As a result of some tremendous work done by researchers at the University of Toronto, we now know that there is an enormous network of compromised machines in more than 100 countries around the world, many of them in government agencies, embassies and other sensitive locations.
The network has its tentacles all over Asia, Europe and even had some small successes in the U.S. Dubbed GhostNet by the researchers, the network is really the first widely publicized online spying operation we’ve seen dragged into the sunlight. But it’s certainly not the only one in operation. It just happens to be the one these researchers unearthed.
At this point, we have to assume that most of the world’s advanced nations have spy networks like GhostNet up and running. The Toronto researchers noted that GhostNet had strong ties to China, but did not conclude that the Chinese government was involved in the network’s operations or funding. However, security experts say that there is no question that there are governments around the world involved in offensive online operations. These could run the gamut from simple surveillance and reconaissance operations to outright attacks against machines and networks in other countries.
That’s just the cost of doing business in today’s world. Whoever the GhostNet operators are, they’re using much the same tools as the run-of-the-mill phishers and identity thieves are. F-Secure officials said that the malware used in the operation looks to be modified versions of well-known remote administration tools Poison Ivy and Gh0st RAT. And the infection method involves the familiar and consistently effective malicious email or link that takes users to a compromised Web site. A click here, a click there and it’s lights out.
What’s captured the imagination of media outlets, regular Internet users and human rights organizations is the fact that the GhostNet appears to have infiltrated some computers belonging to the Dalai Lama. This has elicited a fair bit of outrage, and perhaps that’s to be expected. Spying on a religious figure just doesn’t sit well.
A pair of researchers from Cambridge University in the UK and the University of Illinois at Champaign-Urbana has produced a companion paper on this network, specifically analyzing the attack on the Dalai Lama’s office. In their paper, Ross Anderson and Shishir Nagaraja write that the attack on the Dalai Lama’s organization “used social phishing to install rootkits on a number of machines and then downloaded sensitive data.”
But aside from that tantalizing detail, GhostNet right now appears to be one more profesionally constructed and operated network, albeit one with outsized ambitions and perhaps some powerful backing.