GhostNet, Snooping Dragon
Description
(Information Warfare Monitor) Cyber espionage is an issue whose time has come. In this second report from the Information Warfare Monitor, we lay out the findings of a 10-month investigation of alleged Chinese cyber spying against Tibetan institutions. The investigation, consisting of fieldwork, technical scouting, and laboratory analysis, discovered a lot more. The investigation ultimately uncovered a network of over 1,295 infected hosts in 103 countries. Up to 30% of the infected hosts are considered high-value targets and include computers located at ministries of foreign affairs, embassies, international organizations, news media, and NGOs. The Tibetan computer systems we manually investigated, and from which our investigations began, were conclusively compromised by multiple infections that gave attackers unprecedented access to potentially sensitive information.
(UCAM) Attacks on the Dalai Lama’s Private Office: The OHHDL started to suspect it was under surveillance while setting up meetings between His Holiness and foreign dignitaries. They sent an email invitation on behalf of His Holiness to a foreign diplomat, but before they could follow it up with a courtesy telephone call, the diplomat’s office was contacted by the Chinese government and warned not to go ahead with the meeting. The Tibetans wondered whether a computer compromise might be the explanation; they called ONI Asia who called us. (Until May 2008, the first author was employed on a studentship funded by the OpenNet Initiative and the second author was a principal investigator for ONI.)
Also see Shadow Network.
Names
Name | Name-Giver |
---|---|
GhostNet | Information Warfare Monitor |
Snooping Dragon | UCAM |
Country
Sponsor
State-sponsored, PLA Unit 61398
Motivation
- Information theft and espionage
First Seen
2009
Observed Sectors
Observed Countries
- Bangladesh
- Barbados
- Bhutan
- Brunei
- Philippines
- Cyprus
- Germany
- India
- Indonesia
- Iran
- Latvia
- Malta
- Pakistan
- Portugal
- Romania
- South Korea
- Taiwan
- Thailand
- ASEAN
- NATO
- SAARC (South Asian Association for Regional Cooperation), the Asian Development Bank and news organizations
Tools
Counter Operations
- 2010: Taken down by the Shadowserver Foundation.
Information
- http://www.nartv.org/mirror/ghostnet.pdf
- https://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-746.pdf
- https://en.wikipedia.org/wiki/GhostNet
Other Information
Uuid
b3621d74-4802-4c40-995b-cf9258c832ce
Last Card Change
2021-05-21