In a report released earlier this month, the Canada-based Information Warfare Monitor and the Shadowserver Foundation warned of an ongoing, large-scale cyber espionage operation run from China against several countries, among them India and Pakistan. The warning appears in the report "Shadows in the Cloud: An investigation into cyber espionage 2.0".
The study uncovered a complex cyber espionage ecosystem that systematically targeted computer systems throughout the world, belonging to governments, individuals, and non-state and international organizations, among them the Offices of the Dalai Lama, the United Nations, Indian government officials and Pakistani embassies. In the course of the investigation the group recovered thousands of official documents that the attackers had harvested from compromised computers and exfiltrated over the internet.
A Small Piece of a Big Pie
"This is just a small piece of a very big pie," said Steven Adair, a security researcher with the Shadowserver Foundation. "This is a problem that goes well beyond those detailed in this report and affects organizations and missions of all sizes all over the globe." According to the researchers, the attackers went after specific sensitive and classified material on government, business, academic and other computer networks, and on politically sensitive targets, by deploying malware on the victims' machines. This malware systematically searched the files stored on the targeted computers and sent the harvested data over the web to core servers located in the People's Republic of China (PRC).
Among the documents recovered by the researchers was encrypted diplomatic correspondence marked "SECRET", "RESTRICTED" and "CONFIDENTIAL", identified as belonging to the Indian government. The researchers note that some of these files may have been exposed unintentionally: their owners had copied them to non-secure computers without knowing that material on those PCs was being harvested. Such material includes information originated by the user of that PC as well as documents received from trusted partners, who were unaware that data they had shared with a secure counterpart had been compromised.
Although the identity and motivation of the attackers remain unknown, the report provides evidence that the attackers operated or staged their operations from Chengdu, PRC. Although the links to China are clear, Nart Villeneuve, Chief Security Officer at the SecDev Group, does not attribute the scheme to official Chinese espionage: "There is no direct evidence linking these attacks to the Chinese government. We look forward to working with China CERT to shut down this malware network."
The Shadow network maintained persistent control over its victims through legitimate service providers that were unaware of the scheme they were assisting. The infrastructure was built from multiple, redundant cloud computing systems, social networking platforms and free web hosting services. The attackers used freely available social media services, including Twitter, Google Groups, Blogspot, Baidu Blogs, blog.com and Yahoo! Mail, as the command-and-control infrastructure for the operation, leveraging these cloud-based services to build a tiered command-and-control hierarchy and to keep control of the whole network. Posts and messages on these services, disguised as innocuous user activity, directed compromised computers to accounts on free web hosting services; when those accounts were disabled, the compromised computers were redirected to a stable core of command-and-control servers located in the PRC.
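The tiered design described above has a defensive consequence: a compromised host has to keep polling a public service on a timer to learn its next hop, and that regular polling of a blog, feed or webmail URL is visible in web proxy logs even though every individual request looks legitimate. The following is an added example (not code from the report or from the Information Warfare Monitor) of a simple beacon detector: it groups proxy requests by client and destination, and flags pairs whose inter-request intervals are nearly constant. The log format, the client addresses, the timestamps and the list of watched domains are all constructed for this example and are assumptions, not data from the report.

```python
"""Flag hosts that poll social-media or free-hosting services on a fixed timer.

Added illustration, not code from the Shadows in the Cloud report. The proxy
log format, hostnames, client addresses and timestamps below are constructed.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
from urllib.parse import urlparse

# Services of the kind the report says were used as C2 relays (assumed list;
# in practice this would be drawn from a local allow-list or threat intel).
WATCHED_DOMAINS = (
    "twitter.com", "groups.google.com", "blogspot.com", "blog.com", "mail.yahoo.com",
)

# Constructed proxy lines: "<iso-timestamp> <client-ip> <method> <url>".
# 10.1.1.5 polls one Google Group feed every ~300 s (beacon-like);
# 10.1.1.9 visits Twitter at irregular, human-looking intervals.
SAMPLE_LOG = """\
2010-04-06T09:00:00 10.1.1.5 GET http://groups.google.com/group/xy7/feed
2010-04-06T09:00:02 10.1.1.5 GET http://www.google.com/search?q=budget
2010-04-06T09:05:01 10.1.1.5 GET http://groups.google.com/group/xy7/feed
2010-04-06T09:10:00 10.1.1.5 GET http://groups.google.com/group/xy7/feed
2010-04-06T09:15:02 10.1.1.5 GET http://groups.google.com/group/xy7/feed
2010-04-06T09:20:01 10.1.1.5 GET http://groups.google.com/group/xy7/feed
2010-04-06T09:25:00 10.1.1.5 GET http://groups.google.com/group/xy7/feed
2010-04-06T09:01:13 10.1.1.9 GET http://twitter.com/home
2010-04-06T09:48:40 10.1.1.9 GET http://twitter.com/home
2010-04-06T10:02:05 10.1.1.9 GET http://twitter.com/home
2010-04-06T10:03:11 10.1.1.9 GET http://twitter.com/home
2010-04-06T11:30:59 10.1.1.9 GET http://twitter.com/home
2010-04-06T12:40:02 10.1.1.9 GET http://twitter.com/home
"""


def parse_line(line):
    """Split one constructed proxy line into (timestamp, client, hostname)."""
    ts, client, _method, url = line.split()
    return datetime.fromisoformat(ts), client, urlparse(url).hostname


def is_watched(host):
    """True if host is one of the watched services or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in WATCHED_DOMAINS)


def find_beacons(log_text, min_hits=5, max_cv=0.1):
    """Return (client, host) pairs that poll a watched service on a steady timer.

    A pair is reported when it has at least min_hits requests and the
    coefficient of variation (stdev / mean) of the gaps between requests is
    at most max_cv, i.e. the gaps are nearly constant.
    """
    hits = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, host = parse_line(line)
        if host and is_watched(host):
            hits[(client, host)].append(ts)

    findings = []
    for (client, host), stamps in hits.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()  # log lines need not arrive in time order
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg else float("inf")
        if cv <= max_cv:
            findings.append({
                "client": client,
                "host": host,
                "hits": len(stamps),
                "period_s": round(avg),
                "cv": round(cv, 3),
            })
    return findings


if __name__ == "__main__":
    for f in find_beacons(SAMPLE_LOG):
        print(f"{f['client']} polls {f['host']} every ~{f['period_s']}s "
              f"({f['hits']} hits, cv={f['cv']})")
```

On the constructed log this reports only 10.1.1.5, which fetches the same group feed every five minutes with a second or two of drift; the Twitter visits from 10.1.1.9 are spread over minutes to hours and are not reported. Periodicity alone is a triage signal rather than proof: legitimate feed readers and mail clients also poll on timers, so a hit should be followed up by looking at what the client fetched and whether it then contacted a free-hosting account or an unfamiliar server, which is the next tier the report describes.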
“The Shadow report shows that the social media clouds of cyberspace we rely upon today have a dark, hidden core” warns Ron Deibert, Director of the Citizen Lab at the Munk School of Global Affairs, University of Toronto. “There is a vast, subterranean ecosystem to cyberspace, within which criminal and espionage networks thrive. The Shadow network we uncovered was able to reach into the upper echelon of the Indian national security establishment, as well as many other institutions, and extract sensitive information from unwitting victims. Networks such as these thrive because of a vacuum at the global level. Governments are engaged in a competitive arms race in cyberspace, which prevents cooperation on global cyber security.”
A Wake Up Call
The Shadow report should serve as a wake-up call to governments to establish cyber security strategies and to adopt foreign and security policies that address cybersecurity challenges. Unless governments take action, Deibert warned, we may find that we are the next victim of the Shadows and GhostNets of cyberspace.
“Cyber espionage has gone industrial” warns Rafal Rohozinski, CEO of the SecDev Group and Psiphon Inc., and the co-founder and principal investigator of the OpenNet Initiative and Information Warfare Monitor, and a senior research advisor at the Citizen Lab, Munk School of Global Affairs, University of Toronto. “We are witnessing cloud-based techniques and tradecraft from cybercrime being repurposed to target government systems and computers belonging to officials entrusted with state or commercial secrets.”
Whether the attackers are working for state agencies or freelancing and selling stolen data or tradecraft on the global gray market, the report is a clear wake-up call that advanced persistent threats are very real and require measured international action. "First and foremost, we need an agreement on the norms that should govern cyberspace similar to the treaties we presently have for outer space, the sea or other domains where we have international agreements," Rohozinski added. "We must take care to preserve the openness of the global commons without precipitating an overreaction that could diminish or even roll back the very real gains in knowledge, empowerment and democratization that cyberspace has catalyzed over the last 20 years. We must balance the need to create policies and practices appropriate to information security in a global networked age, while preventing unnecessary overreaction to what we fear as the dark side of the net."
About the Researcher Collaboration:
This investigation is the result of a collaboration between the Information Warfare Monitor and the Shadowserver Foundation. The Information Warfare Monitor (infowar-monitor.net) is a joint activity of the Citizen Lab, Munk School of Global Affairs, University of Toronto, and the SecDev Group, an operational consultancy based in Ottawa specialising in evidence-based research in countries and regions under threat of insecurity and violence. The Shadowserver Foundation (shadowserver.org) was established in 2004 and is made up of volunteer security professionals who investigate and monitor malware, botnets and malicious attacks. Both the Information Warfare Monitor and the Shadowserver Foundation aim to inform the field of cyber security through accurate, evidence-based assessments and investigations.