Vast Spy System Loots Computers

Amazing, but not that surprising. The full 53-page report is available here, if you are interested in the details [1].


A vast electronic spying operation has infiltrated computers and has stolen documents from hundreds of government and private offices around the world, including those of the Dalai Lama, Canadian researchers have concluded.

In a report to be issued this weekend, the researchers said that the system was being controlled from computers based almost exclusively in China, but that they could not say conclusively that the Chinese government was involved.

The researchers, who are based at the Munk Center for International Studies at the University of Toronto, had been asked by the office of the Dalai Lama, the exiled Tibetan leader whom China regularly denounces, to examine its computers for signs of malicious software, or malware.

Their sleuthing opened a window into a broader operation that, in less than two years, has infiltrated at least 1,295 computers in 103 countries, including many belonging to embassies, foreign ministries and other government offices, as well as the Dalai Lama’s Tibetan exile centers in India, Brussels, London and New York.

The researchers, who have a record of detecting computer espionage, said they believed that in addition to the spying on the Dalai Lama, the system, which they called GhostNet, was focused on the governments of South Asian and Southeast Asian countries.

Intelligence analysts say many governments, including those of China, Russia and the United States, and other parties use sophisticated computer programs to covertly gather information.

[Click to read more of Vast Spy System Loots Computers in 103 Countries – NYTimes.com]

Amusing that this front page article doesn’t once mention the operating system the target computers ran. Did Microsoft agree to purchase full page advertisements in the Sunday New York Times for the next ten years in order to keep Windows and Outlook from being mentioned in the story? Why do governments use Windows in sensitive networks anyway? Even if they didn’t use Macs, perhaps they could use Linux machines instead.


Kim Zetter of Wired adds:

Infected computers include the ministries of foreign affairs of Iran, Bangladesh, Latvia, Indonesia, and the Philippines and embassies of India, South Korea, Germany, Pakistan and Taiwan. Thirty percent of the infected computers could be considered “high-value” diplomatic, political, economic and military targets, the researchers say.

The largest number of infected computers in a single country were in Taiwan (148), followed by Vietnam (130) and the U.S. (113). Seventy-nine computers were infected at the Taiwan External Trade Development Council (TAITRA). One computer at Deloitte & Touche in New York was among those infected in the U.S.

The earliest infection the researchers found occurred May 22, 2007; the most recent infection at the time they wrote their report was March 12, 2009. Each computer was infected for a varying number of days, with the average being about 145 days. There were significant spikes in the number of systems infected in December 2007 (113 of 320 infections in December occurred at TAITRA in Taiwan) and August 2008.

The researchers found the network after examining computers at the Dalai Lama’s office and found that the system had gained control of mail servers for the Dalai Lama’s offices, allowing the spies to intercept all correspondence.

The computers were infected either after workers clicked on an e-mail attachment containing malware or clicked on a URL that took them to a rogue web site where the malware downloaded to their computer. The spy network continues to infect about a dozen new computers in various places each week, according to the researchers, who are based at the University of Toronto’s Munk Center for International Studies.

The malware includes a feature for turning on the web camera and microphone on a computer in order to secretly record conversation and activity in a room.

They write that e-mails that OHHDL workers received that contained the infected attachments appeared to come from Tibetan co-workers. In some cases, monks received infected e-mails that appeared to come from other monks. The attackers seemed to target their infected correspondence at key people in the OHHDL office, including network administrators. In this way, the attackers likely gained login credentials for the mail server. Once they had control of the mail server, they were able to infect more computers by intercepting legitimate e-mail in transit and replacing clean attachments with infected .doc and .pdf attachments that installed rootkits on the recipient’s computer, giving the attacker full control over the computer.

One monk reported that he was looking at his screen when his Outlook Express program launched on its own and began sending out e-mails with infected attachments.

[Click to continue reading Electronic Spy Network Focused on Dalai Lama and Embassies | Threat Level from Wired.com]

Fascinating stuff. China is very serious about keeping Tibet under their thumb.

Footnotes:
  1. Unfortunately, to download the document as a PDF, you have to give up an email account and other personal data.