Thursday, April 15, 2010

Citizen Lab describes "Espionage 2.0" around GhostNet Investigation

Update: April 20, 2010
I've been in a bit of a bubble on this story, working only from original sources. The New York Times published a nice piece on April 5th, 2010: "Researchers Trace Data Theft to Intruders in China", by John Markoff and David Barboza.


"Espionage 2.0"

Two days after I published an opinion piece on cyber security issues - "BotNets: Sophisticated attacks likely Corporate, Government Espionage" (April 4th 2010) - the "Information Warfare Monitor" released a major research report - SHADOWS IN THE CLOUD: Investigating Cyber Espionage 2.0 - an overview of the characteristics of the cyber espionage network they call the "Shadow network", a follow-up to the "GhostNet" network they documented in their 2009 report.

Espionage 2.0. I like that - explains it perfectly.

(The report) "..is the product of an eight month, collaborative activity between the Information Warfare Monitor (Citizen Lab and SecDev) and the Shadowserver Foundation."



The people who contributed to the research (from Shadows in the Cloud):

"Steven Adair is a security researcher with the Shadowserver Foundation. He frequently analyzes malware, tracks botnets, and deals with cyber attacks of all kinds with a special emphasis on those linked to cyber espionage.

"Ron Deibert is Director of the Citizen Lab at the Munk School of Global Affairs, University of Toronto. He is a co-founder and principal investigator of the OpenNet Initiative and Information Warfare Monitor. He is Vice President, Policy and Outreach, Psiphon Inc., and a principal with the SecDev Group.

"Rafal Rohozinski is CEO of the SecDev Group and Psiphon Inc. He is a co-founder and principal investigator of the OpenNet Initiative and Information Warfare Monitor, and a senior research advisor at the Citizen Lab, Munk School of Global Affairs, University of Toronto.

"Nart Villeneuve is the Chief Security Officer at the SecDev Group, Director of Operations of Psiphon Inc. and a senior SecDev research fellow at the Citizen Lab at the Munk School of Global Affairs, University of Toronto where he focuses on electronic surveillance, targeted malware and politically motivated digital attacks.

"Greg Walton conducted and coordinated the primary field-based research for the Shadow investigation in His Holiness the Dalai Lama’s Office and the Tibetan Government-in-Exile in Dharamsala, India. Greg is a SecDev Group associate and editor of the Information Warfare Monitor website. He is the SecDev Fellow at the Citizen Lab at the Munk School of Global Affairs, University of Toronto."

In my earlier piece I asked why a source quoted in an article by Brian Krebs, "Cyber Attacks Target Pro-Tibet Groups" (Washington Post, 2008/03/21), chose to remain anonymous. Between the lines I surmised the source might be working for China's enemies and was spreading disinformation. Greg Walton was apparently that source. He must have chosen to remain anonymous because the investigation was not complete.

It turns out many in the mass media automatically implied or outright stated that GhostNet was a Chinese government operation. I saw this in almost all the coverage of this story, and it's understandable; a journalist's first question is usually "Who benefits?" The obvious answer in this case was the Chinese - but I thought it was very important to have proof before saying, or implying, it. To mislead the public and the media in these highly organized professional espionage operations, 'false flags' are placed, because the operators know what the first question asked will be.

Ron Deibert, Director of the Citizen Lab at the Munk School of Global Affairs, University of Toronto, is careful when he writes in the foreword to 'Shadows...':
"We have no evidence in this report of the involvement of the People’s Republic of China (PRC) or any other government in the Shadow network. But an important question to be entertained is whether the PRC will take action to shut the Shadow network down."


An Overview

From the introduction:

"Shadows in the Cloud documents a complex ecosystem of cyber espionage that systematically compromised government, business, academic, and other computer network systems in India, the Offices of the Dalai Lama, the United Nations, and several other countries."


The following is the synopsis from the report.

Summary of Main Findings

Complex cyber espionage network - Documented evidence of a cyber espionage network that compromised government, business, and academic computer systems in India, the Office of the Dalai Lama, and the United Nations. Numerous other institutions, including the Embassy of Pakistan in the United States, were also compromised. Some of these institutions can be positively identified, while others cannot.

Theft of classified and sensitive documents - Recovery and analysis of exfiltrated data, including one document that appears to be encrypted diplomatic correspondence, two documents marked “SECRET”, six as “RESTRICTED”, and five as “CONFIDENTIAL”. These documents are identified as belonging to the Indian government. However, we do not have direct evidence that they were stolen from Indian government computers and they may have been compromised as a result of being copied onto personal computers. The recovered documents also include 1,500 letters sent from the Dalai Lama’s office between January and November 2009. The profile of documents recovered suggests that the attackers targeted specific systems and profiles of users.

Evidence of collateral compromise - A portion of the recovered data included visa applications submitted to Indian diplomatic missions in Afghanistan. This data was voluntarily provided to the Indian missions by nationals of 13 countries as part of the regular visa application process. In a context like Afghanistan, this finding points to the complex nature of the information security challenge where risks to individuals (or operational security) can occur as a result of a data compromise on secure systems operated by trusted partners.

Command-and-control infrastructure that leverages cloud-based social media services - Documentation of a complex and tiered command and control infrastructure, designed to maintain persistence. The infrastructure made use of freely available social media systems that include Twitter, Google Groups, Blogspot, Baidu Blogs, blog.com and Yahoo! Mail. This top layer directed compromised computers to accounts on free web hosting services, and as the free hosting servers were disabled, to a stable core of command and control servers located in the PRC.

Links to Chinese hacking community - Evidence of links between the Shadow network and two individuals living in Chengdu, PRC to the underground hacking community in the PRC.
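The tiered command-and-control layout in the finding above hides the first hop among ordinary traffic to Twitter, Google Groups, Blogspot and similar services, so a domain blocklist will not catch it; what does stand out is behaviour: an implant polls its top-layer page on a fixed schedule and, once pointed onward, contacts a second-tier host seconds later. The script below is an added example, not code from the Shadows in the Cloud report or its authors: it reads constructed proxy log lines (the log format, IP addresses, paths and hostnames are invented for illustration), flags client/URL pairs whose request intervals are too regular to be human browsing, and lists the hosts a flagged client contacted right after each poll as candidate second-tier servers.

```python
"""Beacon detection over proxy logs, as an added illustration of how a
social-media-fronted C2 tier shows up in traffic. Not from the report.
Log lines, addresses and hostnames below are constructed sample data."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
from urllib.parse import urlsplit

# Constructed sample log: "<ISO timestamp> <client_ip> <method> <url> <status>"
# 10.1.1.7 polls a group feed every ~10 minutes, then POSTs to a free host.
# 10.1.1.9 reads the same feed at irregular, human-looking intervals.
SAMPLE_LOG = """\
2010-04-06T09:00:00 10.1.1.7 GET http://groups.google.com/group/example-group/feed 200
2010-04-06T09:10:02 10.1.1.7 GET http://groups.google.com/group/example-group/feed 200
2010-04-06T09:19:58 10.1.1.7 GET http://groups.google.com/group/example-group/feed 200
2010-04-06T09:30:01 10.1.1.7 GET http://groups.google.com/group/example-group/feed 200
2010-04-06T09:40:00 10.1.1.7 GET http://groups.google.com/group/example-group/feed 200
2010-04-06T09:40:03 10.1.1.7 POST http://example.freehost.example/upload.php 200
2010-04-06T09:03:11 10.1.1.9 GET http://www.google.com/search?q=weather 200
2010-04-06T09:04:40 10.1.1.9 GET http://news.example.com/ 200
2010-04-06T09:41:17 10.1.1.9 GET http://groups.google.com/group/example-group/feed 200
2010-04-06T10:05:00 10.1.1.9 GET http://groups.google.com/group/example-group/feed 200
2010-04-06T11:02:05 10.1.1.9 GET http://groups.google.com/group/example-group/feed 200
2010-04-06T11:09:30 10.1.1.9 GET http://groups.google.com/group/example-group/feed 200
"""


def parse_log(text):
    """Parse the constructed log format into dicts sorted by timestamp."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, method, url, status = line.split()
        parts = urlsplit(url)
        records.append({
            "ts": datetime.fromisoformat(ts),
            "client": client,
            "method": method,
            "host": parts.hostname,
            "path": parts.path,
            "status": int(status),
        })
    records.sort(key=lambda r: r["ts"])
    return records


def find_beacons(records, min_requests=4, max_cv=0.05):
    """Flag (client, host, path) triples whose inter-request gaps have a
    coefficient of variation below max_cv: machine-regular polling.
    Thresholds are assumptions for this example and need tuning per site."""
    by_key = defaultdict(list)
    for r in records:
        by_key[(r["client"], r["host"], r["path"])].append(r["ts"])
    findings = []
    for (client, host, path), stamps in by_key.items():
        if len(stamps) < min_requests:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            findings.append({"client": client, "host": host, "path": path,
                             "count": len(stamps), "mean_gap_s": avg, "cv": cv})
    return findings


def next_hops(records, beacons, follow_window_s=30):
    """For each beaconing client, hosts it contacted within follow_window_s
    after a poll, other than the polled host: candidate second-tier C2."""
    beacon_keys = {(b["client"], b["host"], b["path"]) for b in beacons}
    polls = defaultdict(list)
    for r in records:
        if (r["client"], r["host"], r["path"]) in beacon_keys:
            polls[r["client"]].append((r["ts"], r["host"]))
    hops = set()
    for r in records:
        for poll_ts, poll_host in polls.get(r["client"], []):
            delta = (r["ts"] - poll_ts).total_seconds()
            if 0 < delta <= follow_window_s and r["host"] != poll_host:
                hops.add((r["client"], r["host"]))
    return sorted(hops)


def analyze(text):
    """Run both checks and return (beacons, next_hop_candidates)."""
    records = parse_log(text)
    beacons = find_beacons(records)
    return beacons, next_hops(records, beacons)


if __name__ == "__main__":
    found, hops = analyze(SAMPLE_LOG)
    for f in found:
        print("beacon: %(client)s -> %(host)s%(path)s every %(mean_gap_s).0fs "
              "(%(count)d requests, cv=%(cv).3f)" % f)
    for client, host in hops:
        print("next-hop candidate: %s -> %s" % (client, host))
```

On the sample data only 10.1.1.7 is flagged (a 600-second poll with almost no jitter), and its POST to the free-hosting name three seconds after a poll surfaces as the next-hop candidate; 10.1.1.9 fetches the same page but irregularly and is left alone. Treat the output as a triage lead, not a verdict: RSS readers and auto-refreshing pages also poll on a schedule, so the fetched content and the second-tier host still need to be examined before anything is declared an implant.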

My point in publishing these articles in FilterBlogs is to make people aware that powerful entities are threatening their Internet civil rights - rights that are in the process of being defined through legal precedent in courts of law. Using sophisticated tools to access information on the web that they are not legally entitled to see, governments, corporations and powerful organized crime syndicates are undermining the very rule of law that is in place, in part, to define what our rights will be.

As it looks like this particular GhostNet botnet is a product of the Chinese government (we shall see whether they do anything to dismantle it, in keeping with their obligations under international agreements), be assured that other governments are there too. The United States is the undisputed leader in computing technology globally, perhaps two generations ahead of where the Chinese are; better-cloaked botnets than GhostNet are undoubtedly operating in cyberspace, deployed by both governments and private entities.


Links:

From the Citizen Lab web site, posted on the 6th of April, 2010: "New IWM Report: Shadows in the Cloud" (links to the news conference, three interviews at CBC, and the report).


Here's an embed of the report in its entirety, via Scribd, the document-sharing service:
SHADOWS IN THE CLOUD: Investigating Cyber Espionage 2.0



To get a PDF copy for yourself, go to Scribd.com, sign up (it's free), then go to "SHADOWS-IN-THE-CLOUD-Investigating-Cyber-Espionage-2-0" and click the download button at the top-left of the page.



mh
