ARS Technica, 2010-04-7
The people who uncovered GhostNet, an extensive cyber espionage network that targeted the Tibetan exile community, are back with a sequel. Starting with an infected machine that was found during that investigation, an international team of researchers has uncovered a completely separate network that primarily targeted the Indian government, and turned up some classified documents that had been obtained by the hackers. By reconstructing the network, the team was able to trace things back to the hacking community in Chengdu, China.
The work involved a collaboration between the Information Warfare Monitor and the Shadowserver Foundation, but, over the course of its work, involved dozens of other security groups and experts. It also benefitted from extensive cooperation with the Office of His Holiness the Dalai Lama, which had previously approached the security researchers in response to security lapses that unearthed GhostNet. The researchers take what they term a "fusion methodology," which is basically a combination of fieldwork—studying infected systems in situ—with standard security approaches.
The investigation grew out of GhostNet in two ways. As part of their efforts to help the Tibetan exile community secure its systems, the researchers were monitoring the network used by the OHHDL. As part of that monitoring, they uncovered an malware-infected machine that attempted to transfer documents to a control server.
Separately, they found that most of the control servers identified through the GhostNet investigation were taken down after their report on it was released. As the domain registrations on these servers lapsed, the researchers grabbed them for themselves, and created what's termed a DNS sinkhole, in which requests from compromised machines were directed to one under the researchers' control, allowing a study of the command-and-control communications.
Over time, the authors were able to trace communications back and develop a reasonable picture of a computer espionage network that was separate from, but partially overlapped with, the GhostNet. It turns out that, just as hackers count on regular users having moments of carelessness, they suffer from the same problem, which allowed the researchers to view the complete list of infected systems four times, and obtain documents stolen by the hackers twice.
In general, machines were compromised using low-tech methods, primarily via malware that travelled as Microsoft Office or PDF files, and used relatively well-known exploits. Once on a machine, however, the malware would communicate with a specific Yahoo Mail account, which allowed it to receive more sophisticated software via attachments, and alert the network to its identity.
The command-and-control network operated primarily through free webhosting services, many of them operating from within the US. As these systems came and went, various social networking services—Google and Baidu blogs, Twitter, etc.—were used to supply the infected systems with a list of alternate hosts. Fortunately for the researchers, at times when a lot of the free webhosts were taken out of action, the social networking updates revealed a core of servers that remained constant; these were exclusively hosted within China.
The list of infected systems was pretty variable, and included US institutions like NYU and Honeywell, and at least one machine in China that the researchers think was used for testing the system. But the majority of infected machines were associated with India. Some of these were commercial, like the Times of India and the New Delhi rail station, but the list included Indian embassies and consulates.
The documents retrieved by the researchers include everything from information on missile systems being developed by India to a list of visas issued by Indian embassies. That latter item may have implications for NATO's Afghanistan mission, since many of the officials from NATO countries travel via India. Several of these were marked classified or confidential, and some provided internal security evaluations in regions where India is dealing with armed insurgency.
Aside from the fact that the core of the network resides in China, there is some circumstantial evidence linking the network to the hacking community that exists in Chengdu. A blog that follows Chinese hacking activity independently identified the e-mail address used to register one of the domains that turned up as part of the new espionage network. The address turned up in several popular Chinese hacking forums, but also showed up in association with advertisements for apartment rentals in Chengdu. Several of the command-and-control e-mails sent to the Yahoo account also originated from computers in the region.
So, does that mean the Chinese government is behind the espionage? Chengdu is the site of an Army technical reconnaissance bureau, which would be consistent with direct involvement. But, it's quite near Chongquing, a city with thriving criminal syndicates, and several of the servers were also traced to that city.
Complicating matters further, China is one of the governments that has been accused of hiring digital privateers, private citizens that engage in hacking while remaining independent of the central government. The report notes that private citizens might engage in these activities under the expectation that the documents, once obtained, could be sold to the government, even if the government didn't authorize the intrusions.
In any case, the report's authors mentioned that the Chinese CERT organization was cooperating with attempts to shut down the network.
In addition to providing an interesting window into the world of cyberespionage, the authors use the report to argue that the chaotic mix of private hackers and government interests highlights the need to develop some international norms that govern acceptable online behavior. In that sense, they seem to be on the same page as the authors of the National Academies of Science report on cyberdeterrance covered over the weekend.
