At the end of 10 months of research that started at the Office of
the Dalai Lama in Tibet, researchers at Canadian public/private venture the Independent Warfare Monitor
exposed the workings of the network, which they dubbed "GhostNet", over the weekend. It showed 1,295 infected hosts
in 103 countries.
Two of the infected hosts were allegedly located in the German Embassy and the Maltese Embassy in Australia, although the researchers identified
the computers only via lists found on the espionage network's control servers
and were not highly confident of their true identity.
The German Embassy would not comment on the issue since it
concerned security. No spokesperson for the Maltese Embassy was
available. The Australian Security Intelligence Organisation (ASIO) would not give any comment.
There could potentially be more infected hosts in Australia, since those
listed in the researchers' report are only a sample of the infected hosts.
GhostNet gets a targeted computer to download a trojan that hands the
attackers complete real-time control of the machine, even allowing them
to operate attached devices such as microphones and web
cameras.
To spread the infection, emails are sent to specific targets
with attached documents carrying exploit code and trojans, which
use vulnerabilities on the target's computer to compromise it.
Files on the compromised machine can then be mined for contact information, and further emails,
now appearing to come from legitimate sources, can be sent to spread the
infection.
"At the very least, it demonstrates the ease by which
computer-based malware can be used to build a robust, low-cost
intelligence capability and infect a network of potentially
high-value targets," the report said.
The type of information such organisations had that those
behind the espionage would find valuable were files and emails with
contact information, lists of meetings and attendees,
organisational budgets, and lists of visitors, the report said.
One alleged incident the researchers spelled out, which showed how such
information could be used, involved a young woman who was a member
of a Tibetan non-government organisation and who decided to return to
her home village after two years of employment.
She was allegedly arrested at
the Nepalese-Tibetan border and held for two months, where the researchers said she was
interrogated by Chinese intelligence personnel about her
employment. She denied being politically active, at which the
intelligence officers allegedly pulled out a dossier with full transcripts of
her internet chats over the years.
The earliest infected computer contacted the control server on
22 May 2007 and the most recent entry was 12 March 2009. Around
a third of the computers were infected for over a year. The
researchers believed the network to be still operational, according to the report.
Although the researchers said the system was being controlled
from servers based almost exclusively in China (70 per cent), they
would not point the finger at that nation, saying that alternative
explanations were possible.
The identity behind the espionage didn't matter, according to
the report. "Regardless of who or what is ultimately in control of
GhostNet, its capabilities of exploitation and the strategic
intelligence that can be harvested from it matter most," the
researchers said. "We can safely hypothesise that it is neither
the first nor the only one of its kind," they warned.