Shadow Network

Description

(Information Warfare Monitor) Shadows in the Cloud documents a complex ecosystem of cyber espionage that systematically compromised government, business, academic, and other computer network systems in India, the Offices of the Dalai Lama, the United Nations, and several other countries. The report also contains an analysis of data which were stolen from politically sensitive targets and recovered during the course of the investigation. These include documents from the Offices of the Dalai Lama and agencies of the Indian national security establishment. Data containing sensitive information on citizens of numerous third-party countries, as well as personal, financial, and business information, were also exfiltrated and recovered during the course of the investigation. The report analyzes the malware ecosystem employed by the Shadows’ attackers, which leveraged multiple redundant cloud computing systems, social networking platforms, and free web hosting services in order to maintain persistent control while operating core servers located in the People’s Republic of China (PRC). Although the identity and motivation of the attackers remain unknown, the report is able to determine the location (Chengdu, PRC) as well as some of the associations of the attackers through circumstantial evidence. The investigation is the product of an eight month, collaborative activity between the Information Warfare Monitor (Citizen Lab and SecDev) and the Shadowserver Foundation. The investigation employed a fusion methodology, combining technical interrogation techniques, data analysis, and field research, to track and uncover the Shadow cyber espionage network.

Also see GhostNet, Snooping Dragon.

Names

Name	Name-Giver
Shadow Network	Information Warfare Monitor

Country

• China

Motivation

• Information theft and espionage

First Seen

2010

Observed Sectors

• Education
• Government
• others

Observed Countries

• Afghanistan
• Australia
• Azerbaijan
• Canada
• China
• France
• Germany
• Greece
• Hong Kong
• India
• Israel
• Italy
• Japan
• Lithuania
• Malaysia
• Mexico
• Nepal
• Netherlands
• New Zealand
• Pakistan
• Papua New Guinea
• Philippines
• Qatar
• Romania
• Russia
• South Korea
• Sweden
• Taiwan
• Thailand
• Tibet
• UAE
• UK
• USA
• Vietnam

Tools

• ShadowNet

Counter Operations

• 2010: Taken down by the Shadowserver Foundation.

Information

• https://citizenlab.ca/wp-content/uploads/2017/05/shadows-in-the-cloud.pdf

Other Information

Uuid

2e57bbb2-c3f8-426e-9abd-2d806d972a29

Last Card Change

2020-04-15