GhostNet

GhostNet (simplified Chinese: 幽灵网; traditional Chinese: 幽靈網; pinyin: YōuLíngWǎng) is the name given by researchers at the Information Warfare Monitor to a large cyber-espionage operation discovered in March 2009. The operation is believed to be the work of an advanced persistent threat, that is, a group that conducts covert, long-running espionage without being detected. Its command-and-control infrastructure is based mainly in the People's Republic of China. GhostNet gained access to high-value political, economic, and media targets in 103 countries. Computer systems in embassies, foreign ministries, government offices, and Tibetan exile centres in India, London, and New York City were compromised.

Discovery

GhostNet was discovered and named after a 10-month investigation by the Infowar Monitor (IWM). The investigation began after IWM researchers approached the Dalai Lama's representative in Geneva amid suspicions that the office's computer network had been infiltrated. The IWM is composed of researchers from The SecDev Group, a Canadian consulting firm, and the Citizen Lab at the University of Toronto's Munk School of Global Affairs. Their findings were published in Infowar Monitor, a publication affiliated with the IWM.

Researchers from the University of Cambridge's Computer Laboratory, supported by the Institute for Information Infrastructure Protection, also contributed to the investigation in Dharamshala, the seat of the Tibetan government-in-exile. The discovery of GhostNet and details of its activities were reported by The New York Times on March 29, 2009. Investigators initially focused on allegations that China was conducting cyber-espionage against the Tibetan exile community, for example by stealing emails and other data.

Compromised systems were found in the embassies of India, South Korea, Indonesia, Romania, Cyprus, Malta, Thailand, Taiwan, Portugal, Germany, and Pakistan, as well as in the office of the Prime Minister of Laos. The foreign ministries of Iran, Bangladesh, Latvia, Indonesia, the Philippines, Brunei, Barbados, and Bhutan were also targeted. No evidence was found that U.S. or U.K. government offices had been compromised, although a NATO computer was monitored for half a day and the computers of the Indian embassy in Washington, D.C., were compromised.

Since its discovery, GhostNet has attacked other government networks, including Canadian financial departments in early 2011, forcing them offline. Governments commonly do not acknowledge such attacks, which must instead be verified by official but anonymous sources.

Technical functionality

Emails are sent to targeted organizations and carry content that appears relevant to the recipient. Attached to them are malicious files which, when opened, install a hidden program known as a Trojan on the computer. The Trojan connects to a remote command server, often located in China, to receive instructions, and the infected computer then carries out the commands the server sends. Sometimes these commands direct the computer to download and install a further Trojan, Gh0st RAT, which gives attackers full, real-time control of computers running Microsoft Windows. Attackers can then view the screen, record audio, or switch on the computer's camera and microphone to watch and listen to activity around the infected device.
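The behaviour just described leaves a network footprint a defender can look for: an infected host contacting one remote server at regular, timer-driven intervals, followed at some point by a single unusually large response when a second-stage Trojan is pulled down. The following Python script is an added example, not code from the GhostNet report or from the IWM; the log format, host names (`c2.example.invalid` and so on), IP addresses, timestamps, and the thresholds are all constructed assumptions for the illustration.

```python
"""Added example (not from the GhostNet report or the IWM): a small beacon
detector for the check-in pattern described above. All hosts, addresses,
timestamps and the log format are constructed for this illustration."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, median, pstdev

# Constructed outbound-connection log:
#   "<timestamp> <src_ip> <dst_host> <bytes_out> <bytes_in>"
# 10.0.0.17 checks in with c2.example.invalid every ~5 minutes; the final
# check-in returns a 2 MiB response, modelling the second-stage download.
# 10.0.0.23 reads mail at irregular, human-looking intervals.
SAMPLE_LOG = """\
2009-03-01T09:00:00 10.0.0.17 c2.example.invalid 412 88
2009-03-01T09:00:03 10.0.0.17 news.example.invalid 1203 54210
2009-03-01T09:05:01 10.0.0.17 c2.example.invalid 410 92
2009-03-01T09:07:44 10.0.0.23 mail.example.invalid 800 1500
2009-03-01T09:10:02 10.0.0.17 c2.example.invalid 413 90
2009-03-01T09:15:00 10.0.0.17 c2.example.invalid 411 86
2009-03-01T09:20:01 10.0.0.17 c2.example.invalid 412 91
2009-03-01T09:25:02 10.0.0.17 c2.example.invalid 409 2097152
2009-03-01T09:26:30 10.0.0.23 mail.example.invalid 790 1440
2009-03-01T09:41:12 10.0.0.23 mail.example.invalid 805 1510
"""


def parse_log(text):
    """Parse log lines into dicts; malformed lines are skipped, not fatal."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, src, dst, out_b, in_b = parts
        try:
            records.append({
                "time": datetime.fromisoformat(ts),
                "src": src,
                "dst": dst,
                "bytes_out": int(out_b),
                "bytes_in": int(in_b),
            })
        except ValueError:
            continue
    return records


def find_beacons(records, min_hits=5, max_jitter=0.1, stage_two_ratio=100):
    """Flag (src, dst) pairs whose connection intervals are suspiciously regular.

    jitter is the coefficient of variation of the gaps between connections:
    human browsing produces large jitter, a timer-driven implant very little.
    One response far larger than the pair's median response is reported
    separately as a possible second-stage download.
    """
    by_pair = defaultdict(list)
    for r in records:
        by_pair[(r["src"], r["dst"])].append(r)

    alerts = []
    for (src, dst), hits in by_pair.items():
        if len(hits) < min_hits:
            continue
        hits.sort(key=lambda r: r["time"])
        gaps = [(b["time"] - a["time"]).total_seconds()
                for a, b in zip(hits, hits[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        jitter = pstdev(gaps) / avg
        if jitter > max_jitter:
            continue
        sizes = [r["bytes_in"] for r in hits]
        alerts.append({
            "src": src,
            "dst": dst,
            "hits": len(hits),
            "mean_interval": avg,
            "jitter": jitter,
            "stage_two_download": max(sizes) > stage_two_ratio * median(sizes),
        })
    return alerts


if __name__ == "__main__":
    for a in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"{a['src']} -> {a['dst']}: {a['hits']} check-ins every "
              f"{a['mean_interval']:.0f}s (jitter {a['jitter']:.3f}), "
              f"second-stage download: {a['stage_two_download']}")
```

Run against the constructed log, only the `10.0.0.17 -> c2.example.invalid` pair is reported: six check-ins about 300 seconds apart with near-zero jitter, plus one response roughly 20,000 times larger than the median. The mail traffic from `10.0.0.23` has too few connections and too much variation to qualify. Real implants often add deliberate jitter to their check-in timers, so `max_jitter` is a tunable that needs to be set against a baseline of the monitored network rather than taken as a fixed value.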

Origin

Researchers from the IWM stated that they could not conclude whether the Chinese government was responsible for the spy network. However, a report from the University of Cambridge indicates that its authors believe the Chinese government is behind the intrusions they analysed at the Office of the Dalai Lama.

Researchers also noted that GhostNet might have been an operation run by private citizens in China for profit or patriotism, or created by intelligence agencies from other countries, such as Russia or the United States. The Chinese government has stated that China "strictly forbids any cyber crime."

The "GhostNet Report" describes several unrelated infections at Tibetan-related organizations in addition to the GhostNet infections. Using email addresses from the IWM report, Scott J. Henderson traced one of the operators of a non-GhostNet infection to Chengdu. He identified the hacker as a 27-year-old man who had attended the University of Electronic Science and Technology of China and is now connected with the Chinese hacker underground.

Although there is no clear proof that the Chinese government is responsible for break-ins targeting Tibetan-related groups, researchers at Cambridge found actions by Chinese government officials that matched information obtained through computer break-ins. One example involved a diplomat who was pressured by Beijing after receiving an email invitation to meet with the Dalai Lama from his representatives.

Another example involved a Tibetan woman who was questioned by Chinese intelligence officers and shown transcripts of her online conversations. Other explanations for this event are possible. Drelwa uses QQ and other instant messengers to communicate with Chinese internet users. In 2008, IWM found that TOM-Skype, the Chinese version of Skype, was recording and storing text messages between users. It is possible that Chinese authorities obtained the chat transcripts through these methods.

IWM researchers also found that when GhostNet was detected, it was consistently controlled from IP addresses located on the island of Hainan, China. They noted that Hainan is home to the Lingshui signals intelligence facility and the Third Technical Department of the People's Liberation Army. Additionally, one of GhostNet's four control servers has been identified as a government server.
