Mercury Rising 鳯女

Politics, life, and other things that matter

China spy network

Posted by Charles II on March 28, 2009

Paul Harris, Guardian:

A mystery electronic spy network apparently based in China has infiltrated hundreds of computers around the world and stolen files and documents, Canadian researchers have revealed.

The network, dubbed GhostNet, appears to target embassies, media groups, NGOs, international organisations, government foreign ministries and the offices of the Dalai Lama, leader of the Tibetan exile movement. The researchers, based at Toronto University’s Munk Centre for International Studies, said their discovery had profound implications.

“This report serves as a wake-up call… these are major disruptive capabilities that the professional information security community, as well as policymakers, need to come to terms with rapidly,” said researchers Ron Deibert and Rafal Rohozinski.

After 10 months of study, the researchers concluded that GhostNet had invaded 1,295 computers in 103 countries, but it appeared to be most focused on countries in south Asia and south-east Asia, as well as the Dalai Lama’s offices in India, Brussels, London and New York. The network continues to infiltrate dozens of new computers each week.

Such a pattern, and the fact that the network seemed to be controlled from computers inside China, could suggest that GhostNet was set up or linked to Chinese government espionage agencies. However, the researchers were clear that they had not been able to identify who was behind the network, and said it could be run by private citizens in China or a different country altogether. A Chinese government spokesmen has denied any official involvement.

A massive network operating from within China without the government’s knowledge.

I don’t think so.

8 Responses to “China spy network”

  1. No kidding. The extreme interest in the Dalai Lama is the giveaway.

  2. Stormcrow said


    Plus the fact that the policy of the PRC of protecting its cybercrooks, with precisely this sort of operation in mind, is a very open secret.

    Two years ago, I listened to a presentation by the VP of a major information security firm. He talked about his personal visit to a malware shop in the PRC. Fixed dedicated premise, dedicated equipment.

    He was a foreigner, these guys were breaking every computer intrusion law on anybody’s books, and they took him for a guided tour.

    These people were doing this for a living, in a way that’d get them busted in seconds in the US. That point wasn’t lost by many in attendance.

  3. A-yup. Nobody wants to say openly that this is being done with the PRC’s blessing, both because a) we can’t stop them from doing it, and b) if we really tried to stop them, they’d stop buying our bonds.

  4. Stormcrow said

    I don’t think (b) is a real factor.

    The bonds market and the Chinese cybercrook militia are not tied together by PRC policy, to the best of my knowledge. And China has been very careful not to make threats about its holdings of American bonds.

    In order for them to escalate to that level, we’d have to something a lot more direct and damaging than simply harden our infrastructure to the point where successful attacks dwindled away to a level acceptably close to zero.

    That bond market is a two-edged sword. If they drop their support of our economy and it goes even further down the toilet than it is already, then they lose theirs too.

    What we have here is the economic equivalent of MAD, but unlike MAD, it’s self-enforcing.

    But (a) is a lead-pipe cinch.

    We’ve seen the evidence of that over and over and over. Nobody wants to admit their security sucks, especially DoD and the armed services, because security is their business.

    Every time something like this happens, they start screaming bloody murder about PRC espionage. But comments about our poor-to-nonexistent network security are conspicuous by their absence.

  5. The sad thing is that our security sucks by design. This is because a lot of businesses now depend on spam for their profit margins.

  6. Stormcrow said

    The sad thing is that our security sucks by design. This is because a lot of businesses now depend on spam for their profit margins.

    Where do you get that causal relationship?

    I’m afraid I have to disagree, strongly.

    Spam would never have been more than an annoyance, if SMTP had built-in non-repudiation and verifiable sourcing. As things stand, it is perfectly trivial to forge the source address since there is no way to verify it. And I do mean trivial.

    Some of the study materials I was reading in the late 90s took you through exactly how to do this. It doesn’t take any special magic.

    You can synthesize the entirety of a spam email message, including the forged and completely fictitious “From” address, using nothing more than a telnet connection to the SMTP relay server of your choice on port 25, your keyboard, and your wits.

    The only way to trace it would be through ISP log files, which you’d have to subpoena before they were overwritten. This raises the effective bar right through the roof. Especially if the first ISPs in the chain are in the territory of another sovereign nation which will promptly drop your subpoena into the roundfile upon receipt.

    This is what killed Usenet. Because the NNTP protocol is even more trivial to abuse. A couple of ambulance-chasing lawyers by the names of Canter and Siegel were the pioneers back in 1994, and their imitators were legion.

    The root cause flaw lies in the design of protocols which predated the spread of the Internet past a few universities and research labs. SMTP and NNTP were designed for friendly environments where nearly all the participants were trustworthy, not for environments where criminal psychopaths abound.

    We have also been through this with telnet and ftp. Don’t even get me started about those. I’ve seen that battle fought and lost too many times.

    Now we’ve finally gotten to the point where most default OS installs have those services turned off, and we have yet another generation of issues to deal with.

    This time, it’s insecure web apps, many of which are built on languages like PHP which have security histories longer than Dillinger’s. And we have ActiveX and Javascript, which can be and are imbedded in web pages in order to run unvetted executable code on your system. And most web pages now involve HTTP contacts not only with the site intended, but with 5 or 10 other sites, any one of which could host malicious mobile code.

    Firewalls don’t help with any of this, because any sane firewall configuration will permit incoming replies to permitted outbound requests from systems in the trusted network. You dial up a malicious web site on your browser, the exploit code is sent back to you on the same port 80 contact your browser initiated, and the firewall will pass the traffic on.

    The only ways to fix this are with proxy servers which filter return traffic at the trusted network perimeter, and with host-based anti-malware whose cost in system overhead keeps going up every year.

    I’ve already used and dumped two commercial anti-spyware apps because they hammered my own Windows systems so badly they amounted to a denial of service attack I was paying for and installing myself. I also went down this road with Symantec four years ago, and with Zone Alarm two years ago.

  7. Charles said

    Kaspersky has treated me pretty well, Stormcrow. There are occasional hinks and needless scares, but generally pretty good.

  8. Stormcrow said

    Yeah, I tried Kaspersky and it did not impose an overly heavy system load.

    But 8 or 9 years ago, I would have used the results of containment tests against known infectors as the principal figure of merit, rather than system overhead.

    These days, there are so many zero-day infectors that containment tests against known infectors are barely relevant any more. So automated defenses now pretty much have to be backed up by mother wit, and an attitude of “system compromise will happen sooner or later, so what then?”.

    There’s a profit motive in all this, but the guilty parties aren’t spammers per-se, they’re the entirety of an international and craft-specialized networked computer crime community. A community without the bosses and hierarchies and internal wars over control of rackets and territories that plagued the Mafia during Prohibition and later.

    The FBI has smartened up considerably over the last 10 years, they’re getting much better at infiltration, and they’re arresting and getting convictions. But containing this is like trying to stop the sea with a sieve.

Sorry, the comment form is closed at this time.

%d bloggers like this: