GhostNet
March 28, 2009 10:55 PM

Tracking GhostNet: Investigating a Cyber Espionage Network. "A vast electronic spying operation has infiltrated computers and has stolen documents from hundreds of government and private offices around the world, including those of the Dalai Lama, Canadian researchers have concluded. In a report to be issued this weekend, the researchers said that the system was being controlled from computers based almost exclusively in China, but that they could not say conclusively that the Chinese government was involved." posted by homunculus
 
Via Doktor Zed's comment in another thread. I thought this deserved its own FPP.
posted by homunculus at 10:56 PM on March 28, 2009 [1 favorite]


Hacked by the Chinese.
posted by delmoi at 11:05 PM on March 28, 2009


Hacked by the Chinese.

One nerd's terrifying ordeal!
posted by Pope Guilty at 11:53 PM on March 28, 2009


Hacked by the Chinese.

Ur doin it wrong: it's "Hacked by Chinese!"
posted by DecemberBoy at 12:06 AM on March 29, 2009 [3 favorites]


From p.27:

"The Drewla ('connection' in Tibetan) is an online outreach program, set up in 2005 that employs Tibetan youth with Chinese language skills to chat with people in mainland China and the diaspora, raising awareness about the Tibetan situation, sharing the Dalai Lama's teachings and supplying information on how to circumvent Chinese government censorship on the internet."

So these people are self-confessed enemies of the Chinese state who are using the internet to reach into that country, propagandize and spread subversion? Not really surprising that they're paranoid about being hacked then.

But I'm not sure how different what the Tibetans are up to is from this.

Do you suppose that the NSA isn't keeping an eye on these folks? It's probably all a lot easier when you've got full control over the major backbones though.
posted by PeterMcDermott at 1:06 AM on March 29, 2009 [1 favorite]


Cool! Shishir, who did some of the fieldwork, is a friend from university; we used to have long, interesting conversations about politics and internet security. I'm delighted to see that the report has finally been published!
posted by honest knave at 2:22 AM on March 29, 2009


SURPRISE!
posted by BitterOldPunk at 4:01 AM on March 29, 2009


This is really creepy.
posted by pyngthyngs at 6:23 AM on March 29, 2009


So these people are self-confessed enemies of the Chinese state who are using the internet to reach into that country, propagandize and spread subversion? Not really surprising that they're paranoid about being hacked then.

I have posted before about the Tibetan attacks, because they offer good insights into this issue in general. But it's not just the Tibetan activists and other outspoken critics of the Chinese regime that are targeted by this "GhostNet". I work on Taiwan/China issues in Washington, D.C. Pretty much everyone in that community - be they academics, think tankers, NGO employees, or government officials - is consistently targeted by the kind of "social malware" attacks that are detailed in the two reports. These attacks are very sophisticated, making them really hard to spot, and they show intimate knowledge of what's going on in the community. Let me give you two recent examples:

On March 26, the Pentagon released their annual report on the Chinese military. On March 27, I received an email ostensibly from one of the people responsible for Taiwan issues at the Pentagon. The email basically said "Hey, here is the expanded version of the report from yesterday, with some additional commentary on Taiwan. I thought you would find it useful". Attached was a PDF named "China_Military_Power_Report_2009.pdf", exactly like the official document released by the Pentagon. I work on Taiwan defense issues, so this would be very interesting to me were it real. However, I correspond with this person on a regular basis, and he usually signs his emails to me with his nickname. This email didn't, which made me suspicious. A Virustotal scan confirmed that the attachment contained malicious software (only detected by 4/38 products, though) and a quick phone call confirmed that the person hadn't sent an email like that.

In another recent attack, it was the name of the head of my organization that was used to try to trick recipients into opening malicious attachments. He had just returned from a visit to Taiwan, a trip that had been reported on in the Taiwan press. About a week after returning, he received an inquiry from a prominent researcher at a D.C. think tank, asking if he had sent the researcher an email with a trip report from his visit. He had not in fact sent such an email, although it wouldn't have been unusual for him to do so. I spoke to the IT manager at the think tank, who confirmed that the researcher was indeed tricked into opening the attachment, and that it did contain malware.

And this was just in the last three weeks. I could go on for pages describing various things we have seen over the past two/three years (two more here), but you get the gist. For small NGOs like mine, protecting against infiltration, monitoring our systems for intrusions, and educating our staff to recognize potential hazards has become a huge drain on our already limited resources. The frustrating thing is that there is pretty much nothing we can do about it, except to remain diligent. But at least I'm glad that the issue is continuing to get coverage in the mainstream press.
posted by gemmy at 6:25 AM on March 29, 2009 [145 favorites]


Geez-us. I hope whoever hacked the Dalai Lama's email attained the secrets for enlightenment.
posted by grapefruitmoon at 7:12 AM on March 29, 2009 [3 favorites]


This report really has been a while in coming. Although this example is hardly on the level of gemmy's experience, last August Boingboing's Xeni Jardin posted a screenshot of Tibetan activist-targeting malware that she received in an e-mail on the same day that she got an update from a member of the Munk Centre's GhostNet investigation team (who was in Hong Kong to help a local human rights group with their online security).
posted by Doktor Zed at 7:29 AM on March 29, 2009


Wow gemmy, that kind of maliciousness is one of the first good cases for using mandatory PGP (or other) signing that I've seen in a while. At least for files. Most email clients that you'd be using would support it. It would take a community wide approach, but given the scope of the attacks it might be possible.
posted by a robot made out of meat at 9:12 AM on March 29, 2009


So apart from PGP signing, which I can't see my organization adopting, is there another way to prevent PDF malware? Can anyone recommend an antivirus program for Mac that actually catches such malware?
posted by limeonaire at 11:54 AM on March 29, 2009


Wow gemmy, that story reminds me of a friend telling me about how people at The Pentagon have secure computers not connected to the internet, then separate internet terminals, and they like to move stuff across each computer via USB thumb drive, so virus/malware crackers wrote special hacks specific to getting embedded into USB mounted drives and then used all sorts of tricks to get onto infected thumb drives of Pentagon employees.

Eventually I heard they filled every USB port on Pentagon computers with cement.
posted by mathowie at 1:44 PM on March 29, 2009 [8 favorites]


Limeonaire: How do you prevent that kind of malware? It's easy: Never open email attachments. No matter what they are and who you think they're from, never open them.

But in the end there is no foolproof technological solution to the problem of "social engineering" -- because every time you make it foolproof, they invent a better fool.
posted by Chocolate Pickle at 5:50 PM on March 29, 2009 [1 favorite]


Thanks all! We are looking into options, including PGP/other signing for emails, but it won't be all that useful unless it comes into more widespread use in the community. And yea, mathowie, from what I understand a lot of the Pentagon computers have had their USB ports blocked in one way or another, and it's a huge pain to move files between the secure and the internet-connected system.
posted by gemmy at 5:53 PM on March 29, 2009


And this was just in the last three weeks. I could go on for pages describing various things we have seen over the past two/three years (two more here), but you get the gist. For small NGOs like mine, protecting against infiltration, monitoring our systems for intrusions, and educating our staff to recognize potential hazards has become a huge drain on our already limited resources. The frustrating thing is that there is pretty much nothing we can do about it, except to remain diligent. But at least I'm glad that the issue is continuing to get coverage in the mainstream press.

One thing you could do would be to make sure acrobat is always kept up to date. Presumably Adobe would close every security vulnerability they knew of, and if any viruses were in the wild.

The thing with PGP, if you did use it and a hacker got into one person's machine, they'd be able to sign docs as that person from then on out (assuming they were able to guess or sniff the passphrase). So it's not a panacea.

(And you could run Linux /nerd)
posted by delmoi at 6:23 AM on March 30, 2009


delmoi: at least they'd be able to revoke the key on noticing. I guess it depends on the attacks; there will always be zero day attacks, even if you're using SELinux (like that ugly Intel CPU cache poisoning). What they're currently exploiting is the lack of any identity authentication at all. True, then you just have to get to the moron with the most trust. From the white hat side, at least you can watch that moron closely and maybe notice the compromise before they have the chance to be useful. Also you can trace outward who they might have targeted using that identity.
posted by a robot made out of meat at 7:30 AM on March 30, 2009


I love PGP to death, but S/MIME is easier to implement (assuming you're using MS Exchange, Apple Mail, and other common clients) and provides many of the same benefits. Its trust model is also more straightforward — although it requires purchasing certificates, I have found that it's an easier sell to management than web-of-trust based systems.

Basically you just need to install the client certificates on users' machines (and reinstall, or explain to them how to reinstall, once a year) and then their outgoing email will come up as "signed" when viewed by most client programs.

It is not a foolproof system, and I have serious reservations about the way the whole trust model is set up, and how well some "certificate authorities" really authenticate the names and addresses they put on their certificates, but it is a lot better than nothing at all.

If you could combine S/MIME with a server-side solution that stripped attachments from unsigned messages (and from signed messages originating from outside trusted domains), you would probably eliminate a lot of attack vectors.

S/MIME is also used by some Federal agencies, mostly the ones that don't use Lotus Notes. They have their own trusted root servers, though, and mostly don't use the commercial ones.
posted by Kadin2048 at 9:23 AM on March 30, 2009
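Kadin2048's gateway idea (S/MIME plus server-side stripping of attachments from unsigned mail, or from signed mail outside trusted domains) as an added Python example; this is not code from the thread. It assumes the cryptographic check of the signature is done by an earlier stage (e.g. `openssl smime -verify`) and handed in as a flag; the trusted domain, sender addresses and sample messages are constructed.

```python
# Added example (not the thread's code). Signature verification is assumed done upstream, e.g. openssl smime -verify.
from email.message import EmailMessage
from email.utils import parseaddr

TRUSTED_DOMAINS, SIG_TYPES = {"example.org"}, {"application/pkcs7-signature", "application/x-pkcs7-signature"}

def is_smime_signed(msg):
    """Structural check only: multipart/signed whose protocol parameter names a PKCS#7 signature."""
    return msg.get_content_type() == "multipart/signed" and (msg.get_param("protocol") or "").lower() in SIG_TYPES

def strip_attachments(part, removed):
    """Recursively drop attachment parts (the signature part excepted); return the removed names."""
    if part.is_multipart():
        kept = []
        for sub in part.get_payload():
            if sub.get_content_disposition() == "attachment" and sub.get_content_type() not in SIG_TYPES:
                removed.append(sub.get_filename() or sub.get_content_type())
            else:
                kept.append(sub)
                strip_attachments(sub, removed)
        part.set_payload(kept)
    return removed

def gateway(msg, signature_verified):
    """The thread's policy: keep attachments only on a verified S/MIME message from a trusted domain."""
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if is_smime_signed(msg) and signature_verified and domain in TRUSTED_DOMAINS:
        return []
    removed = strip_attachments(msg, [])
    msg["X-Attachments-Stripped"] = ", ".join(removed) or "(none)"  # audit trail for the recipient
    return removed

def constructed_lure(sender):
    """Constructed sample shaped like the lure described in the thread: a short note plus a PDF."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = sender, "analyst@example.org", "Expanded report"
    m.set_content("Here is the expanded version of the report from yesterday.")
    m.add_attachment(b"%PDF-1.4 constructed placeholder", maintype="application",
                     subtype="pdf", filename="China_Military_Power_Report_2009.pdf")
    return m

def wrap_signed(content):
    """Constructed multipart/signed envelope around content; the signature part is a placeholder."""
    outer, sig = EmailMessage(), EmailMessage()
    outer["From"] = str(content["From"])
    outer["Content-Type"] = 'multipart/signed; protocol="application/pkcs7-signature"; micalg=sha-256'
    sig["Content-Type"], sig["Content-Disposition"] = "application/pkcs7-signature", "attachment; filename=smime.p7s"
    sig.set_payload("constructed-placeholder-signature")
    outer.set_payload([content, sig])
    return outer
```

A signed message from an untrusted domain still loses its attachments, which is the second half of the policy described above.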


It's easy: Never open email attachments. No matter what they are and who you think they're from, never open them.

I, like a lot of people, get around 5-10 emails a day that have attachments I need to read in order to do my job, so that's not very realistic. If this sort of thing started happening where I work we would probably have to move to sending everything in plain text, which would be a major pain.
posted by burnmp3s at 10:50 AM on March 30, 2009 [1 favorite]


Between because every time you make it foolproof, they invent a better fool or simply they invent a better fool...

--is your tagline for the day.
posted by y2karl at 11:46 AM on March 30, 2009


I'm curious to know gemmy, if you had received that infected PDF attachment in a gmail account for example, whether gmail would have spotted the malware?
posted by storybored at 2:18 PM on March 30, 2009


Via Schneier, F-Secure has more information on the tools the hackers used.
posted by homunculus at 5:22 PM on March 30, 2009


I'm curious to know gemmy, if you had received that infected PDF attachment in a gmail account for example, whether gmail would have spotted the malware?

We are on a hosted Google Apps solution, so the answer is no for this particular one. I would say on average 1/15 of the malware pdf/doc attachments in these kinds of emails get flagged as such by either Google or our Norton Corporate install.
posted by gemmy at 8:37 PM on March 30, 2009


One thing you could do would be to make sure acrobat is always kept up to date. Presumably Adobe would close every security vulnerability they knew of, and if any viruses were in the wild.

They do, but sometimes they take a while. That particular hole was open for several weeks, known, exploitable, exploited, and unpatched. Simply being up-to-date wasn't enough. Having the latest version of Acrobat active as a plugin in your browser left you vulnerable to infection just by hitting the wrong website. I was hit by malware on my work PC, running the latest Acrobat and up-to-date McAfee enterprise virus software, when I took a break to play a tower defense game (I chose a lame one, too). McAfee didn't catch the malware; its updates from a few days later would have, but apparently it's not that hard to come up with new variants that slip past current filters.

We've gone through plenty of vulnerabilities in Windows itself, now much less common, then the browser(s), now much less common. So the OS itself and its primary exposure to the internet seem fairly secure. What's the next vulnerable surface? Viewing material from the net via plugins and external applications. The most common software used to view material from the net? Flash and Acrobat. Basically, Adobe needs to get into the same security mindset that Microsoft has had beaten into it over the past decade.
posted by whatnotever at 6:58 PM on March 31, 2009 [1 favorite]


How do you prevent that kind of malware? It's easy: Never open email attachments. No matter what they are and who you think they're from, never open them.

Well, that's the trick, isn't it? Heh. 'Cause I work in editing, where Word docs and PDFs are regularly swapped by email, and clueless marketers routinely send me unsolicited attachments that I unfortunately can't just ignore. I've always thought I was pretty good at sussing out suspect emails, but this FPP gives me pause on that front. Hence the question. Any ideas?
posted by limeonaire at 3:50 PM on April 1, 2009


Never open email attachments.

What about using a virtual machine to browse attachments etc.?

Things like VMware Player are free - you can boot up a separated, quarantined Windows just for attachment wrangling and stuff like that. Then you can zap and reset the virtual machine to whatever pristine state you would like, after you've checked incoming documents. Even if someone plants malware on the virtual machine, the VM shouldn't contain much data, and the infection is lost when any changes on the VM disk images are reverted on its cleanse / bootup cycle.

Also consider using Linux and doing some hardening work on it. (You could still have Windows in a virtual machine.)
posted by krilli at 4:55 PM on April 1, 2009


Oh wait, this is all a misunderstanding. GhostNet was actually targeting these guys. Gotta watch those typos.
posted by homunculus at 11:07 AM on April 8, 2009


In other news: Electricity Grid in U.S. Penetrated By Spies
posted by homunculus at 11:30 AM on April 8, 2009


A Secure OS For the Dalai Lama?
posted by homunculus at 11:13 PM on April 19, 2009



