Canadian research uncovers cyber espionage network
Malware-spreading computers based mainly in China
Last Updated: Sunday, March 29, 2009 | 10:03 AM ET
CBC News
Canadian researchers have uncovered an internet spy network, based mostly in China, that has hacked into computers owned by governments and private organizations in 103 countries.
The findings released Sunday follow a 10-month investigation by researchers from the Ottawa-based think tank SecDev Group and the Munk Centre for International Studies at the University of Toronto.
The group was initially asked to look into allegations that the Chinese were hacking into computers set up by the Tibetan exile community, but their work eventually led them to a much wider network of compromised computers.
Once the hackers infiltrated the systems, they installed malware — software that sends and receives data. By doing this, they were able to gain control of the electronic mail server computers of the Dalai Lama’s organization, the group said.
The researchers said the spy network, dubbed GhostNet, infiltrated at least 1,295 computers, many belonging to embassies, foreign ministries and other government offices, as well as the Dalai Lama’s Tibetan exile centres in India, Brussels, London and New York.
Embassies, foreign affairs ministries targeted
"Significantly, close to 30 per cent of the infected computers can be considered high-value and include the ministries of foreign affairs in Iran, Bangladesh, Latvia, Indonesia, Philippines, Brunei, Barbados and Bhutan," the researchers said.
Other compromised computers were discovered at embassies of India, South Korea, Indonesia, Romania, Cyprus, Malta, Thailand, Taiwan, Portugal, Germany and Pakistan.
The list continues with the network infiltrating economic organizations in Southeast Asia, news organizations, and an unclassified computer located at NATO headquarters.
Although almost all the hackers were based in China, the researchers could not say whether they are working for the government.
A spokesman for the Chinese consulate in New York dismissed the idea that China was involved.
The spokesman, Wenqi Gao, told The New York Times these are "old stories" and "nonsense."
A 'wakeup call' for international community
"This is a wakeup call for the international community," said Rafal Rohozinski of SecDev Group, who is one of the principal authors of the report. "At the moment there is no clear legal framework for how you deal with a spy network."
Rohozinski said three out of the four servers in the network are based in China and one is in the United States, complicating any efforts to launch a criminal investigation.
"It's all a question of jurisdiction. Obviously the Chinese government would have a capability — a legal jurisdiction — to investigate the servers located on their territory. But that is ultimately up to them," he told CBC News.
"Certainly in the States — because one of the control servers happens to be located there — we fully expect the DHS [Department of Homeland Security] or the FBI will be investigating," Rohozinski said.
One of several infections that have been installed gives the hacker full control over the compromised computer, giving the culprit the ability to look at all files, including emails.
"They can surreptitiously turn on the [computer's] microphone or the video camera and record you. And moreover, because what we found is a trojan which at this moment is undetectable by exisiting firewalls or virus technologies, it can essentially do a data infinitum.
"In fact, some of the computers on this network have been lit up — meaning they have been compromised — for over 400 days," Rohozinski said.
