China, GhostNet and the Tip of the Iceberg
By Tom Kington, Rome, and Wendell Minnick, Taipei — After scores of tales of Chinese cyberattacks on Western governments, GhostNet seemed to cap them all when details emerged in March.
Not content with hacking into 1,295 computers in 103 countries, including at embassies, a New York finance firm, a news agency and even NATO command, the hidden hand behind GhostNet was capable of reading keystrokes and even triggering Webcams and microphones.
Thanks to GhostNet, it was suggested, Beijing was literally in the room with you, watching and listening.
The academic teams that exposed GhostNet were careful to state that even if the attack appeared to originate mostly in China, they had no proof of Chinese state involvement. “GhostNet was just one of many such schemes probably in existence. It may have folded, but many like it will still be around,” said Johannes Ullrich, chief technical officer at Maryland’s SANS Technology Institute.
“GhostNet was characteristic of most forms of cybercrime and was not hugely innovative in terms of technology,” said Peter Sommer, a computer security specialist and visiting professor at the London School of Economics. “The people who pull off the big attacks are not usually the innovators. The kit for GhostNet is available online.”
Analysts exposed GhostNet after finding that innocuous e-mails sent to Tibetan activists contained malicious software that linked back to servers and allowed remote control of the computer. By setting up a “honey pot” computer that was infected, the analysts were able to enter the hackers’ system.
What made the study so intriguing was the over-the-shoulder view it gave of the hackers’ day-to-day operation. The academics, who hailed from the Ottawa-based think tank SecDev Group and the University of Toronto’s Munk Centre for International Studies, watched while documents were pilfered from the office of the Dalai Lama, the Tibetan spiritual leader in exile.
For one analyst, GhostNet bore the hallmarks of a Chinese operation and was evidence that China informally cooperates with hackers.
“We have been seeing this kind of overlap between government security forces and patriotic hackers since the mid- to late-90s, involving attacks against Falong Gong and Tibetans,” said James Mulvenon, an expert on China’s military, who is also director of the Center for Intelligence Research and Analysis in Washington.
“The difference is that back then, these attacks started with hackers, leaving a question over state control,” he said. “Now it appears China and Russia see it as a legitimate tool of national power. There can be little doubt that the Chinese attacks are government-sponsored, since the documents sought out are not the kind of thing young hackers interested in stealing credit cards and selling botnets would go after.” Mulvenon said the use of “proxy” online warriors set China and Russia apart from the United States.
The GhostNet team found most of the infected computers were in Taiwan, followed by the United States, Vietnam and India. The foreign ministries of Iran, Bangladesh, Latvia, Indonesia, the Philippines, Brunei, Barbados and Bhutan also appeared to be targeted, as well as the embassies of India, South Korea, Indonesia, Romania, Cyprus, Thailand, Germany and Pakistan.
GhostNet was discovered as the United States beefs up its cybersecurity amid unconfirmed reports of Chinese hackers penetrating U.S. Pentagon and corporate computer systems to steal data on the F-35 Joint Strike Fighter.
“While we don’t usually comment on security matters, we believe the article in the Wall Street Journal was incorrect in its representation of successful cyber attacks on the F-35 program,” said Joe Stout, Lockheed Martin Aeronautics director of communications. “To our knowledge, there has never been any classified information breech. Like the government, we have attacks on our systems continually and have stringent measures in place to detect and stop attacks.”
Larry Wortzel, vice chairman of the U.S.-China Economic and Security Review Commission, said contractors in the Defense Industrial Security System working on classified DoD information would likely get Pentagon protection.
“I suggest it might be a little early to jump to conclusions on what the new cyber command will or will not do,” he said, “but I would be very surprised if it ignored work being done for the Department of Defense at contractors like Lockheed, Raytheon or Northrop Grumman.” While the United States protects its home front, there were calls for it to come out fighting.
“We need to develop an offensive capability,” said Jun Isomura, a senior fellow at the Hudson Institute in Washington. “It is the sites launching the attacks that should be destroyed,” he added.
But Peter Sommer warned that in cyberspace, the identity of your enemy is not always obvious.
“There is the possibility that the GhostNet attack was carried out by someone outside China,” he said. “The first step in cyberwar is to disguise your steps. That is the danger of having militaries run things. They think in terms of attack and counterattack, but it is often difficult to identify the person who has attacked you.”