Researchers expose complex cyber espionage network

Summary: A newly released report, "Shadows in the Cloud", details the inner workings of a complex cyber espionage network that was systematically stealing sensitive documents and correspondence from the Indian government, the United Nations, as well as the Dalai Lama's offices.


Security researchers from the Information Warfare Monitor (Citizen Lab and SecDev) and the ShadowServer Foundation have released the findings of their eight-month investigation, “Shadows in the Cloud”, detailing the inner workings of a complex cyber espionage network that was systematically stealing sensitive documents and correspondence from the Indian government, the United Nations, as well as the Dalai Lama's offices, from January to November 2009.

More details on attack vectors used, the command and control infrastructure, and the victim analysis based on the recovered documents, some of which are marked as SECRET, RESTRICTED and CONFIDENTIAL:

  • Shadows in the Cloud documents a complex ecosystem of cyber espionage that systematically compromised government, business, academic, and other computer network systems in India, the Offices of the Dalai Lama, the United Nations, and several other countries. The report also contains an analysis of data which were stolen from politically sensitive targets and recovered during the course of the investigation. These include documents from the Offices of the Dalai Lama and agencies of the Indian national security establishment. Recovery and analysis of exfiltrated data, including one document that appears to be encrypted diplomatic correspondence, two documents marked “SECRET”, six as “RESTRICTED”, and five as “CONFIDENTIAL”. These documents are identified as belonging to the Indian government. However, we do not have direct evidence that they were stolen from Indian government computers and they may have been compromised as a result of being copied onto personal computers. The recovered documents also include 1,500 letters sent from the Dalai Lama’s office between January and November 2009. The profile of documents recovered suggests that the attackers targeted specific systems and profiles of users.

Like the majority of targeted malware attacks, this one also relied on client-side exploits (Report: Malicious PDF files comprised 80 percent of all exploits for 2009), served through different file types (PDF, PPT, DOC) themed around topics of interest to the Indian and Tibetan communities, which were then spamvertised to the victims of interest.

What's particularly interesting about the network facilitating this cyber espionage is its mix of legitimate and purely malicious infrastructure, used not only to extend the life cycle of the campaign, but also to make it harder for network administrators to detect the malicious use of popular free email service providers and social networks.

According to the report:

  • During our investigation we found that such intermediaries included Twitter, Google Groups, Blogspot, Baidu Blogs, and The attackers also used Yahoo! Mail accounts as a command and control component in order to send new malicious binaries to compromised computers. In total, we found three Twitter accounts, five Yahoo! Mail accounts, twelve Google Groups, eight Blogspot blogs, nine Baidu blogs, one Google Sites and sixteen blogs on that were being used as part of the attacker’s infrastructure. The attackers simply created accounts on these services and used them as a mechanism to update compromised computers with new command and control server information.

The practice of blending legitimate infrastructure into the malicious mix is nothing new. In fact, throughout 2009 cybercriminals continued to demonstrate their interest in abusing legitimate services such as Twitter, Google Groups and Facebook as command and control servers, as well as Amazon’s EC2 as a backend.
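As an added defensive example (not from the report or this article), the Python script below flags hosts in a constructed proxy log that poll one of the intermediary services named above at machine-regular intervals, which is the traffic pattern a compromised machine produces when it repeatedly checks a Twitter account, Google Group or blog for updated command and control information. The hostnames in INTERMEDIARIES, the log format and the sample addresses are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
from urllib.parse import urlparse

# Intermediary services named in the report (hostnames assumed for this example).
INTERMEDIARIES = ("twitter.com", "groups.google.com", "blogspot.com",
                  "hi.baidu.com", "mail.yahoo.com")

# Constructed proxy log for this example: "<ISO timestamp> <client-ip> <url>".
# 10.1.1.20 polls one Twitter account every 30 minutes; 10.1.1.31 browses normally.
SAMPLE_LOG = """\
2009-09-01T08:00:00 10.1.1.20 http://twitter.com/someaccount
2009-09-01T08:30:01 10.1.1.20 http://twitter.com/someaccount
2009-09-01T09:00:00 10.1.1.20 http://twitter.com/someaccount
2009-09-01T09:29:59 10.1.1.20 http://twitter.com/someaccount
2009-09-01T10:00:01 10.1.1.20 http://twitter.com/someaccount
2009-09-01T08:03:10 10.1.1.31 http://twitter.com/news
2009-09-01T08:04:55 10.1.1.31 http://groups.google.com/group/x
2009-09-01T12:41:02 10.1.1.31 http://twitter.com/news
2009-09-01T15:10:30 10.1.1.31 http://twitter.com/news
2009-09-01T08:05:00 10.1.1.40 http://example.org/
"""

def is_intermediary(host):
    return any(host == s or host.endswith("." + s) for s in INTERMEDIARIES)

def parse_log(text):
    """Group request timestamps per (client, host), keeping intermediary services only."""
    events = defaultdict(list)
    for line in text.splitlines():
        ts, client, url = line.split(maxsplit=2)
        host = urlparse(url).hostname or ""
        if is_intermediary(host):
            events[(client, host)].append(datetime.fromisoformat(ts))
    return events

def find_beacons(events, min_hits=4, max_jitter=0.05):
    """Flag series whose inter-request gaps are near-constant (coefficient of
    variation below max_jitter): human browsing is bursty, update polling is not."""
    hits = []
    for (client, host), times in events.items():
        if len(times) < min_hits:
            continue
        times = sorted(times)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg < max_jitter:
            hits.append((client, host, round(avg)))
    return hits
```

Running `find_beacons(parse_log(SAMPLE_LOG))` returns only the 30-minute Twitter poller; in practice the same check is applied to a whole day of proxy logs, with the interval and jitter thresholds tuned to the environment.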

Moreover, although the report understandably emphasizes the actual attack vectors used in this particular cyber espionage network, another attack vector has been trending over the past few years, with cyber espionage potential identical to that of targeted attacks in general.

The attack vector in question is the embassy web site serving client-side exploits; the following international embassies have served malware to their visitors over the past few years, as examples of the trend:

Who visits the web site of a particular embassy, apart from people looking for information? The embassy staff itself, as well as other high-profile visitors. Therefore a compromised embassy web site, which may in fact be the weakest link when it is insecure and open to exploitation (compared to a targeted attack that fails), could be purposely used as an attack vector for a particular cyber espionage campaign.

The lines between cybercrime and cyber espionage keep getting thinner, with today's financially motivated cybercriminals in the best position to become tomorrow's information brokers of stolen high-value data, or, even worse, to set up the foundations for cyber-espionage-as-a-service propositions.

Dancho Danchev

About Dancho Danchev

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response.

  • Total compromised computers: 44!?


    This must surely be the biggest cyber-espionage operation [i]of all time[/i]!
    • It's not about the numbers

      It's about the placement, maintaining access, and the information accessible from the compromised computers that matters.

      A hacker only needs 1 computer inside an organisation's network.

      Espionage is not like bot herding/leasing or spamming.

      The idea is to keep a low profile, go undetected for as long as possible, and gather as much information as possible. It could be argued that 44 was too many computers, and the reason they were discovered.

      As Dancho says, it's an interesting development/transition in terms of cyber crime/espionage.
      • It's not about the numbers

        This is exactly correct. Someone got greedy. Some N.U.G. or newbie made a mistake in hacking or cracking. iTeaBoy understands this. I hope everyone else catches on!!!
    • RE: Total compromised computers: 44!?

      Quality of the infected hosts, over the quantity of the infected hosts, with evidence of cyber espionage done against the victims in this campaign.

      In fact, one PC per high profile victim would have achieved a similar effect.
      • RE: Quality of the infected hosts, over the quantity of the infected hosts

        Oops, there goes the whole argument of "Windows only gets hacked more
        because there are tons of little desktops running it all over the place".
        • Errrr... No!

          If your intention is to infect/own as many devices as possible you would obviously target the biggest market.

          If your intention is to steal specific information you identify a few targets, sneak in as quietly and low key as you can, and get as much information as you can without being detected.

          Two very different goals with two very different methods.
          • Replace "specific information" with "huge bandwidth and processing power";)
        • Quality of the infected hosts, over the quantity of the infected hosts

          Really? Seriously? You are a newbie. Arrrrgh! You need to read more!!! You are missing the whole point. You are in the forest, but you can't see it for all of the trees!!!!
          • Good points. That was very logical and informative.
  • Okay, seriously..

    ..if you're going to delete the comment I'm replying to, delete my reply too. :(
  • Thanks, Adobe!

    Of course, the article conveniently neglects to mention that US agents use similar methods, but hey, they are the good guys, right?
    terry flores
    • Trust me, they'd be doing more if they could

      only the Feds are running ever lower on funds as they squeeze us for every conceivable nickel we're worth in this crash n burn economy. Problem is, the tax paying sheeple have fewer funds to hand over than ever.

      So many surveillance projects, so few funds... pfffft.
      • Maybe they'd have enough money if they spent it on..

        ..going after bad guys, instead of people who choose to eat harmless plants.
        • You and your harmless plants

          Only you have a point, more so when it comes to [b]priorities[/b]. How did that all go wrong in this country?
        • Is this driftwood time or what...

          [i]..going after bad guys, instead of people who choose to eat harmless plants.[/i]

          One can only imagine what you're 'eating...'

          lol... :D
          still not nice
          • In U.S., a supposedly Christian country, plants created for man by God are

            a higher priority for extermination than murderers.
          • Well

            The United States may be predominantly Christian, and a lot of our laws may be based on the Bible, but not all of them are.

            By the way, try not to let that troll get to you.
            He acts similarly to everyone.
          • Too late

            I already got his mom.

            lol... :D

            [i]By the way, try not to let that troll get to you. He acts similarly to everyone.[/i]
            still not nice
  • China
    So, who do you think could be behind it?
    • re: China
      So, who do you think could be behind it?

      the guys selling the shoes in the previous two posts, of course!