The Wall Street Journal and numerous other news outlets are reporting on security researchers’ statements (pdf) that “they have discovered software capable of stealing information installed on computers in 103 countries from a network that targeted government agencies.” Last year, the researchers from the Information Warfare Monitor began an extensive investigation into allegations of Chinese cyber espionage against the Tibetan community.
The researchers said (pdf):
During the second phase of our investigation, the data was analyzed, and led to the discovery of insecure, web-based interfaces to four control servers. These interfaces allow attacker(s) to send instructions to, and receive data from, compromised computers. Our research team successfully scouted these servers, revealing a wide-ranging network of compromised computers. This extensive network consists of at least 1,295 infected computers in 103 countries.
Significantly, close to 30% of the infected computers can be considered high-value and include the ministries of foreign affairs of Iran, Bangladesh, Latvia, Indonesia, Philippines, Brunei, Barbados and Bhutan; embassies of India, South Korea, Indonesia, Romania, Cyprus, Malta, Thailand, Taiwan, Portugal, Germany and Pakistan; the ASEAN (Association of Southeast Asian Nations) Secretariat, SAARC (South Asian Association for Regional Cooperation), and the Asian Development Bank; news organizations; and an unclassified computer located at NATO headquarters.
The GhostNet system directs infected computers to download a Trojan known as gh0st RAT that allows attackers to gain complete, real-time control. These instances of gh0st RAT are consistently controlled from commercial Internet access accounts located on the island of Hainan, People’s Republic of China.
Our investigation reveals that GhostNet is capable of taking full control of infected computers, including searching and downloading specific files, and covertly operating attached devices, including microphones and web cameras.
Another new report (pdf) on the cyber attacks on Tibetans was published Sunday by researchers at Cambridge. The Cambridge scholars said, “agents of the Chinese government compromised the computing infrastructure of the Office of His Holiness the Dalai Lama. They used social phishing to install rootkits on a number of machines and then downloaded sensitive data.” The scholars detail some steps nongovernmental organizations can take to protect their computer systems from outside attacks.