Ghostnet Revisited: A Disturbing Canadian Report on Cyber Espionage

Almost exactly one year ago, E-TIPS® reported the discovery by Canadian researchers at the Munk School of Global Affairs at the University of Toronto of an international electronic spy network dubbed “Ghostnet” (“Ghostnet Electronic Spying Links Canada, China and Tibet” Vol 7 No 20, April 8, 2009). Building on that earlier research, and based on collaboration between the Information Warfare Monitor and the Shadowserver Foundation, a new report (2010 Report) on the same general topic, Shadows in the Cloud: Investigating Cyber Espionage 2.0, was released on April 6, 2010. The 2010 Report claims a malware ecosystem has been created and employed “which [has] leveraged multiple redundant cloud computing systems, social networking platforms, and free web hosting services in order to maintain persistent control while operating core servers located in the PRC”. In the Summary of Main Findings in the 2010 Report, the authors list several institutions and organizations that have been compromised and the type of data involved, including passport and visa applications submitted to Indian diplomatic missions in Afghanistan. It is also claimed that the spy infrastructure made use of social media systems including Twitter, Google Groups, Blogspot, Baidu Blogs, blog.com and Yahoo! Mail. An interesting aspect of the 2010 Report is its claim that, unlike the research undertaken for the 2009 report, during the current research activities the authors were able to recover a significant volume of stolen documents, “some of which are highly sensitive, from a drop zone connected to one of the malware networks under observation”. A full copy of the 58-page Report can be found on the web site of the University of Toronto at: http://www.utoronto.ca/mcis/pdf/shadows-in-the-cloud-web.pdf Newspaper reports appear in the April 6, 2010 issue of The Globe and Mail: http://tinyurl.com/ya93pbs; http://tinyurl.com/yl9c67v; and also in The New York Times Summary by: Richard Potter