All about Chinese Cyber Spying

In what may be one of the biggest cyber espionage incidents uncovered so far, computer systems in as many as 103 countries, including the Indian embassy in Washington, have been compromised. Over the past two years, the vast electronic spying operation, traced largely to China, has infiltrated at least 1,295 computers and stolen hundreds of sensitive government documents from around the world.

The operation was uncovered by a group of researchers at the University of Toronto-based Munk Centre for International Studies.

Here is what is known about the operation, which appears to be part of a growing wave of cyber warfare attacks.

Biggest-ever
The spying operation is by far the largest to come to light in terms of countries affected. This is also believed to be the first time researchers have been able to expose the workings of a computer system used in an intrusion of this magnitude.

The Ghost behind
The spying system, dubbed GhostNet, used malware to penetrate PCs, conduct covert monitoring and steal files. GhostNet was focused on the governments of South Asian and Southeast Asian countries. The network traces back to four control servers: three located in China and one in Southern California.

GhostNet is capable of taking full control of infected computers, including searching for and downloading specific files. Infections date back to 2007; the implanted software gave the attackers real-time control of the compromised machines.

Targets
Computer systems in 103 countries, including the Indian embassy in Washington, the Dalai Lama's offices and Tibetan exile centres, were the prime targets. The Canadian researchers found that computer networks at the foreign ministries of Bhutan, Bangladesh, Latvia, Indonesia, Iran and the Philippines had been hacked.

Some of the most extensive evidence uncovered related to the computers used by the office of the Dalai Lama and the exiled Tibetan government, which is based in the Indian Himalayan town of Dharamsala.

"We uncovered real-time evidence of malware that had penetrated Tibetan computer systems, extracting sensitive documents from the private office of the Dalai Lama," said Greg Walton, a researcher based at the University of Toronto.

Other targets included the ministry of foreign affairs of Iran; the embassies of India, South Korea, Indonesia, Thailand, Taiwan, Portugal, Germany and Pakistan; the ASEAN Secretariat; the Asian Development Bank; news organizations; and an unclassified computer located at NATO headquarters.

Modus operandi
Infection reportedly happened in two ways. In the first, targets received emails carrying malicious attachments; once an attachment was opened, the malware let the attackers operate the host computer, including moving files and sending and receiving data. In the second, the user clicked a web link in an email message and was taken directly to a poisoned website that delivered the malware.
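The two delivery paths described above, a lure attachment and a link to a poisoned site, are exactly what a first-line triage of a suspect message has to surface. The Python script below is an added example written for this page, not code from the GhostNet researchers or the Information Warfare Monitor report. It parses a constructed message (the addresses, hostnames and attachment contents are invented for illustration, and the extension lists are assumptions, not taken from the report) and flags an executable disguised as a PDF together with a link whose visible URL does not match its real destination.

```python
"""Triage of a suspected lure email: enumerate attachments and embedded links.

Added example. The sample message and the extension lists below are
constructed/assumed for illustration, not derived from the GhostNet report.
"""
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed (non-exhaustive) extension groups used to score attachment names.
EXECUTABLE_EXT = {"exe", "scr", "pif", "com", "bat", "cmd", "js", "vbs", "lnk", "chm", "hta"}
DOCUMENT_EXT = {"doc", "xls", "ppt", "pdf", "rtf", "docx", "xlsx", "pptx"}
ARCHIVE_EXT = {"zip", "rar"}

# Constructed sample: an HTML body with a disguised link plus a PE file named like a PDF.
SAMPLE_EML = b"""\
From: "Conference Secretariat" <secretariat@example.org>
To: attache@example.net
Subject: Invitation to a meeting
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<html><body><p>Please see the programme at
<a href="http://198.51.100.7/invite/index.html">http://www.secretariat.example.org/programme</a>
and confirm your attendance.</p></body></html>
--b1
Content-Type: application/octet-stream; name="Invitation.pdf.exe"
Content-Disposition: attachment; filename="Invitation.pdf.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
--b1--
"""


class _AnchorCollector(HTMLParser):
    """Collects (href, visible text) pairs from <a> tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    return (urlparse(url).hostname or "").lower()


def classify_attachment(filename, content):
    """Return the reasons an attachment looks like a lure (empty list if none)."""
    reasons = []
    parts = filename.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    if ext in EXECUTABLE_EXT:
        reasons.append(f"executable extension .{ext}")
        if len(parts) > 2 and parts[-2] in DOCUMENT_EXT:
            reasons.append(f"disguised as .{parts[-2]} document")  # double extension
    elif ext in DOCUMENT_EXT:
        reasons.append("document type commonly used to carry exploits")
    elif ext in ARCHIVE_EXT:
        reasons.append("archive; inspect contents")
    # Check the bytes, not just the name: a Windows PE file starts with "MZ".
    if isinstance(content, bytes) and content[:2] == b"MZ":
        reasons.append("payload has a PE (MZ) header")
    return reasons


def classify_link(href, text):
    """Return the reasons a link looks deceptive (empty list if none)."""
    reasons = []
    dest_host = _host(href)
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", dest_host):
        reasons.append("destination is a bare IP address")
    # If the anchor text itself looks like a URL, its host must match the real one.
    if re.fullmatch(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", text, re.I):
        shown = text if text.lower().startswith(("http://", "https://")) else "http://" + text
        if _host(shown) != dest_host:
            reasons.append("visible URL host differs from real destination")
    return reasons


def triage_message(raw):
    """Parse a raw RFC 5322 message and report suspicious attachments and links."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    report = {"subject": str(msg["subject"]), "attachments": [], "links": []}
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        report["attachments"].append(
            {"filename": name, "reasons": classify_attachment(name, part.get_content())})
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = _AnchorCollector()
        collector.feed(body.get_content())
        for href, text in collector.links:
            report["links"].append({"href": href, "text": text, "reasons": classify_link(href, text)})
    report["suspicious"] = any(a["reasons"] for a in report["attachments"]) or any(
        l["reasons"] for l in report["links"])
    return report


if __name__ == "__main__":
    for key, items in triage_message(SAMPLE_EML).items():
        print(key, "=>", items)
```

The name-based checks are deliberately paired with a content check (the MZ header), because a lure that renames an executable to look like a document defeats the name check alone; likewise the link check compares hosts rather than whole URLs, so a benign tracking redirect on the same domain is not flagged while a visible `example.org` pointing at a raw IP is.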

Hackers could turn on an infected computer's camera and microphone, creating a surveillance bug that could record any conversation within range.

Damage
The Dalai Lama's personal office was among those 'conclusively compromised', giving attackers access to sensitive information. After the Dalai Lama's office emailed an invitation to a foreign diplomat, the Chinese government contacted the diplomat to discourage the visit.

In another case, a woman working for a group that arranged Internet contacts between Tibetan exiles and Chinese citizens was stopped by Chinese intelligence officers on her way back to Tibet, shown transcripts of her online conversations and warned to stop her political activities.

Targets in Britain included the Indian High Commission, Associated Press news agency and International Chamber of Shipping. "The computers of diplomats, military attaches, secretaries to prime ministers, journalists and others are under the concealed control of unknown assailants," said Canada's Information Warfare Monitor group.

"Almost certainly, documents are being removed without the targets' knowledge and webcams silently triggered."

Chinese government hand
Though no direct connection has been found between the spy network and the Chinese government, the research group said its analysis points to China as the main source of the network. The investigators have not, however, been able to conclusively establish the identity or motivation of the hackers.

What the researchers do have is circumstantial evidence. "The evidence that we have shows that the majority of the control servers were located in China. The interface to controlling the infected hosts on these servers in China was in Chinese. And the remote Trojan favoured by the attackers is a Trojan coded by Chinese hackers," says Nart Villeneuve, a white hat hacker.

One of the four servers, located on Hainan Island, was also traced back to a Chinese government server. Beijing has reportedly denied any involvement in the cyber spy ring and dismissed the investigation's findings.

The crack
The 10-month investigation began after the Toronto researchers were asked by the Dalai Lama's offices to examine their computers. Officials had become concerned that communications were being intercepted. The researchers found that the computers had been infected with malicious software. That discovery led them to a group of servers on Hainan Island, off China's southern coast.

Other servers they tracked were based in China's Xinjiang Uyghur autonomous region, where intelligence units dealing with Tibetan independence groups are based.