutions and foreign ministries of other countries, according to the report. The attackers gained full access to affected computers, including control of attached microphones and Web cams that could have been used to monitor nearby activity.
The report drew attention to cybercrime in China at a time when observers say it is growing. GhostNet’s highly targeted attacks against foreign government networks are unique, but its scale is tiny and its malware code outdated compared to other recent attacks, analysts say.
A simple online search can reveal the source code for GhostNet’s unsophisticated malicious software, said Zhao Wei, CEO of Knownsec, a Beijing security firm. Much more advanced — and more common in China — are mass attacks with “zero days,” or previously unknown software bugs, Zhao said.
Sophisticated attacks can hit millions of computers. Researchers at Zhao’s firm found 4 million computers infected in a single day during one recent attack.
China had 298 million Internet users at the end of last year, the most in any country, according to the country’s domain registry center.
Bank accounts and online game passwords are popular targets for attackers in China. Items like armor and weapons stolen from game accounts are often sold back to other players for real-world cash.
The attackers can make themselves hard to catch by stealing small amounts from many different people, Zhao said. An attacker might, for example, break into a huge number of bank accounts but steal just 10 yuan (US$1.47) from each, an amount victims are unlikely to report. That makes collecting evidence difficult for police, as does the need for cooperation across districts if the attacker and victims are in different places, Zhao said.
China passed its first regulations protecting the public from cyber data theft last month. The revisions to the country’s criminal law ban digital theft of information from any computer, lowering the bar from old rules that banned intrusions into government-supported networks. The new law also prohibits designing programs to help attackers invade or gain control over other computers.
The law’s protection from data theft extends to overseas computers like those attacked by GhostNet, said Pi Yong, a law professor at Wuhan University.
But implementing the law could be difficult even in purely domestic cases. Chinese courts in remote areas may be unsure how to handle electronic evidence, Pi said.
China also remains a convenient routing point for attackers from other countries, who can hide their location by using a Chinese IP (Internet Protocol) address.
Registering a Chinese domain is cheap and hassle-free, giving attackers an easy way to spread malware, said Konstantin Sapronov, head of the Kaspersky virus lab in China.
Blocked domains are easily replaced, he said.
“If it will be blocked, it doesn’t matter. You can use another, and you can buy a lot of these,” he said.