Last year, at just about this time, the InfoWar Monitor (IWM) released the “Tracking GhostNet” report which detailed our investigation into a cyber-espionage network that has compromised 1200+ computer systems spread across 103 countries, including ministries of foreign affairs, embassies, international organizations, news organizations, and even a computer located at NATO headquarters.
I remember when I stumbled upon the GhostNet attacker’s command and control interface by Googling a string of text from the network traffic obtained during our field investigation from a compromised computer at the Dalai Lama’s office in Dharamsala , India. To my surprise Google returned several results, which I clicked, and was suddenly looking at an interface that allowed the attackers to fully control a network of compromised computer system. When the report came out and I realized the significance of the find I thought that there was no way it would happen again. I was wrong.
Today the IWM and the Shadowserver Foundation have released a report “Shadows in the Cloud: An investigation into cyber espionage 2.0” (mirror) in which we document another targeted malware network. (NYT coverage here). We started by exploring one of the malware networks described in the GhostNet report but was an entirely separate malware network that had also compromised computers at the Dalai Lama’s office. I cannot stress just how important the trust, collaboration and information sharing across all those involved in this report from the Citizen Lab, SecDev , and Shadowserver, along with the Dalai Lama’s Office were to the success of the project.
As a result we were able to document another network of compromised government, business, and academic computer systems in India, the Office of the Dalai Lama, and the United Nations as well as numerous other institutions, including the Embassy of Pakistan in the United States.
In the report we enumerated a complex and tiered command and control infrastructure. The attackers misused a variety of services including Twitter, Google Groups, Blogspot, Baidu Blogs, blog.com and Yahoo! Mail in order to maintain persistent control over the compromised computers. This top layer directed compromised computers to accounts on free web hosting services, and as the free hosting servers were disabled, to a stable core of command and control servers located in China.
This time, unlike GhostNet, we were able to recover data, some of which are highly sensitive, from a drop zone used by the attackers. One day, while exploring open directories on one of the command and control servers I noticed that there were files in a directory that was normally empty. It turned out that the attackers were directing compromised computers to upload data to this directory; the attackers subsequently moved the data off to another location and deleted the files at fairly rapid, but intermittent time intervals.
We recovered a wide variety of documents including one document that appears to be encrypted diplomatic correspondence, two documents marked “SECRET”, six as “RESTRICTED” and five as “CONFIDENTIAL” which appear to belong to the Indian government. We also recovered documents including 1,500 letters sent from the Dalai Lama’s office between January and November 2009.
Based on the character of the documents (and not IP addresses) we assessed that we recovered documents from the National Security Council Secretariat (NSCS) of India, the Embassy of India, Kabul, the Embassy of India, Moscow, the Consulate General of India, Dubai, and the High Commission of India in Abuja, Nigeria. In addition, we recovered documents from India’s Military Engineer Services (MES) and other military personnel as well as the Army Institute of Technology in Pune, Maharashtra and the Military College of Electronics and Mechanical Engineering in Secunderabad, Andhra Pradesh. Documents from a variety of other entities including the Institute for Defence Studies and Analyses as well as India Strategic defence magazine and FORCE magazine were compromised.
Questions regarding those who are ultimately responsible for this cyber-espionage network remain unanswered. We were, however, able to benefit from a great investigation by The Dark Visitor who tracked down lost33, the person who registered some of the Shadow network’s domain names that we published in the GhostNet report and his connections ot the underground hacking community in China. Based on the IP and email addresses used by the attackers we were able to link the attackers to several posts on apartment rental sites in Chengdu.
This, of course, does not reveal the role of these specific individuals nor the motivation behind the attacks. However, the connection that The Dark Visitor drew between lost33 and the underground hacking community in China does indicate that motivations such as patriotic hacking and cybercrime may have played a role. Finally, the nature of the data stolen by the attackers does indicate correlations with the strategic interests
of the Chinese state. But, we were unable to determine any direct connection between these attackers and elements of the Chinese state. However, it would not be implausible to suggest that the stolen data may have ended up in the possession of some entity of the Chinese government.
Now having reported this incident to the China CERT — which handles security incidents in China — I look forward to working with them to shut down this malware network.
This is an investigation in progress. There are many threads in this investigation that have still to be fully explored. I hope that this report provides enough detail to allow others with different specializations to continue to explore aspects of the Shadow network enriching our collective understanding of this incident and the broader implications regarding both cyber-crime and cyber-espionage.