Proactive IT Security
 

GhostNet - a real espionage network

2009-04-03 [Malware discussion, Privacy issues, Social engineering, Spreading mechanisms, Trends & predictions]

Introduction

This week started with significant media attention about a report dated 29 March from Information Warfare Monitor (Canada) titled Tracking GhostNet: Investigating a Cyber Espionage Network.

One of the reasons why this report received much media attention was that it showed that several computers owned by governments and international organizations were compromised. This includes several embassies world-wide and a NATO computer.

We will use this report as the basis for this week's security article.

Highlights from the report

In the first place the investigation was focused on alleged Chinese cyber spying against Tibetan institutions, particularly those with some kind of connection to Dalai Lama and his organizations.

The targets

However, a much more wide-spread network was discovered quite early in the investigation. In total 1 295 compromised computers in 103 different countries were discovered. One problem in such an investigation is of course to identify the owner of a compromised computer. The report therefore uses a three-level degree of confidence regarding identification. Among those with High confidence regarding ownership, one found computers belonging to (among several others):

  • Asian Development Bank (in two different countries)
  • Associated Press UK (in two different countries)
  • Deloitte & Touche (USA)
  • Embassy of India (in several different countries, including Germany, Italy and USA)
  • Embassy of Romania (in several different countries, including France, Finland and Norway)
  • Lots of other embassies all over the world
  • NATO (SHAPE headquarters)  in the Netherlands
  • The Prime Minister's Office in Laos

Techniques used

The investigation offers the following scenario regarding how the attack was carried out and GhostNet was used:

  1. An email is sent to a target.
    This email is a spear phishing attack, and uses personalized social engineering techniques to get the target to open an seemingly legitimate and relevant attachment.
  2. When the attachment is opened the computer is infected (by exploiting a software vulnerability) with a trojan.
  3. This trojan (usually one called gh0st RAT) connects to a server.
    Most of the servers that were discovered had IP addresses located in China, but locations elsewhere were also found.
  4. The servers that infected computers connect to, are used for
    • Controlling the infected computers by issuing commands to the infected computers. Such commands might be uploading sensitive documents or other information to computers in the GhostNet.
    • Downloading software with new malicious functionality to the compromised computers.
  5. There are two types of servers involved in the GhostNet - control servers and command servers. Their functionality are somewhat different, though also overlapping.

The list above is a short and simplified version of an infection scenario.
The investigation showed that the initially infected computer (item 1 in the list) could be used as a tool for infecting other computers in the network. The investigation also revealed other infection vectors than targeted emails, e.g. drive-by infection by visiting compromised web sites.

By whom?

Although it may be tempting to assume that someone closely associated with Chinese authorities was behind this attack, the report is by far conclusive regarding this. The report stresses cautiousness in rushing to judgements, as other explainations are possible, including purely profit motives by criminal organizations. The fact that a large part of malicious activity seems to originate from China, is in itself not particularly surprising, as China is the country with most Internet users.

The investigators behind the report point out that the Internet has lots of mechanisms available for those who want to hide their identity and/or origin. This is one of the major obstacles for stopping activities like those analyzed in the GhostNet report.

General observations and recommendations

The GhostNet report is an excellent example to study for those who are interested in details regarding how a systematic espionage system (against organizations and/or nations) can be set up and functioning. It would be wise to assume that there are several similar malicious networks already set up and in use, and more to be expected.

Malicious activity initiated by individuals, groups, and even nations, using specially crafted software and the Internet as their tools, have several advantages over someone using other instruments to accomplish the same end. To mention just a few:

  • The Internet-based tools are much cheaper and can normally be set up a lot easier and faster.
  • The Internet-based tools usually need less personnel.
  • The risk of being captured for each and every person directly involved, is probably less.
  • The risk of exposure for those responsible is probably less.

The GhostNet report has an observation, which seems obvious, but easy to forget to take into consideration: Developing countries are more exposed to criminal activity of the kind discussed here, than countries which have a longer history using computers. One of the reasons why is the fact that the general use of computers and computer technology is lower, which usually means that security considerations are less in focus. Legitimate software in general is relatively expensive, which makes it tempting to use pirated software - a security risk in itself - and often without support for security updates. And finally, investments in security soft- and hardware, and security expertise, may be seen as too expensive to be prioirtized.
These facts may tempt criminal elements to focus on targets in developing countries rather than more advanced targets computer-wise.

A targeted attack as the one investigated by those who wrote the GhostNet report is difficult to protect against. The software used will usually be created for a particular attack/purpose, and will therefore often not be detected by antivirus programs and other security products. Publicly available - or even unpublished - vulnerabilities in software may be utilized to get the malware into the targeted system. Sophisticated social engineering techniques can be set up to trick personnel in the target organization to install malware.

The protection techniques that should be deployed are mentioned numerous times. Among the most important are:

  • Ensure that the operating systems and applications are updated with the latest security patches as soon as possible.
  • Use security software on all systems in the organization. One insecure system may be the entry point to compromising the whole organization.
  • Educate the users to better understand social engineering techniques and how to protect oneself against such attacks.

An attempted conclusion

To conclude this article, we take the liberty of quoting the report that initiated this article. The authors write about the Significance of GhostNet in this way:

(...) What this study discovered is serious evidence that information security is an item requiring urgent attention at the highest levels. It demonstrates that the subterranean layers of cyberspace, about which most users are unaware, are domains of active reconnaissance, surveillance, and exploitation. Regardless of who or what is ultimately in control of GhostNet, its capabilities of exploitation and the strategic intelligence that can be harvested from it matter most. Indeed, although the Achilles’ heel of the GhostNet system allowed us to monitor and document its far-reaching network of infiltration, we can safely hypothesize that it is neither the first nor the only one of its kind.

(The bold is emphasized by this article's author)

More information

The complete GhostNet report can be read and downloaded from several places, including http://www.infowar-monitor.net/ghostnet (registration required for downloading).
It is a 50-plus pages report written in a language that is not too technical, and the report is highly recommended reading for those who want to understand how such a network is operated. The report also offers significant insight into the investigation techniques that may be used to reveal the network itself and those operating it, as well as problems involved in reaching firm conclusions.