It was hot, the night we burned Chrome
April 5, 2010 9:02 PM

Canadian researchers have uncovered a vast “Shadow Network” of online espionage based in China that used seemingly harmless means such as e-mail and Twitter to extract highly sensitive data. Stolen documents recovered in a year-long investigation show the hackers have breached the servers of dozens of countries and organizations, taking everything from top-secret files on missile systems in India to confidential visa applications, including those of Canadians travelling abroad.

The findings, which are part of a report that will be made public today in Toronto, will expose one of the biggest online spy rings ever cracked. Written by researchers at the University of Toronto’s Munk Centre for International Studies, the Ottawa-based security firm SecDev Group and the Shadowserver Foundation, the report is expected to be controversial.

The report is available online:

Shadows in the Cloud: There is an urgent need for a global convention on cyberspace that builds robust mechanisms of information sharing across borders and institutions, defines appropriate rules of the road for engagement in the cyber domain, puts the onus on states to not tolerate or encourage mischievous networks whose activities operate from within their jurisdictions, and protects and preserves this valuable global commons. Until such a normative and policy shift occurs, the shadows in the cloud may grow into a dark, threatening storm.
posted by KokuRyu (35 comments total)

Go Canada!
posted by XMLicious at 9:08 PM on April 5, 2010 [2 favorites]


What's the Chinese character(s) for "black hat"?
posted by Cool Papa Bell at 9:10 PM on April 5, 2010 [1 favorite]


Whoa. This is big.
posted by swimming naked when the tide goes out at 9:11 PM on April 5, 2010 [1 favorite]


黑客 (someone should probably verify this)
posted by p3on at 9:12 PM on April 5, 2010 [2 favorites]


Command servers, which are used to issue instructions to computers – such as “send me all of your documents” – connected to victims through a variety of seemingly innocent networks such as Google groups, Yahoo e-mail and Twitter accounts. Those intermediaries were used to relay links or files to a recipient in a target organization. Once the user clicks on the link or opens an attachment in an infected e-mail, the computer relays a beacon to the command server, which instructs it to start sending files to a dump zone.
I'd be very interested to know what the target platforms and applications are. At the risk of setting off the usual, um, civil and informed discussion, presumably Windows/I, for reasons of market share at least, but it'd be nice to know if they routinely exploit vulnerabilities in any other client systems and what they are.
posted by George_Spiggott at 9:38 PM on April 5, 2010


(that should read "Windows/IE")
posted by George_Spiggott at 9:39 PM on April 5, 2010


What's the Chinese character(s) for "black hat"?

The "Field Work" section of the report seems to indicate the researchers got permission first to gather data.
posted by KokuRyu at 9:55 PM on April 5, 2010 [1 favorite]


What's the Chinese character(s) for "black hat"?

The "Field Work" section of the report seems to indicate the researchers got permission first to gather data.


I think Cool Papa Bell is referring to the malevolent operators of the "Shadow Network" as the black hats. The researchers are clearly the Good Guys in this case, and therefore are white hats.
posted by StrangerInAStrainedLand at 10:04 PM on April 5, 2010


"The report, titled Shadows in the Cloud, comes one year after the same team discovered a spy ring with links to China that it dubbed GhostNet. Using information gleaned from that investigation, investigators followed a trail of websites that led to a much larger operation, also with links to China."

Previous thread on GhostNet.
posted by homunculus at 10:19 PM on April 5, 2010 [2 favorites]


I've often thought that the most practical way to surveil westerners in a cradle-to-grave manner (in other words what the US Patriot Act, for example, spells out as official policy) would be to enlist large numbers of Chinese internet analysts. I wanted my idea to be proven wrong.
posted by telstar at 10:33 PM on April 5, 2010


黑客 (someone should probably verify this)

Yep. The literal translation is Dark Visitor.
posted by scalefree at 10:37 PM on April 5, 2010 [2 favorites]


There is an urgent need for a global convention on cyberspace that builds robust mechanisms of information sharing across borders and institutions

LOL. To solve the problem of governments stealing sensitive information, we need to make it easier for governments to acquire and share information!

The irony is that insecurity is baked in. Individual-to-individual crypto is easy using public key crypto. If we were all using public key crypto in our emails and other communications, this stuff would be very hard to crack. Getting one person's key would only compromise that one person. If the government promoted it, either by requiring people emailing the government to use it, or just spending money to promote it, it would be totally standard by now.

But that would also mean that the government couldn't eavesdrop legitimately (or "legitimately"). In order for that to be possible, the stuff needs to be in plaintext in some central location. But those central locations make prime targets for hackers, which is exactly what they're doing. In fact, with the Gmail thing the Chinese were actively targeting the very system designed to allow the U.S. government to read everyone's email!

So the solution to the holes opened up by necessary spying now require even more spying infrastructure in order to "monitor" "misuse".
posted by delmoi at 10:40 PM on April 5, 2010 [12 favorites]


I'd be very interested to know what the target platforms and applications are.

I can get you halfway there. Here's a list of tools they commonly use.
posted by scalefree at 10:56 PM on April 5, 2010


Colour me wholly and completely unsurprised. What does surprise me, however, is that journalists (here in Australia, at any rate) are not interrogating our government about how they are addressing this, and our government - whilst happy to trumpet about a stupid and ineffectual net filter - is equally silent on the topic.

I think perhaps it's partly because some of the older generation of our politicians don't really understand or appreciate the stakes, and partly because I think both governments and companies have, unconsciously and consciously, regarded a measure of dodginess as the price of dealing with China.
posted by smoke at 11:24 PM on April 5, 2010 [1 favorite]


The literal translation of 黑客 may be "dark visitor," but it's really just a sound loan for "hacker" - the characters are pronounced "hēikè."
posted by bokane at 11:41 PM on April 5, 2010 [1 favorite]


Nice title.
posted by rodgerd at 11:57 PM on April 5, 2010 [2 favorites]


Their definition of vast might not be the same as my definition of vast.

"1,300 infected computers in 103 countries linked to servers in China" sounds less like a super secret GhostNet international hacking force, and more like script kiddies using old-ass IE exploits trying to get Warcraft passwords. Nothing anywhere close to an international conspiracy. This statistic is ludicrously tiny at best, and minuscule at worst. How many computers do you think exist globally? 4,000? In 500 countries? 1,300 machines is literally spit in the ocean.

Was the entire intent of this article to point out that the Internet, and servers that reside on it may not be totally secure? And to follow that with a paper thin link to some shady 'Shadow Conspiracy'? That sounds like some really shoddy journalism to me. Confidential visa applications, oh no. GhostNet pwnd U

"It was hot, the night we burned Chrome", really? That's what you get out of this article? As far as we know, they're running an infected profile.dat file on Word 97. That's exactly what I'd expect the Indonesian government to be doing.

Wait, stop the press. China may be monitoring the email of the Dalai Lama. Let me contain my surprise.

Shit, here's where I find out that this is the Canadian version of the Daily Mail, isn't it?
The fact that they were named ShadowServer Foundation should have given it away.

posted by Sphinx at 12:16 AM on April 6, 2010 [3 favorites]


That's what I got out of the article. But thank you for pointing out that I am an idiot.
posted by KokuRyu at 1:31 AM on April 6, 2010 [1 favorite]


Sphinx, perhaps you wouldn't be so sanguine if you understood exactly who is being targeted by these attacks. This isn't the Conficker worm; the power isn't in the computers, it's in what's on them.
posted by smoke at 2:47 AM on April 6, 2010


If we were all using public key crypto in our emails and other communications, this stuff would be very hard to crack. Getting one person's key would only compromise that one person.

And, analogously, if our operating systems (and "system" software such as word processors, email programs, etc) were very heterogeneous, we'd be less vulnerable to the worms and viruses that open up some of these security holes. But the government and corporate response? "We must have homogeneity on the desktop! For security!"

Most people still don't get the nature of distributed systems.
posted by DU at 2:53 AM on April 6, 2010


黑客 is totally my new inscrutable Asian script tattoo.
posted by flabdablet at 3:25 AM on April 6, 2010


I'd be very careful believing anything that comes out of the Munk centre. Let's let this one sort itself out before we give this report any credence whatsoever.
posted by clvrmnky at 5:46 AM on April 6, 2010


Basic marketing to me:
Make the client afraid of something then sell a solution:

Fear the Chinamen so we can censor your Internets.
posted by CitoyenK at 5:51 AM on April 6, 2010


I'd be very careful believing anything that comes out of the Munk centre.

Have they been unreliable in the past?
posted by shothotbot at 5:54 AM on April 6, 2010


I'd be very careful believing anything that comes out of the Munk centre. Let's let this one sort itself out before we give this report any credence whatsoever.

Really? Why? Just curious, I have never heard anything bad about them before.
posted by molecicco at 6:05 AM on April 6, 2010


I think Cool Papa Bell is referring to the malevolent operators of the "Shadow Network" as the black hats. The researchers are clearly the Good Guys in this case, and therefore are white hats.

The researchers are Canadian so they should be referred to as "White Toques" eh.
posted by srboisvert at 6:24 AM on April 6, 2010 [8 favorites]


The Chinese are targeting government computers, military computers, and corporate computers. 1300 computers isn't a tiny number if they've picked the ones with all the important information.

For instance, when Ford agreed to sell Volvo to Geely, you can bet your ass that the Chinese, sponsored by the government or by Geely itself, did everything possible to remotely access Ford's computers.

But, hey, if Sphinx is all cool with the latest military hardware plans being stolen, or the Administration's notes on Iran being stolen, or Ford being screwed-over in its negotiations, then I guess we can all ignore the problem and party like it's 1999.

Have a ground meat patty, Sphinx. You deserve it!
posted by five fresh fish at 7:25 AM on April 6, 2010


White Toques FTW
posted by Mike Mongo at 7:26 AM on April 6, 2010


Have to concur with Sphinx on this one. FFF do you really believe that just 1,300 computers can hold 'all the important information'?

Your point about the unfair advantage of the Chinese in respect of Ford selling Volvo to Geely is unusual. Do you not think that most governments obtain information to give the 'upper hand' in significant commercial contracts? I am not saying it is pretty, but it is commonplace in negotiations.

And anyway, are not all of the headline pieces of information very small beer compared to what the combined Sigint facilities of the Echelon members (AUSCANZUKUS) retrieve on a daily basis?
posted by numberstation at 7:47 AM on April 6, 2010


do you really believe that just 1,300 computers can hold 'all the important information'?
They weren't trying to identify or even estimate the number of computers affected worldwide by botnets, and I'm sure you'll agree it's exponentially more than 1300.

Instead, the authors of the study were trying to describe the emerging threat posed by lax internet security: ease of social engineering, updating to the latest software, using ubiquitous tools such as Yahoo Mail and Twitter to host and coordinate attacks.

Another theme of the report (you need to first read the report before you can critique it) was that "hackers" or "spies" can leverage the decentralized nature of the Internet with ubiquitous web tools and web services, and there is no way to coordinate defences.

I might add that internet censorship was not mentioned in the report as a way to control threats.

Even in their own industry, internet security, there is no tradition of sharing information, which means they have limited resources to conduct studies.

That's why the 1300 computers are not the fucking point. Wouldn't you rather someone explain that there's a problem on the horizon, rather than describe something obvious?
posted by KokuRyu at 8:12 AM on April 6, 2010 [2 favorites]


KokuRyu: Easy tiger. The apparent 'problem on the horizon' is not helped by the seemingly undergraduate meanderings contained in this report. 'There is a real risk of a perfect storm in cyberspace erupting out of this vacuum that threatens to subvert cyberspace itself.' Sounds like a Russell Brand dialogue.

The issue is no doubt a reality, and yes, clearly the internet is going to bring about new challenges, but there is nothing new in any of this.

Obviously the difficulty in the desire for 'states to not tolerate or encourage mischievous networks' is that (as I alluded to) all major actors in the international arena do similar deeds as a matter of course. But hey, if you want to paint this as being a China-specific issue, knock yourself out.
posted by numberstation at 8:34 AM on April 6, 2010


There's nothing technically new here, the novel claim is this is organized activity by the Chinese government. Google already blew the lid off that story, since confirmed by pretty much every big tech company.

So is the Chinese government alone in doing focussed Internet espionage? Or do the US and European governments run botnets too? If not, why not?
posted by Nelson at 9:49 AM on April 6, 2010


I don't have specific intel but I'd be surprised if most of the following countries weren't at least researching if not operating active botnet espionage networks: Japan, Korea, Israel, India, Pakistan, Germany, France & Russia. I'm sure someone in DoD is researching it but I doubt we have anybody running one; just a feeling because we're kind of conservative in that area.
posted by scalefree at 10:29 AM on April 6, 2010


Conservative in that area? It's Microsoft and Intel that have put huge backdoors in your software and hardware. What's conservative about that?
posted by five fresh fish at 12:14 PM on April 6, 2010


Now I'm always up for a good conspiracy, but I've also seen inside the belly of the beast and I know it's not always that simple. Unless you listen to the conspiracy theorists, any holes found in Microsoft and Intel products are entirely accidental.

At one former employer of mine, an NSA contractor, it was part of the mythology that when the Pentium chip was being designed the NSA instructed Intel to add an instruction to the chipset in order to allow a certain type of secure computation that wouldn't be possible otherwise, something that we had suggested to the NSA. I just don't think they'd go to that length to secure an American product and then turn around and build a flaw into the same thing.

Now that's not to say they have any qualms about convincing foreign firms to put holes in their products. Anyone who's read the sordid story of Crypto AG knows that.
posted by scalefree at 4:44 PM on April 6, 2010

