Major Chinese cyber spy network infiltrates governments worldwide

30 Mar 2009

A “GhostNet” or cyber espionage network based in China has infiltrated over 1,295 computers in 103 countries including foreign affairs departments and embassies with malware.

A Canada-based cyber research group called the Munk Centre, based at the University of Toronto, conducted a 10-month investigation of alleged Chinese cyber spying against Tibetan institutions, including the Office of the Dalai Lama.

The investigation consisted of fieldwork, technical scouting and laboratory analysis.

It uncovered a network of over 1,295 infected hosts in 103 countries, with up to 30pc of the targeted computers belonging to ministries of foreign affairs, embassies, news organisations and non-government organisations (NGOs).

The Tibetan computers originally investigated were compromised by multiple infections that gave attackers unprecedented access to potentially sensitive information.

The culprit, is appears, is China which has made it clear it views cyberspace as a strategic concern and has established a cyber espionage unit to redress the military imbalance between China and the rest of the world.

China has identified cyberspace as the strategic fulcrum on which US military and economic dominance depends.

The investigation found that at least 1,295 computers in 103 countries were infected by a socially engineered Trojan Horse, entitled ‘gh0st RAT’, controlled from internet access accounts on the island of Hainan, People’s Republic of China.

Close to 30pc of the infected computers, the Munk Centre said, can be considered high value and include ministries of foreign affairs of Iran, Bangladesh, Latvia, Indonesia, Brunei, Barbados, the Philippines and Bhutan as well as the embassies of India, South Korea, Indonesia, Malta, Cyprus, Thailand, Taiwan, Portugal, Germany and Pakistan. NGOs that were infected include the Association of South East Asian Nations, the South Asian Association for Regional Cooperation, the Asian Development Bank.

The malware even infected a number of news organisations as well as an unclassified computer at NATO headquarters.

“Documentation and reverse engineering of the modus operandi of the GhostNet system—including vectors, targeting, delivery mechanisms, data retrieval and control systems—reveals a covert, difficult-to-detect and elaborate cyber-espionage system capable of taking full control of affected systems,” the report said.

By John Kennedy

John Kennedy is a journalist who served as editor of Silicon Republic for 17 years