WASHINGTON—Computer security researchers in Canada have monitored a China-based cyber-spying organization over the last eight months, as the group attempted to steal sensitive information from foreign governments.
The researchers, from the Citizen Lab at the University of Toronto’s Munk Center and the Ottawa-based SecDev Group, said Tuesday in a joint report that while several documents were stolen from the Indian Defense Ministry, the hackers were unable to gain access to sensitive information stored on the computer system of the Tibetan government-in-exile.
Documents stolen from the Indian Defense Ministry included classified assessments of security in several Indian states, and confidential embassy documents about Indian international policy, the researchers said.
But the hacker group, referred to as the Shadow Network, succeeded only in retrieving a year’s worth of the Dalai Lama’s personal e-mail messages.
Greg Walton, a fellow at Citizen Lab, said that computers at the office of the Tibetan government-in-exile have been storing sensitive information offline following last year’s discovery of the Ghostnet hacking breach that was also traced back to servers in China.
“The correspondence that was exfiltrated—the e-mails that were stolen and taken back to servers in China—really wasn’t all that sensitive,” he said.
Walton added that the Dalai Lama, Tibet's exiled spiritual leader, had instructed his government to work with researchers to avoid future security compromises following last year's attacks.
“His Holiness has insisted throughout this process on transparency and provided access to independent academic researchers and scholars to perform a thorough and independent examination of his systems,” Walton said.
China-based attacks
The researchers said the Shadow Network attacks appear to have originated in China’s southwestern Sichuan province, and that given the sophistication of the spy ring and their targets, it is possible Beijing had given the hackers a green light to proceed.
Nart Villeneuve, a senior fellow at Citizen Lab, said researchers were able to trace e-mail addresses they discovered from the attacks back to “individuals associated with the underground hacking community in China.”
But he said that it remains unclear what relationship the Shadow Network has, if any, with the Chinese government.
“We did not find any hard evidence that links these attacks to the Chinese government. In fact, we’ve actually had very healthy cooperation with the Chinese CERT,” Villeneuve said, referring to China’s Computer Emergency Response Team.
“[They] are actively working to understand what we’ve uncovered and have indicated that they will work to deal with this botnet the way they deal with any other botnet, and that is to investigate it and to try to shut it down.”
Ye Lao, a propaganda official in the Sichuan capital of Chengdu, said the Chinese government played no role in the attacks, adding that Beijing considers hacking a serious social problem that must be eliminated.
Search engine giant Google claimed earlier this year that its China operations, and those of several other companies, had come under attack from hackers located within the country.
The researchers said China has recently become the source of many attacks because of lax security practices by local infrastructure providers, adding that there is growing evidence to suggest a number of hackers have moved to the country from countries including Russia and Ukraine to exploit this weakness.
False e-mails
The researchers explained that the Shadow Network was able to gain remote control of its victims’ computers by gaining the trust of e-mail recipients.
E-mails were sent containing URL links with newsworthy themes, or with specific information about the recipient gleaned from a previous attack.
Alternatively, Word documents, ZIP files, or PDF files would be sent as attachments in e-mails.
When the recipient clicks on a link or opens an attachment, a virus is activated that tries to exploit flaws in the software used to view it; if the user is running a version that lacks the necessary security update, the hacker can gain access to the system.
The virus then reports back to the hacker that the compromised computer can be remotely controlled and used to send files to external servers.
The system is similar to that used by Ghostnet servers, believed to be based on the southeastern Chinese island of Hainan, to steal documents from the Dalai Lama and governments and corporations in more than 100 countries last year.
Ron Deibert, director of Citizen Lab, said the scope of both attacks shows the need for a more effective international effort to study and combat cyberterrorism.
“We believe that there needs to be action taken at a global level to ensure that information between law enforcement, intelligence and researchers on investigations like this can make its way to the right parties,” he said.
“The fact of the matter is that in many developing countries, the dividing line between organized crime and the government is not clear … but we are eager to work with those parts of the Chinese government that want to try to solve this problem.”
Original reporting by Joshua Lipes. Edited by Sarah Jackson-Han.