天外飞砖 2009-03-31 01:24:28
Canada unmasks Chinese spy network
http://www.neowin.net/news/main/09/03/30/canada-unmasks-chinese-spy-network

by Mitchell LeBlanc


Researchers at the University of Toronto traced pieces of malicious code found on more than 1,200 computers worldwide and discovered that it originated from China.

The Globe and Mail reported that the software had tapped into top secret documents from governments in 103 countries. Most troubling was the discovery of said software on the computers of Tibetan exiles, leading to the presumption that a goal of this spy campaign was to acquire information regarding the Dalai Lama.

The spy network, dubbed "GhostNet," was uncovered by Canadian researchers at the Munk Institute for International Studies at the University of Toronto.

The researchers have notified international intelligence agencies and it is presumed that further investigation is being undertaken.

The Canadian researcher responsible, a Mr. Villeneuve, was sifting through approximately 1GB of indiscernible characters when he decided to paste them into Google. Upon doing so, it is reported that such action led him to one of the machines responsible for the malicious code. Upon changing a character within the code, he stumbled upon another server, in another country and so on and so forth.

The publication of the research paper can be found on Scribd.

The Chinese government has stated that it is as much against cyber-terrorism as everyone else, and has not sanctioned any such operations.


========================================================
http://www.theglobeandmail.com/servlet/story/RTGAM.20090328.wspy0328/BNStory/Technology/

The Canadian Press

March 29, 2009 at 8:29 AM EDT

TORONTO — A cyber spy network based mainly in China has tapped into classified documents from government and private organizations in 103 countries, including the computers of Tibetan exiles, Canadian researchers said Saturday.

The work of the Information Warfare Monitor initially focused on allegations of Chinese cyber espionage against the Tibetan community in exile, especially the Dalai Lama, who is frequently denounced by Chinese officials.

The research eventually led to a much wider network of compromised machines, the Internet-based research group said.

Information Warfare Monitor is a joint effort of the SecDev Group in Ottawa and the Citizen Lab at the University of Toronto.

The group said in a news release Sunday that investigators conducted field research in India, Europe and North America, including in the private office of the Dalai Lama, the Tibetan government-in-exile and several Tibetan NGOs.

Investigator Greg Walton said: "We uncovered real-time evidence of malware that had penetrated Tibetan computer systems, extracting sensitive documents from the private office of the Dalai Lama."

During the second phase of the investigation, the data led to the discovery of insecure, web-based interfaces to four control servers. The interfaces allow attackers to send instructions to and receive data from compromised computers.

"What we found is not so much unprecedented in scope and sophistication," said Nart Villeneuve, a senior IWM analyst.

"But the relatively small size of the network and concentration of high-value targets is significant. It does not fit the profile for a typical cyber crime network."

Principal investigators Ron Deibert and Rafal Rohozinski said: "This report serves as a wake-up call."

"At the very least, the large percentage of high-value targets compromised by this network demonstrates the relative ease with which a technically unsophisticated approach can quickly be harnessed to create a very effective spynet."

The compromised computers included, among many others, the ministry of foreign affairs of Iran; the embassies of India, South Korea, Indonesia, Thailand, Taiwan, Portugal, Germany and Pakistan; the ASEAN Secretariat; the Asian Development Bank; news organizations and an unclassified computer located at NATO headquarters.

The research group said while its analysis points to China as the main source of the network, it has not conclusively been able to detect the exact identity or motivation of the hackers.

A spokesman for the Chinese Consulate in New York dismissed the idea that China was involved.

The researchers said they have notified international law-enforcement agencies of the spying operation.

The F.B.I. declined comment on the operation.

The full report of the investigation, entitled "Tracking GhostNet: Investigating a Cyber Espionage Network," was released online Sunday.