The same Internet security analysts who identified and revealed the surveillance ring known as GhostNet published another report today, revealing a vast “Shadow network” of online espionage based in China’s Sichuan Province.
The report, titled “Shadows in the Cloud: Investigating Cyber Espionage 2.0,” is the product of a collaborative effort between Canada’s Information Warfare Monitor and America’s Shadowserver Foundation. The Information Warfare Monitor is a public-private joint venture linking the Citizen Lab at the University of Toronto’s Munk School for International Studies to the Ottawa-based think tank The SecDev Group. The Shadowserver Foundation is a group of volunteer Internet security professionals who gather, track, and report on malware, botnet activity, and electronic fraud.
While operating from the Munk School, the international Internet security team monitored a complex ecosystem of cyber espionage originating in the Chinese city of Chengdu over an eight-month period.
Using popular online social-media tools such as Twitter, Google Groups, Blogspot, Baidu Blogs, blog.com, and Yahoo Mail, the hackers breached and compromised computer networks within India, the Offices of the Dalai Lama, the United Nations, and several other countries and organizations. The Indian government and the Dalai Lama, however, were undoubtedly the parties most affected by the attacks.
Among the documents recovered by the online security analysts in Toronto were several encrypted confidential files belonging to the Indian government.
“These documents contain sensitive information taken from a member of the National Security Council Secretariat concerning secret assessments of India’s security situation in the states of Assam, Manipur, Nagaland and Tripura, as well as concerning the Naxalites and Maoists,” the report said. “In addition, they contain confidential information taken from Indian embassies regarding India’s international relations with and assessments of activities in West Africa, Russia/Commonwealth of Independent States and the Middle East, as well as visa applications, passport office circulars and diplomatic correspondence.”
The hackers may have also obtained confidential information from Indian military personnel on the Pechora Missile System, the Iron Dome Missile System, and Project Shakti.
In addition, over 1,500 letters sent from the Office of the Dalai Lama between January and November of last year were among those files recovered.
When questioned about the report on Monday, Chengdu’s propaganda official Ye Lao dismissed the notion of Chinese government involvement as “ridiculous.”
“The Chinese government considers hacking a cancer to the whole society,” he went on to say.
While the report does not directly implicate the government in Beijing, it does maintain a critical stance towards the overall Internet environment that, in its view, is permitted to thrive in China.
“We have no evidence in this report of the involvement of the People’s Republic of China or any other government in the Shadow network,” the report said. “But an important question to be entertained is whether the PRC will take action to shut the Shadow network down. Doing so will help to address long-standing concerns that malware ecosystems are actively cultivated, or at the very least tolerated, by governments like the PRC who stand to benefit from their exploits through the black and grey markets for information and data.”
This illustrates the underlying propellant of cyber espionage operations like those uncovered in China: even if the information isn’t being stolen under the direction of the government, there remains a lucrative market for selling the data to interested parties. And while the authors of the report admit that speculating about the hackers’ motives is beyond the scope of their work, there is one particular party that comes to mind that may be interested in acquiring the correspondence of the Dalai Lama and confidential reports belonging to the Indian government.
“It’s like the world of art theft, where you steal things that have a very high value, as long as you can find a buyer,” said Rafal Rohozinski, senior research adviser at Citizen Lab and CEO of SecDev Group, according to The Globe and Mail.
“So the question of course is, who’s the buyer? Is the buyer paying the thief to go after this stuff, or is the thief doing it themselves because they know they can find a buyer? That’s one of those things that we don’t really have a good answer for,” said Rohozinski.