A new report from www.trusted.pt documents their investigation into GhostNet in Portugal. I’ve only been able to read it via Google Translate but it seems very interesting. During the GhostNet investigation we found several Portuguese infections including:
- Embassy of Portugal, Germany
- Embassy of Portugal, France
- Embassy of Portugal, Finland
- CEGER, Management Center for the Electronic Government Network, Portugal
trusted.pt investigated further, found two control servers and gained access to the attackers’ admin interface:
In September 2009 it had full access to the two administration interfaces of “GhostNet”, one on each controller. The administration interface is a PHP application, rather crude but effective; on its home page we can see all the computers that have reported to these controllers, in this case 730, from 67 countries. The interface allows complete control over the infected machine. Through something like “modules”, new features can be added to the infected machines, such as keyloggers, real-time remote-control trojans (“GhostRAT”), remote command execution, sending and receiving files, and viewing the files sent automatically by the infected computers.
This is exactly what we found. However, trusted.pt was able to view the documents pilfered from the infected machines and provided this summary:
It was investigated and found that 1.1 gigabytes of information from computers with IP addresses associated with the Ministry of Foreign Affairs exists in “GhostNet”:
– A .pst file of the Ambassador of Portugal in India.
– JPEGs of procedures for employees, including the issuing of visas.
It was searched and found that 7.9 gigabytes of information from computers with IP addresses associated with the Ministry of Justice exists in “GhostNet”:
– Multiple .pst files of ITIJ employees with diverse and sensitive information.
– Documents describing the procedures, configurations and topologies of the main services of the Ministry of Justice, including passwords (from keylogger modules) for remote access to servers.
– Documents relating to the electoral process, action plans and contingency plans, descriptions of the settings and network topology for elections, including data sources from the civil governments, passwords, and the configuration of routers, switches and other equipment.
– Various .pst files and passwords of employees of the Directorate General of Registration and Notary, which allow a complete view of how the services work, including the civil status and property registry offices. Passwords for access to the applications used.
– From the Judiciary Police, including working procedures.
– Several pieces of technical information on the computer systems of the courts and their applications (SITAF, Habilus).
– Several case files that we think were removed from the computers of officials or judges.
– Documents relating to the public prosecutor.
– Computer applications such as Habilus.
In fact, in view of the concrete files found, we reach the frightening conclusion that the spying by “GhostNet” in Portugal was able to reach key bodies of the Portuguese state such as the courts, and that there is (and was?) a serious infection in various organisations holding valuable and sensitive information that should in theory be well protected. During the time we had access to the two “GhostNet” controllers, an attempt was made to go beyond the operating system hosting the interface, but we did not find any flaw in it that would give us the most important information about the reasons and people behind this highly dangerous espionage network, and our access was lost about 72 hours after first contact.
Very interesting stuff.