# GhostNet



## George Wallace (6 Apr 2010)

This is old news, but hitting the MSM once again: 


Reproduced under the Fair Dealings provisions of the Copyright Act.

*Articles found April 6, 2010*

 Internet spy ring uncovered
06/04/2010 9:59:40 AM

*Canadian researchers have helped uncover an internet spy network that was used to steal data on India's missile systems, private correspondence of the Dalai Lama and Canadian visa applications.*

The discovery was made by security researchers at the University of Toronto's Citizen Lab who worked for eight months with the Ottawa-based think-tank SecDev Group and U.S. researchers from the Shadowserver Foundation.

The team describes its findings in a report called "Shadows in the Cloud: An investigation into cyber espionage 2.0," which was released Tuesday.

Ron Deibert, the Citizen Lab director, said researchers tracked the use of computer servers and discovered that someone had been stealing secret documents from the Indian government, the offices of the Dalai Lama, the United Nations and several other countries.

"Most of them are highly sensitive documents that have come from the Indian national security establishment," Deibert said, noting that some of the documents are marked "top secret" or "restricted."

"Some contain information that is definitely sensitive about troop movements and military procurement," he said.

Deibert said the researchers tracked servers used by the spies back to the city of Chengdu, China. But the authors of the report caution that there is "no evidence in this report of the involvement of the People's Republic of China or any other government in the shadow network." 

"But an important question to be entertained is whether the PRC will take action to shut the Shadow network down," the authors said.

No way to confirm identity

Given the anonymity of the internet, Deibert said there's no way for the researchers to confirm the identity of the attackers or what motivated the attacks.

However, since many of the attacks were directed at India's military secrets, Deibert believes the team has uncovered cyber-espionage.

A handful of Canadians were also victims.

When the cyber-spies hacked the Indian Embassy in Kabul's computers, they also stole confidential visa information on Canadians applying to travel from Kabul, Afghanistan, to New Delhi. Deibert said the network stole more than 700 documents.

"You are only as secure as your weakest link," he said.

Last March, researchers at the Citizen Lab released a report on a spy network they dubbed GhostNet. Researchers said it had infiltrated at least 1,295 computers, including 103 belonging to embassies, foreign ministries and other government offices around the world.

The GhostNet investigation began after members of the Tibetan exile community asked the authors to look into allegations that the Chinese were hacking into their computer systems.

The researchers eventually found a wider network of infected computers. In a report, researchers said three out of the four servers in the network were based in China while a fourth was in the United States.

China's government dismissed the GhostNet report, saying it was full of "lies" designed to hurt the country's image abroad.


----------



## George Wallace (6 Apr 2010)

It seems some PC activity is taking place and the above article has now changed slightly: 


Reproduced under the Fair Dealings provisions of the Copyright Act.

 Hackers not linked to Chinese government: researcher
06/04/2010 1:58:37 PM


*Chinese-based hackers who stole data on India's missile systems, private correspondence of the Dalai Lama and Canadian visa applications appear not to be linked to the Chinese government, according to Canadian researchers who uncovered the internet spy network.*

"I don't doubt that some of the sensitive information that was acquired might eventually find its way to elements within the Chinese government that may find it useful," said Nart Villeneuve, one of the University of Toronto researchers who took part in the investigation that uncovered the hackers. 

"But I don't think that there's any direct connection between the attackers and the government, at least at this time."

Villeneuve said it's "very unclear what the relationship is between any of these particular hacking groups and any specific element of the Chinese government."

He said that so far, no hard evidence has been uncovered that links the attacks to the Chinese government. He also pointed out that the hacking community is not monolithic.

"There are a lot of different groups with membership that focus on different types of activities," Villeneuve said.

He added: "In fact, we have had very healthy co-operation with the Chinese CERT (Computer Emergency Response Team), who are actively working to understand what we've uncovered. It's been a very encouraging development for us."

The discovery was made by security researchers at the University of Toronto's Citizen Lab who worked for eight months with the Ottawa-based think-tank SecDev Group and U.S. researchers from the Shadowserver Foundation.

The team describes its findings in a report called Shadows in the Cloud: An investigation into Cyber Espionage 2.0, which was released Tuesday.

Ron Deibert, the Citizen Lab director, said researchers tracked the use of computer servers and discovered that someone had been stealing secret documents from the Indian government, the offices of the Dalai Lama, the United Nations and several other countries.

"Most of them are highly sensitive documents that have come from the Indian national security establishment," Deibert said, noting that some of the documents are marked "top secret" or "restricted."

"Some contain information that is definitely sensitive about troop movements and military procurement," he said.

Deibert said the researchers tracked servers used by the spies back to the city of Chengdu, China.

Villeneuve said there has been a growing trend that blurs the boundaries between cyber crime and cyber espionage as criminal networks are increasingly stealing sensitive information in addition to the typical things like credit card numbers and bank account numbers.

"In this particular case, the attackers disproportionately took sensitive information, but they also took financial information and personal information. They were somewhat indiscriminate in terms of the information that they stole from the compromised computers," he said.

A handful of Canadians were also victims.

When the cyber-spies hacked the Indian Embassy in Kabul's computers, they also stole confidential visa information on Canadians applying to travel from Kabul, Afghanistan, to New Delhi. Deibert said the network stole more than 700 documents.

Last March, researchers at the Citizen Lab released a report on a spy network they dubbed GhostNet. Researchers said it had infiltrated at least 1,295 computers, including 103 belonging to embassies, foreign ministries and other government offices around the world.

The GhostNet investigation began after members of the Tibetan exile community asked the authors to look into allegations that the Chinese were hacking into their computer systems.

The researchers eventually found a wider network of infected computers. In a report, researchers said three out of the four servers in the network were based in China while a fourth was in the United States.

China's government dismissed the GhostNet report, saying it was full of "lies" designed to hurt the country's image abroad.


----------



## George Wallace (6 Apr 2010)

Those two previous posts were from CBC, and we can see how the article changed over the passage of a few hours.  Below is from the CTV site:


Reproduced under the Fair Dealings provisions of the Copyright Act.

 Canadians help ID China-based cyber spy ring
06/04/2010 12:41:56 PM

CTV.ca News Staff 
*Canadian and U.S. researchers say a group of China-based hackers have managed to pilfer sensitive computer data from an array of worldwide targets, including from the offices of the Dalai Lama and the United Nations.*

The researchers from the University of Toronto, the Ottawa-based SecDev security group and the U.S.-based Shadowserver Foundation, say the hackers are based in the city of Chengdu, in the southwestern Chinese province of Sichuan. 

Having recovered copies of stolen documents, the researchers say the hackers have managed to steal classified information in some cases, demonstrating their capability to reach into the computers of major governments and organizations. 

In addition to stealing data held by the UN and the Office of the Dalai Lama, the attackers also infiltrated the cyber networks of the national security wing of the Indian government. Some of the data taken from the Indian government involved information that Canadian visa applicants had provided. 

The hackers used many routine online programs and websites, including e-mail programs and Twitter, to gain the information they were seeking. By developing a network that leveraged social networking websites, webmail providers and other online services, the researchers say the attackers issued commands through these portals to compromised machines to steal the data they were interested in. 

Ronald Deibert, of the Munk Centre of International Studies at the University of Toronto, said computer users in developing countries -- citing both the Office of the Dalai Lama and Indian government as examples -- may be put at increasing risk of espionage as more and more users make use of new online products and technologies. 

"There has been, I think, a rush to embrace new information and communication technologies around the world -- especially in developing countries -- without corresponding attention to security," Deibert said at a news conference on Tuesday morning. 

Deibert said many governments and organizations have not fully considered the "risks and vulnerabilities of this radical transparency and radical network environment" that exists today. 

As a result, many governments and organizations in the developing world "find themselves in a challenging situation to deal with the new security vulnerabilities as they arrive." 

Using some of the fingerprints the hackers left on the web, the U.S. and Canadian researchers were able to pinpoint the origin of the attacks to a location in Chengdu. But they are not sure to what degree -- if any -- the Chinese government approves of such activities taking place within their country. 

"The relationship between the Chinese state and the hacker community is very unclear," Nart Villeneuve, the lead technical investigator on the project, said at the same news conference where Deibert was speaking. 

Pointing to the fact that the group "did not find any hard evidence" linking Beijing to the attacks being studied, Villeneuve said it is still possible that the Chinese government could be interested in obtaining the information retrieved through the attacks. 

"I don't doubt that some of the sensitive information that was acquired, might find its way to elements within the Chinese government that may find it useful, but I don't think there is any direct connection between the attackers and the government, at least at this time," he said. 

China has been identified in separate reports as the country where attacks on Google and other countries have also originated. 

In Beijing, the Chinese government remains defensive about such allegations. 

"We have from time to time heard this kind of news. I don't know the purpose of stirring up these issues," said Foreign Ministry spokeswoman Jiang Yu. 

"We are firmly opposed to various kinds of hacking activities through the Internet." 

The Canadian and U.S. researchers detail their findings in a new report entitled: "Shadows in the Cloud: Investigating Cyber Espionage 2.0." It was released Tuesday, when it was released online and covered in various media reports, including mention in the New York Times and Toronto Star. 

Deibert suggests the report should be a wake-up call to governments that are too complacent about their risks in the current online world. 

It's the same story in Canada, which Deibert told the press conference is a country that is also at risk. 

"For its part, the Canadian government has neither a domestic cybersecurity strategy nor a foreign policy for cyberspace," Deibert said. 

"The Shadow report should offer a wake-up call that rectifies this situation, or we may find that we are the next victim of the Shadows and GhostNets of cyberspace," he said, alluding to the names of two major hacker networks his group has researched. 

With files from The Canadian Press and The Associated Press


----------

