Canadian researchers say they have uncovered a global cyberspy network that snoops into government computers and is based mainly in China. The researchers say they have no evidence Beijing is behind the ring, and authorities have denied it too, but their report is bound to stir up old suspicions, especially as it was prompted by a request from the Dalai Lama to check whether the computers of his exiled organization had been hacked.
The subsequent 10-month investigation by Information Warfare Monitor, which comprises researchers from Ottawa-based think tank SecDev Group and the University of Toronto’s Munk Centre for International Studies, found that 1,295 computers in 103 countries had been infiltrated, including machines in the foreign ministries of eight countries and various embassies of 11 more. The cyberattacks were mainly against Asian governments. Computers of international organizations, non-government organizations and news media were also hacked, the researchers say.
The cyberspies were able to take control of compromised computers and to send and receive classified data from them, creating a surveillance system the researchers dubbed GhostNet, after the gh0st RAT trojan horse malware that was used, and which they traced back to commercial internet access accounts located on Hainan Island.
From the IWM report:
While our analysis reveals that numerous politically sensitive and high value computer systems were compromised in ways that circumstantially point to China as the culprit, we do not know the exact motivation or the identity of the attacker(s), or how to accurately characterize this network of infections as a whole. One of the characteristics of cyber-attacks of the sort we document here is the ease by which attribution can be obscured.
Regardless of who or what is ultimately in control of GhostNet, it is the capabilities of exploitation, and the strategic intelligence that can be harvested from it, which matters most. Indeed, although the Achilles’ heel of the GhostNet system allowed us to monitor and document its far-reaching network of infiltration, we can safely hypothesize that it is neither the first nor the only one of its kind.