‘GhostNet’ Spies on Governments & Dalai Lama

After a 10-month cyber espionage investigation, researchers have found 1,295 computers in 103 countries infected with software capable of stealing information from high-profile targets such as the Dalai Lama and government agencies around the world. According to the report published today by Information Warfare Monitor, a Toronto-based organization, the affected computers include machines at embassies belonging to Germany, India, Romania, and Thailand, as well as at the ministries of foreign affairs of Barbados, Iran, and Latvia.

The infected computers acted as an illicit information-gathering network. Researchers observed sensitive documents being stolen from a computer network operated by the Dalai Lama’s organization. The attacks have been traced back to computers in China, but the analysts were cautious about linking the spying to the Chinese government, especially since China has one fifth of the world’s Internet users. It is entirely conceivable that some of those users are hackers whose goals align with Chinese political positions.

Researchers at Cambridge University also published a report today. That report suspects that the Chinese government, or a group with close ties to it, is responsible for the attack on the computer in the Dalai Lama’s office. The Chinese government has repeatedly denied past allegations that it sponsors cyber attacks.

The Information Warfare Monitor dubbed the vast spy network ‘GhostNet’ after the gh0st RAT (Remote Access Tool) malware at the heart of it. The malicious software provided almost complete control over a victim’s computer. With it, the attackers were able to search for and steal sensitive files, capture passwords, and use a computer’s Web cam. According to the report, the affected individuals and organizations are almost certainly unaware that they have been compromised.

Mikko Hypponen, director of antivirus research at F-Secure, says the operation could have started as early as 2004, which is when security researchers noticed many of the targeted institutions were being sent bogus email messages with attached executable files. Hypponen has been tracking the attacks for years and says GhostNet’s tactics have evolved considerably from the early days.