Chinese hackers ‘using ghost network to control embassy computers’

March 30, 2009

A spy network believed to have been controlled from China has hacked into classified documents on government and private computers in 103 countries, according to internet researchers. The spy system, dubbed GhostNet, is alleged to have compromised 1,295 machines at Nato and foreign ministries, embassies, banks and news organisations across the world, as well as computers used by the Dalai Lama and Tibetan exiles.

The work of Information Warfare Monitor (IWM) investigators focused initially on allegations of Chinese cyber-espionage against the Tibetan exile community, but led to a much wider network of compromised machines. IWM said that, while China appeared to be the main source of the network, it had not been able conclusively to identify the hackers. The IWM is composed of researchers from an Ottawa-based think-tank, SecDev Group, and the Munk Centre for International Studies at the University of Toronto.

They found that the foreign ministries of Iran, Bangladesh, Latvia, Indonesia, the Philippines, Brunei, Barbados and Bhutan had been spied on remotely, and the embassies of India, South Korea, Indonesia, Romania, Cyprus, Malta, Thailand, Taiwan, Portugal, Germany and Pakistan hacked.

The operation is thought to be the most extensive yet uncovered in the political world and is estimated to be invading more than a dozen new computers a week. Other infected computers were found at the accountancy firm Deloitte & Touche in New York.

The IWM report said: “GhostNet represents a network of compromised computers in high-value political, economic and media locations in numerous countries worldwide. These organisations are almost certainly oblivious to the compromised situation in which they find themselves. The computers of diplomats, military attachés, private assistants, secretaries to prime ministers, journalists and others are under the concealed control of unknown assailant(s).

“In Dharamsala [the headquarters of the Tibetan government in exile] and elsewhere, we have witnessed machines being profiled and sensitive documents being removed. Almost certainly, documents are being removed without the targets’ knowledge, key-strokes logged, web cameras are being silently triggered and audio inputs surreptitiously activated.”

Chinese hackers are thought to have targeted Western networks repeatedly. Computers at the Foreign and Commonwealth Office and other Whitehall departments were attacked from China in 2007. In the same year, Jonathan Evans, the MI5 Director-General, alerted 300 British businesses that they were under Chinese cyber-attack.

British intelligence chiefs have warned recently that China may have gained the capability effectively to shut down Britain by crippling its telecoms and utilities. Equipment installed by Huawei, the Chinese telecoms giant, in BT’s new communications network could be used to halt critical services such as power, food and water supplies, they said.

The Chinese Embassy in London said that there was no evidence to back up the claim that the Chinese Government was behind GhostNet and alleged that the report had been “commissioned by the Tibetan government in exile”.

Liu Weimin, a spokesman, said: “I will not be surprised if this report is just another case of their recent media and propaganda campaign. In China, it is against the law to hack into the computers of others, and we are victims of such cyber-attack. It is a global challenge that requires global cooperation. China is an active participant in such cooperation in the world.”

Once the hackers had infiltrated the systems, they gained control using malware – software installed on the compromised computers – and sent and received data from them, the researchers said. “The GhostNet system directs infected computers to download a Trojan known as Ghost Rat that allows attackers to gain complete, real-time control,” IWM said. “These instances of Ghost Rat are consistently controlled from commercial internet access accounts located on the island of Hainan, in the People’s Republic of China.”

Hainan is home to the Lingshui signals intelligence facility and the Third Technical Department of the People’s Liberation Army, IWM said.

Greg Walton, editor of IWM, said: “Regardless of who or what is ultimately in control of GhostNet, it is the capabilities of exploitation, and the strategic intelligence that can be harvested from it, which matters most. Indeed, although the Achilles’ heel of the GhostNet system allowed us to monitor and document its far-reaching network of infiltration, we can safely hypothesise that it is neither the first nor the only one of its kind.”