Massive Chinese spynet targeted Dalai Lama

It all started with the Dalai Lama. The Tibetan leader's offices in India, Brussels, London and New York asked the researchers to examane its computers for malware.
Written by Richard Koman, Contributor

It all started with the Dalai Lama. The Tibetan leader's offices in India, Brussels, London and New York asked the researchers to examane its computers for malware. But researchers at the Munk Center for International Studies at the University of Toronto found something much more than garden-variety spyware, John Markoff reports for the New York Times.

This was industrial-strength spyware, controlled from computers almost exclusively based in China, and aimed not just at the Dalai Lama but in fact thousands of computers in 103 countries.

The spy operation, dubbed "GhostNet," has stolen hundreds of documents from government computers around the world, the Toronto researchers say in their report, "Tracking GhostNet" (Scribd) Besides the Dalai Lama, GhostNet appears focused on India and Southeast Asian countries.

Computers based in China ... spying on the Dalai Lama ... Hmm, could the Chinese government be behind GhostNet?

Careful there, say the Toronto researchers.

“We’re a bit more careful about it, knowing the nuance of what happens in the subterranean realms,” said Ronald J. Deibert, a member of the research group and an associate professor of political science at Munk. “This could well be the C.I.A. or the Russians. It’s a murky realm that we’re lifting the lid on.”

Nonsense, say two British researchers at Cambridge.

“What Chinese spooks did in 2008, Russian crooks will do in 2010 and even low-budget criminals from less developed countries will follow in due course,” the Cambridge researchers, Shishir Nagaraja and Ross Anderson, wrote in [their report.]

I can appreciate Toronto's caution, but let's be real. Consider this real-life impact:

After an e-mail invitation was sent by the Dalai Lama’s office to a foreign diplomat, the Chinese government made a call to the diplomat discouraging a visit. And a woman working for a group making Internet contacts between Tibetan exiles and Chinese citizens was stopped by Chinese intelligence officers on her way back to Tibet, shown transcripts of her online conversations and warned to stop her political activities.

Seems like the Chinese government is pretty on top of this operation, doesn't it? Anyway, here's the inside story of how GhostNet was exposed: Last summer the Dalai Lama invited two computer specialists to examine their computers. They found the systems had been infected and files stolen. They shared the data with Nart Villeneuve, a white hat hacker at Toronto.

Early this month, Mr. Villeneuve noticed an odd string of 22 characters embedded in files created by the malicious software and searched for it with Google. It led him to a group of computers on Hainan Island, off China, and to a Web site that would prove to be critically important.

In a puzzling security lapse, the Web page that Mr. Villeneuve found was not protected by a password, while much of the rest of the system uses encryption.

Mr. Villeneuve and his colleagues figured out how the operation worked by commanding it to infect a system in their computer lab in Toronto. On March 12, the spies took their own bait. Mr. Villeneuve watched a brief series of commands flicker on his computer screen as someone — presumably in China — rummaged through the files. Finding nothing of interest, the intruder soon disappeared.

Through trial and error, the researchers learned to use the system’s Chinese-language “dashboard” — a control panel reachable with a standard Web browser — by which one could manipulate the more than 1,200 computers worldwide that had by then been infected.

Editorial standards