The "No Network is 100% Secure" series
- The GhostNet -
A White Paper
All rights reserved - may not be copied without permission
Easyrider LAN Pro, NOC Design Consultants
What is the GhostNet?: GhostNet is the name given to a large-scale cyber-espionage
operation discovered in March 2009. Its control servers are based mainly in the People's
Republic of China, and it infiltrated high-value political, economic and media
targets throughout the world. Computer systems belonging to embassies, foreign
ministries and other government offices, and to the Dalai Lama's Tibetan exile centers
in India, Brussels, London and New York City, were all compromised. Although the
network's infrastructure is mostly in China, there is no conclusive evidence that the
Chinese government operates it; attribution to the government remains the working assumption.
The discovery of GhostNet and details of its operation were reported by The
New York Times on March 29, 2009. Investigators initially focused on allegations of
Chinese cyber-espionage against the Tibetan exile community, including instances where
e-mail correspondence and other data were extracted. No evidence was found that U.S.
government offices were infiltrated.
GhostNet intrusion method:
GhostNet uses a malicious program called gh0st RAT (Remote Access Trojan) to
steal sensitive documents and take complete control of infected computers.
Other GhostNet "features" include keystroke logging, the ability to turn on infected
computers' webcams and microphones remotely, taking and uploading screenshots,
and a browser-based "dashboard" that the operators use to control their network of 1,295
computers.
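As an added example (not code from the original page, nor from gh0st's authors or GhostNet's operators), the following Python decoder recognizes gh0st RAT command-and-control traffic by its published wire format: a 5-byte "Gh0st" magic, a little-endian 32-bit total length that includes the 13-byte header, a little-endian 32-bit uncompressed length, and a zlib-compressed body. Network IDS signatures for gh0st key on exactly this header, and cross-checking all three fields against the body is what keeps a stray "Gh0st" string in unrelated traffic from firing. The sample stream, the command-token values and the host string are constructed here; the magic string is a parameter because operators and later forks frequently change it, so a real detector should carry the variants seen in your own traffic.

```python
"""Recognize and decode gh0st RAT command-and-control packets in a byte stream.

Added example, not code from the original page or from GhostNet's operators.
Published gh0st wire format:
    "Gh0st" (5 bytes) | total length, uint32 LE (header included)
    | uncompressed length, uint32 LE | zlib-compressed payload
The magic is a parameter (5 bytes) because forks change it; the sample
stream at the bottom is constructed here for demonstration.
"""
import struct
import zlib

HDR_FMT = "<5sII"                    # magic, total length, original length
HDR_LEN = struct.calcsize(HDR_FMT)   # 13 bytes
DEFAULT_MAGIC = b"Gh0st"


def build_packet(payload: bytes, magic: bytes = DEFAULT_MAGIC) -> bytes:
    """Encode a payload the way gh0st does; used here only to build sample traffic."""
    comp = zlib.compress(payload)
    return struct.pack(HDR_FMT, magic, HDR_LEN + len(comp), len(payload)) + comp


def parse_packet(data: bytes, magic: bytes = DEFAULT_MAGIC):
    """Return the inflated payload if `data` is exactly one well-formed packet, else None."""
    if len(data) < HDR_LEN:
        return None
    flag, total_len, orig_len = struct.unpack(HDR_FMT, data[:HDR_LEN])
    if flag != magic or total_len != len(data):
        return None
    try:
        payload = zlib.decompress(data[HDR_LEN:])
    except zlib.error:
        return None
    if len(payload) != orig_len:      # declared length must match what inflated
        return None
    return payload


def scan_stream(buf: bytes, magic: bytes = DEFAULT_MAGIC):
    """Walk a reassembled TCP stream and return every validated gh0st packet.

    Each hit records the stream offset, the declared packet length, the first
    payload byte (gh0st's command token; the numbering is not reproduced here)
    and the decoded payload. A magic match with a bad header is skipped.
    """
    hits = []
    i = 0
    while i + HDR_LEN <= len(buf):
        if buf[i:i + 5] == magic:
            total_len = struct.unpack_from("<I", buf, i + 5)[0]
            if HDR_LEN <= total_len <= len(buf) - i:
                payload = parse_packet(buf[i:i + total_len], magic)
                if payload is not None:
                    hits.append({"offset": i, "total_len": total_len,
                                 "token": payload[0] if payload else None,
                                 "payload": payload})
                    i += total_len
                    continue
        i += 1
    return hits


# Constructed sample: leading noise, a beacon (token 0x66 chosen arbitrarily),
# decoy text that contains the magic but no valid header, then a second packet.
SAMPLE_STREAM = (
    b"\x00" * 7
    + build_packet(b"\x66" + b"host=WS-PC|os=WinXP SP2|")
    + b"...Gh0stly decoy text..."
    + build_packet(b"\x67" * 3)
)

if __name__ == "__main__":
    for hit in scan_stream(SAMPLE_STREAM):
        print(f"offset={hit['offset']} len={hit['total_len']} "
              f"token=0x{hit['token']:02x} payload={hit['payload']!r}")
```

Feed `scan_stream` the reassembled client-to-server stream from a suspect session; two or more validated packets on a connection to an unexpected host is a strong signal, whereas a magic match alone is not.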
How GhostNet was discovered: Researchers at the Munk Centre for International
Studies at the University of Toronto were asked by the office of the Dalai Lama, the
exiled Tibetan leader whom China regularly denounces, to examine its computers for
signs of malicious software (malware). The researchers' investigation revealed
a much broader operation that, in less than two years, had infiltrated at least 1,295
computers in 103 countries.
Method of infection:
1. You receive a spoofed e-mail with an attachment.
2. The e-mail appears to come from someone you know.
3. The contents make sense and talk about real things, in your language.
4. The attachment is a PDF, DOC, PPT or XLS file.
5. When you open the attachment, you see a document on your screen that makes
sense.
6. But you are also exploited at the same time.
7. The exploit drops a hidden remote access trojan, typically a Poison Ivy or
gh0st RAT variant.
8. No one else received the e-mail; only you did.
9. You work for a government, a defense contractor or an NGO.
And even today (5/20/09), only 11 of 34 anti-virus programs tested caught
the Trojan and recognized it as malware.
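Since anti-virus caught the dropped Trojan so rarely, the practical defense is to triage the delivery pattern itself. As an added example (not code from the original page), the following Python script applies the checks implied by the list above to an inbound message: a Reply-To pointing somewhere other than the From domain, a display name your users know attached to an unfamiliar address, a single recipient, and a PDF or legacy Office attachment whose bytes do not match its extension or, for PDF, that carries keys (/OpenAction, /JavaScript, /Launch) that execute when the document is opened. The known-contacts table, the sample message and every domain in it are constructed placeholders.

```python
"""Triage an inbound e-mail for the targeted-attachment pattern described above.

Added example, not code from the original page. Standard library only.
The known-contacts table, sample message and domains are constructed.
"""
import base64
import email
import os
from email import policy
from email.utils import getaddresses, parseaddr

RISKY_EXT = {".pdf", ".doc", ".xls", ".ppt"}
PDF_MAGIC = b"%PDF-"
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .doc/.xls/.ppt container
# PDF dictionary keys that make a document execute something when opened.
PDF_ACTIVE_KEYS = (b"/JavaScript", b"/JS", b"/Launch", b"/OpenAction", b"/AA")

# Constructed: display names your users know, mapped to the address they
# legitimately send from. The same name on a different address is a spoof.
KNOWN_CONTACTS = {"dorje tsering": "dorje.tsering@ngo-example.org"}


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def triage(raw: bytes, known_contacts=KNOWN_CONTACTS) -> list:
    """Return human-readable findings; an empty list means no indicator matched."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []

    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    if reply_addr and _domain(reply_addr) != _domain(from_addr):
        findings.append(f"Reply-To domain {_domain(reply_addr)} differs from "
                        f"From domain {_domain(from_addr)}")

    expected = known_contacts.get(from_name.strip().lower())
    if expected and expected.lower() != from_addr.lower():
        findings.append(f"display name '{from_name}' is known as {expected} "
                        f"but this message is from {from_addr}")

    recipients = getaddresses([str(h) for h in
                               msg.get_all("To", []) + msg.get_all("Cc", [])])
    if len(recipients) == 1:
        findings.append("single recipient: delivery looks targeted, not broadcast")

    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = os.path.splitext(name)[1].lower()
        if ext not in RISKY_EXT:
            continue
        data = part.get_payload(decode=True) or b""
        if ext == ".pdf":
            if not data.startswith(PDF_MAGIC):
                findings.append(f"{name}: .pdf extension but no PDF header")
            active = [k.decode() for k in PDF_ACTIVE_KEYS if k in data]
            if active:
                findings.append(f"{name}: PDF carries active content {active}")
        elif not data.startswith(OLE2_MAGIC):
            findings.append(f"{name}: {ext} extension but not an OLE2 document")
    return findings


def sample_message() -> bytes:
    """Constructed spear-phish: a known contact's name on a foreign address,
    a Reply-To elsewhere, one recipient, and a PDF that runs JavaScript on open."""
    pdf = (b"%PDF-1.4\n1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n"
           b"2 0 obj << /S /JavaScript /JS (app.alert(1)) >> endobj\n%%EOF\n")
    return (
        "From: Dorje Tsering <dorje.tsering@mail-example.net>\r\n"
        "Reply-To: dorje@freemail-example.cn\r\n"
        "To: analyst@ngo-example.org\r\n"
        "Subject: Translation of the statement\r\n"
        "MIME-Version: 1.0\r\n"
        'Content-Type: multipart/mixed; boundary="b1"\r\n\r\n'
        "--b1\r\nContent-Type: text/plain\r\n\r\n"
        "Please review the attached statement before the meeting.\r\n"
        '--b1\r\nContent-Type: application/pdf; name="statement.pdf"\r\n'
        "Content-Transfer-Encoding: base64\r\n"
        'Content-Disposition: attachment; filename="statement.pdf"\r\n\r\n'
        + base64.b64encode(pdf).decode() + "\r\n--b1--\r\n"
    ).encode()


if __name__ == "__main__":
    for finding in triage(sample_message()):
        print("-", finding)
```

None of these checks is conclusive on its own; a legitimate colleague may use a personal Reply-To, and many benign mails have one recipient. Their value is in combination, and in the attachment checks, which look at what the file is rather than what the sender says it is.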
What does GhostNet mean to security in the USA?
At the very least, the large number of high-value government targets compromised by
GhostNet demonstrates the relative ease with which a technically unsophisticated
approach can quickly be harnessed to create a very effective spy network. These are major
disruptive capabilities that the professional information security community, as well
as policymakers, need to come to terms with rapidly. A chilling indicator is that
the U.S. Defense Department has repeatedly warned of China's increasing capabilities
in electronic warfare. It said that the Chinese army "often cites the need in modern
warfare to control information, sometimes termed 'information dominance.'"
Fifty Cent Party: We are primarily concerned with computer and Internet security
and not with political issues. However, the alleged "50 Cent Party" is reportedly
part of the Chinese government's "bigger picture" of intelligence activity, so information about it
has been included here.
BBC Asia Pacific has alleged that the Chinese Communist Party has created a broad
network of freelance internet commentators who are paid to infiltrate chatrooms,
websites and comment areas to shape public opinion in favor of China's policies
and to suppress free expression on the Chinese internet.
Commentators are reportedly used by Chinese government departments to scour the
internet for bad news - and then negate it. They post comments on websites and
forums that spin bad news into good in an attempt to shape public opinion,
claims BBC Asia Pacific.
These internet propagandists, said to number around 300,000, are paid 50 Chinese
cents or 7 U.S. cents for every post. They have been called the 'Fifty Cent Party,'
the 'red vests' and the 'red vanguard.' They are said to have just one mission: to
safeguard the interests of the Communist Party by infiltrating and policing a
rapidly growing Chinese Internet. They set out to neutralize undesirable public
opinion by pushing pro-Party views through chat rooms and Web forums, reporting
dangerous content to authorities, says the Far East Economic Review.
This practice is similar to astroturfing, a strategy used by political campaigners,
companies and other organizations wherein paid staff or volunteers are used to post
messages en masse to create a false impression that the public supports or opposes
something.
There is probably at least some credence to BBC Asia Pacific's claims. Since this
web page was posted, it has regularly received hits from computers in Chinese IP
blocks that reached it through various keyword searches on Google and other
search engines.
Skype: Before GhostNet's unearthing, there had been reports about surveillance
and security breaches in China's TOM-Skype voice and video chat platform.
In October 2008, the Munk Centre reported discovering a massive security hole in
TOM-Skype, the official Skype client in China, that allows the Chinese government
to monitor, censor and archive Skype communications in, into or out of the
country. According to the report, researchers at the Munk Centre accessed and
downloaded millions of Skype messages, together with personally identifiable
information such as IP addresses and phone numbers, stored on eight TOM servers in
China. If you like Skype, that's fine. But if you're either in, or calling to,
China, don't assume the government isn't watching.
About the Author
Frank Saxton is a computer network security engineer and Easyrider LAN Pro principal. Home-based in Portland, Oregon, Frank has been designing remote diagnostic and network enterprise monitoring centers since the late 1970s. Prior to becoming a professional systems engineering consultant in 1990, Frank had a 20-year career in computer systems field engineering and field engineering management. Frank has a BSEE from Northeastern University and holds several certifications including Network General's Certified Network Expert (CNX). As a NOC design engineer and architect, Frank works regularly with enterprise-class monitoring tools such as HP OpenView Operations, BMC Patrol and others. In his enterprise security audit work, Frank uses sniffers and other professional-grade monitoring tools on a daily basis.
Next in the security white paper series:
How Cyber Criminals will mature over the next ten years
Last modified March 25, 2009
Copyright 1990-2009 Easyrider LAN Pro