Two foreign embassies on Australian soil have allegedly been infected by an espionage botnet dubbed GhostNet, according to security researchers.
At the end of 10 months of research that started at the Office of the Dalai Lama in Tibet, researchers at Canadian public/private venture the Independent Warfare Monitor exposed the workings of the network, which they dubbed "GhostNet", over the weekend. It showed 1,295 infected hosts in 103 countries.
Two of the infected hosts were allegedly located in the German Embassy and the Maltese Embassy in Australia, although the researchers identified the computers via lists on control servers for the espionage network and they were not highly confident as to their true identity.
The German Embassy would not comment on the issue since it concerned security. No spokesperson for the Maltese Embassy was available. The Australian Security Intelligence Organisation (ASIO) would not give any comment.
There could potentially be more infected hosts in Australia, with those listed in the researchers' report only a sample of the infected hosts.
GhostNet gets infected computers to download a trojan, handing attackers complete real-time control of computers: even allowing them to operate attached devices including microphones and web cameras.
To spread the infection, emails are sent to specific targets with attached documents packed with exploit code and trojans, which use vulnerabilities on the target's computer to compromise it. Files on the compromised machine can then be mined for contact information, and further emails can be sent to spread the infection, this time from what appear to be legitimate sources.
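The lure pattern described above, a "document" attachment that actually carries executable content and arrives from a trusted-looking sender, is something a mail gateway can triage before the message reaches a user. The script below is an added example and not part of the original article or the researchers' report; the three messages it builds are constructed samples (the sender, recipient and file names are placeholders), and the checks it applies are the generic ones a defender would run: a declared document extension whose bytes start with a Windows executable header, a double extension such as `.pdf.exe`, and a plain executable attachment.

```python
"""Triage e-mail attachments for lures that disguise executables as documents.
Added example, not code from the original article; all messages below are
constructed samples, not artefacts from the espionage network it describes."""
import email
from email import policy
from email.message import EmailMessage

# Magic-byte signatures for the container formats a mail gateway most often sees.
MAGIC = {
    b"MZ": "pe-executable",                                   # Windows PE/EXE
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole2-document",     # legacy .doc/.xls/.ppt
    b"PK\x03\x04": "zip-container",                           # .docx/.xlsx/.pptx, .zip
    b"%PDF": "pdf",
}

# Extensions a recipient expects to be "just a document".
DOCUMENT_EXTENSIONS = {".doc", ".xls", ".ppt", ".docx", ".xlsx", ".pptx", ".pdf"}
# Extensions Windows will execute directly.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs"}


def sniff(data: bytes) -> str:
    """Classify an attachment by its leading bytes, ignoring its name."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def attachment_findings(raw: bytes) -> list:
    """Return (filename, finding) pairs for every suspicious attachment in a raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        ext = name[name.rfind("."):] if "." in name else ""
        stem = name[: name.rfind(".")] if "." in name else name
        payload = part.get_payload(decode=True) or b""
        kind = sniff(payload)
        # 1. Named like a document, but the bytes are a Windows executable.
        if ext in DOCUMENT_EXTENSIONS and kind == "pe-executable":
            findings.append((name, "executable-disguised-as-document"))
        # 2. Double extension: "agenda.pdf.exe" shown to the user as "agenda.pdf".
        if ext in EXECUTABLE_EXTENSIONS and any(stem.endswith(d) for d in DOCUMENT_EXTENSIONS):
            findings.append((name, "double-extension"))
        # 3. An outright executable attachment, whatever it is called.
        if ext in EXECUTABLE_EXTENSIONS and kind == "pe-executable":
            findings.append((name, "executable-attachment"))
    return findings


def build_sample(filename: str, body: bytes, maintype: str, subtype: str) -> bytes:
    """Construct a sample message with one attachment (placeholder addresses)."""
    m = EmailMessage()
    m["From"] = "colleague@example.org"   # constructed: the lure arrives from a known contact
    m["To"] = "analyst@example.org"       # constructed recipient
    m["Subject"] = "Meeting agenda"
    m.set_content("Please see the attached agenda.")
    m.add_attachment(body, maintype=maintype, subtype=subtype, filename=filename)
    return m.as_bytes()


# Constructed inputs: a genuine Office container, an executable renamed .doc,
# and an executable with a double extension. Bodies are header bytes plus padding.
SAMPLES = {
    "benign": build_sample("agenda.docx", b"PK\x03\x04" + b"\x00" * 16, "application",
                           "vnd.openxmlformats-officedocument.wordprocessingml.document"),
    "disguised": build_sample("agenda.doc", b"MZ\x90\x00" + b"\x00" * 16, "application", "msword"),
    "double": build_sample("agenda.pdf.exe", b"MZ\x90\x00" + b"\x00" * 16, "application", "octet-stream"),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, attachment_findings(raw))
```

The content check deliberately trusts neither the file name nor the declared MIME type, since both are chosen by the sender; only the leading bytes are used to decide what the attachment is. A gateway would normally follow a hit with quarantine and a notification to the recipient rather than silently dropping the message.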
"At the very least, it demonstrates the ease by which computer-based malware can be used to build a robust, low-cost intelligence capability and infect a network of potentially high-value targets," the report said.
The type of information such organisations had that those behind the espionage would find valuable were files and emails with contact information, lists of meetings and attendees, organisational budgets, and lists of visitors, the report said.
One alleged incident the researchers spelled out, showing how such information could be used, involved a young woman, a member of a Tibetan non-government organisation, who decided to return to her home village after two years of employment.
She was allegedly arrested at the Nepalese-Tibetan border and held for two months, where the researchers said she was interrogated by Chinese intelligence personnel about her employment. She denied being politically active, at which the intelligence officers allegedly pulled out a dossier with full transcripts of her internet chats over the years.
The earliest infected computer contacted the control server on 22 May 2007 and the most recent entry was 12 March 2009. Around a third of the computers were infected for over a year. The researchers believed the network to be still operational, according to the report.
Although the researchers said the system was being controlled from servers based almost exclusively in China (70 per cent), they would not point the finger at that nation, saying that alternative explanations were possible.
The identity behind the espionage didn't matter, according to the report. "Regardless of who or what is ultimately in control of GhostNet, its capabilities of exploitation and the strategic intelligence that can be harvested from it matter most," the researchers said. "We can safely hypothesise that it is neither the first nor the only one of its kind," they warned.