
Cyber espionage

Shadows in the cloud; investigating China’s cyber espionage on India

 

Full text of the report at http://www.scribd.com/doc/29435784/SHADOWS-IN-THE-CLOUD-Investigating-Cyber-Espionage-2-0

 


 

Spying on Computer Spies Traces Data Theft to China

By JOHN MARKOFF and DAVID BARBOZA April 5, 2010, New York Times

 

TORONTO — Turning the tables on a China-based computer espionage gang, Canadian and United States computer security researchers have monitored a spying operation for the past eight months, observing while the intruders pilfered classified and restricted documents from the highest levels of the Indian Defense Ministry.

In a report issued Monday night, the researchers, based at the Munk School of Global Affairs at the University of Toronto, provide a detailed account of how a spy operation it called the Shadow Network systematically hacked into personal computers in government offices on several continents.

The Toronto spy hunters not only learned what kinds of material had been stolen, but were able to see some of the documents, including classified assessments about security in several Indian states, and confidential embassy documents about India’s relationships in West Africa, Russia and the Middle East. The intruders breached the systems of independent analysts, taking reports on several Indian missile systems. They also obtained a year’s worth of the Dalai Lama’s personal e-mail messages.

The intruders even stole documents related to the travel of NATO forces in Afghanistan, illustrating that even though the Indian government was the primary target of the attacks, one chink in computer security can leave many nations exposed.

“It’s not only that you’re only secure as the weakest link in your network,” said Rafal Rohozinski, a member of the Toronto team. “But in an interconnected world, you’re only as secure as the weakest link in the global chain of information.”

As recently as early March, the Indian communications minister, Sachin Pilot, told reporters that government networks had been attacked by China, but that “not one attempt has been successful.” But on March 24, the Toronto researchers said, they contacted intelligence officials in India and told them of the spy ring they had been tracking. They requested and were given instructions on how to dispose of the classified and restricted documents.

On Monday, Sitanshu Kar, a spokesman for the Indian Defense Ministry, said officials were “looking into” the report, but had no official statement.

The attacks look like the work of a criminal gang based in Sichuan Province, but as with all cyberattacks, it is easy to mask the true origin, the researchers said. Given the sophistication of the intruders and the targets of the operation, the researchers said, it is possible that the Chinese government approved of the spying.

When asked about the new report on Monday, a propaganda official in Sichuan’s capital, Chengdu, said “it’s ridiculous” to suggest that the Chinese government might have played a role. “The Chinese government considers hacking a cancer to the whole society,” said the official, Ye Lao. Tensions have risen between China and the United States this year after a statement by Google in January that it and dozens of other companies had been the victims of computer intrusions coming from China.

The spy operation appears to be different from the Internet intruders identified by Google and from a surveillance ring known as Ghostnet, also believed to be operating from China, which the Canadian researchers identified in March of last year. Ghostnet used computer servers based largely on the island of Hainan to steal documents from the Dalai Lama, the exiled Tibetan spiritual leader, and governments and corporations in more than 103 countries.

The Ghostnet investigation led the researchers to this second Internet spy operation, which is the subject of their new report, titled “Shadows in the Cloud: An Investigation Into Cyberespionage 2.0.” The new report shows that the India-focused spy ring made extensive use of Internet services like Twitter, Google Groups, Blogspot, blog.com, Baidu Blogs and Yahoo! Mail to automate the control of computers once they had been infected.

The Canadian researchers cooperated in their investigation with a volunteer group of security experts in the United States at the Shadowserver Foundation, which focuses on Internet criminal activity.

“This would definitely rank in the sophisticated range,” said Steven Adair, a security researcher with the group. “While we don’t know exactly who’s behind it, we know they selected their targets with great care.”

By gaining access to the control servers used by the second cyber gang, the researchers observed the theft of a wide range of material, including classified documents from the Indian government and reports taken from Indian military analysts and corporations, as well as documents from agencies of the United Nations and other governments.

“We snuck around behind the backs of the attackers and picked their pockets,” said Ronald J. Deibert, a political scientist who is director of the Citizen Lab, a cybersecurity research group at the Munk School. “I’ve not seen anything remotely close to the depth and the sensitivity of the documents that we’ve recovered.”

The researchers said the second spy ring was more sophisticated and difficult to detect than the Ghostnet operation.

By examining a series of e-mail addresses, the investigators traced the attacks to hackers who appeared to be based in Chengdu, which is home to a large population from neighboring Tibet. Researchers believe that one hacker used the code name “lost33” and that he may have been affiliated with the city’s prestigious University of Electronic Science and Technology. The university publishes books on computer hacking and offers courses in “network attack and defense technology” and “information conflict technology,” according to its Web site.

The People’s Liberation Army also operates a technical reconnaissance bureau in the city, and helps finance the university’s research on computer network defense. A university spokesman could not be reached Monday because of a national holiday.

The investigators linked the account of another hacker to a Chengdu resident whose name appeared to be Mr. Li. Reached by telephone on Monday, Mr. Li denied taking part in computer hacking. Mr. Li, who declined to give his full name, said he must have been confused with someone else. He said he knew little about hacking. “That is not me,” he said. “I’m a wine seller.”

The Canadian researchers stressed that while the new spy ring focused primarily on India, there were clear international ramifications. Mr. Rohozinski noted that civilians working for NATO and the reconstruction mission in Afghanistan usually traveled through India and that Indian government computers that issued visas had been compromised in both Kandahar and Kabul in Afghanistan.

“That is an operations security issue for both NATO and the International Security Assistance Force,” said Mr. Rohozinski, who is also chief executive of the SecDev Group, a Canadian computer security consulting and research firm.

The report notes that documents the researchers recovered were found with “Secret,” “Restricted” and “Confidential” notices. “These documents,” the report says, “contain sensitive information taken from a member of the National Security Council Secretariat concerning secret assessments of India’s security situation in the states of Assam, Manipur, Nagaland and Tripura, as well as concerning the Naxalites and Maoists,” two opposition groups.

Other documents included personal information about a member of the Indian Directorate General of Military Intelligence.

The researchers also found evidence that Indian Embassy computers in Kabul, Moscow and Dubai, United Arab Emirates, and at the High Commission of India in Abuja, Nigeria had been compromised.

Also compromised were computers used by the Indian Military Engineer Services in Bengdubi, Calcutta, Bangalore and Jalandhar; the 21 Mountain Artillery Brigade in Assam and three air force bases. Computers at two Indian military colleges were also taken over by the spy ring.

Even after eight months of watching the spy ring, the Toronto researchers said they could not determine exactly who was using the Chengdu computers to infiltrate the Indian government.

“But an important question to be entertained is whether the P.R.C. will take action to shut the Shadow Network down,” the report says, referring to the People’s Republic of China. “Doing so will help to address longstanding concerns that malware ecosystems are actively cultivated, or at the very least tolerated, by governments like the P.R.C. who stand to benefit from their exploits through the black and gray markets for information and data.”

John Markoff reported from Toronto, and David Barboza from Shanghai. Vikas Bajaj contributed reporting from Mumbai, India.

 

http://www.nytimes.com/2010/04/06/science/06cyber.html?hpw=&pagewanted=print

Cyber Espionage

China hacked Indian defence documents: report

The report, 'Shadows in the Cloud', said the intruders breached the systems of independent analysts, taking reports on several Indian missile systems. They also obtained a year’s worth of the Dalai Lama’s personal e-mail messages.

CMN Correspondent

Tuesday, April 06, 2010


TORONTO, CANADA: In an apparent threat to the Indian defence system, Chinese hackers have reportedly broken into top secret files of the Indian Defence Ministry and embassies around the world.

Citing a report, 'Shadows in the Cloud', The New York Times said the Canadian and American computer security researchers have monitored a Chinese spying operation for the past eight months, observing while the intruders pilfered classified and restricted documents from the highest levels of the Indian Defense Ministry.

In a report issued Monday night, the researchers, based at the Munk School of Global Affairs at the University of Toronto, provide a detailed account of how a spy operation it called the 'Shadow Network' systematically hacked into personal computers in government offices on several continents.

According to it, the “Toronto spy hunters not only learned what kinds of material had been stolen, but were able to see some of the documents, including classified assessments about security in several Indian states, and confidential embassy documents about India’s relationships in West Africa, Russia and the Middle East.”

The report said the intruders breached the systems of independent analysts, taking reports on several Indian missile systems. They also obtained a year’s worth of the Dalai Lama’s personal e-mail messages.

Recently, Minister of State for IT and Communications, Sachin Pilot had told reporters that government networks had been attacked by China, but that “not one attempt has been successful”.

But the latest report has apparently made the government press the panic button.

“On March 24, the Toronto researchers said, they contacted intelligence officials in India and told them of the spy ring they had been tracking. They requested and were given instructions on how to dispose of the classified and restricted documents,” the report added.

Though the attacks look like the work of a criminal gang based in Sichuan Province, as with all cyber attacks, it is easy to mask the true origin, the researchers said. Given the sophistication of the intruders and the targets of the operation, the researchers said, it is possible that the Chinese government approved of the spying.

The documents hacked by the criminals contain sensitive information taken from a member of the National Security Council Secretariat concerning secret assessments of India’s security situation in the states of Assam, Manipur, Nagaland and Tripura, as well as concerning the Naxalites and Maoists, according to NYT.

There was evidence that Indian Embassy computers in Kabul, Moscow and Dubai, United Arab Emirates, and at the High Commission of India in Abuja, Nigeria had been compromised, it added. 

Computers used by the Indian Military Engineer Services in Bengdubi, Calcutta, Bangalore and Jalandhar; the 21 Mountain Artillery Brigade in Assam and three air force bases were compromised, and computers at two Indian military colleges were also taken over by the spy ring, the NYT quoted the report as saying.

Is it that China is getting ready for a cyber war with India?

http://www.ciol.com/News/News/News-Reports/China-hacked-Indian-defence-documents-report/134358/0/

Chinese agents hack into India's secret documents: Report

PTI, Apr 6, 2010, 12.39pm IST

NEW YORK: Major Indian missile and armament systems may have been compromised as Chinese hackers have reportedly broken into top secret files of the Indian Defence Ministry and embassies around the world. 

Among the systems leaked out could be Shakti, the just introduced advanced artillery combat and control system of the Indian Army and the country's new mobile missile defence system called the Iron Dome. 

A new report called 'Shadows in the Cloud' by Canadian and American researchers based at the University of Toronto has said that a spy operation called 'Shadow Network' based out of China has tapped into top secret files of the Indian government.

In the investigations conducted over eight months, the report claimed that systematic cyber espionage was carried out from servers located in China that "compromised" government, business, academic and other computer network systems in India. 

The report finds that Indian government related entities, both in India and throughout the world, had been thoroughly compromised. 

These included computers at Indian embassies in Belgium, Serbia, Germany, Italy, Kuwait, the United States, Zimbabwe, and the High Commissions of India in Cyprus and the United Kingdom. 

"These include documents from the Offices of the Dalai Lama and agencies of the Indian national security establishment," the report said. 

"Data containing sensitive information on citizens of numerous third-party countries, as well as personal, financial, and business information, were also exfiltrated and recovered during the course of the investigation," it said. 

"Recovery and analysis of exfiltrated data, including one document that appears to be encrypted diplomatic correspondence, two documents marked "SECRET", six as "RESTRICTED", and five as "CONFIDENTIAL". These documents are identified as belonging to the Indian government," it added. 

These documents contain sensitive information taken from a member of the National Security Council Secretariat concerning secret assessments of India's security situation in the states of Assam, Manipur, Nagaland and Tripura, as well as concerning the Naxalites and Maoists. 

In addition, they contain confidential information taken from Indian embassies regarding India's international relations with and assessments of activities in West Africa, Russia/Commonwealth of Independent States and the Middle East, as well as visa applications, passport office circulars and diplomatic correspondence. 

However, the researchers note that there is no direct evidence that these were stolen from Indian government computers and they may have been compromised as a result of being copied onto personal computers. 

Recovered documents also included presentations relating to the following projects: Pechora Missile System - an anti-aircraft surface-to-air missile system, Iron Dome Missile System - a mobile missile defence system (Ratzlav-Katz 2010) and Project Shakti - an artillery combat command and control system (Frontier India 2009).

The report also finds that the spies also hacked into information on visa applications submitted to Indian diplomatic missions in Afghanistan. 

This data was voluntarily provided to the Indian missions by nationals of 13 countries as part of the regular visa application process. 

"In a context like Afghanistan, this finding points to the complex nature of the information security challenge where risks to individuals (or operational security) can occur as a result of a data compromise on secure systems operated by trusted partners," the report said. 

The investigation also said that 1,500 letters sent from the Dalai Lama's office between January and November 2009, were also leaked out. 

The researchers noted that while there was no clear insight into the motives of the spies, "the theme appears to involve topics that would likely be of interest to the Indian and Tibetan communities".

 

http://timesofindia.indiatimes.com/articleshow/5766129.cms?prtpage=1

 

Groundbreaking cyber espionage report to be released

TORONTO, April 5 /CNW/ - The Information Warfare Monitor (Citizen Lab, Munk School of Global Affairs, University of Toronto and the SecDev Group, Ottawa) and the Shadowserver Foundation announce the release of Shadows in the Cloud: An investigation into cyber espionage 2.0.

The report documents a complex ecosystem of cyber espionage that systematically targeted and compromised computer systems in India, the Offices of the Dalai Lama, the United Nations, and several other countries.

Members of the research team are holding a news conference at 11 a.m. on Tuesday, April 6, to discuss their latest findings and to answer questions from the media. The news conference will also be webcast live at:

http://hosting.epresence.tv/MUNK/1/live/148.aspx

A pdf of the full report can be downloaded at: http://shadows-in-the-cloud.net/

The news conference will be held at the Campbell Conference Facility, Munk Centre for International Studies, 1 Devonshire Place, Toronto, (416-946-8900).

NOTE: Reporters unable to attend the news conference may e-mail questions during the event to media.relations@utoronto.ca. The questions will be relayed to the panel for response.

The investigation recovered a large quantity of stolen documents - including sensitive and classified materials - belonging to government, business, academic, and other computer network systems and other politically sensitive targets. These include documents from agencies of the Indian national security establishment, and the Offices of the Dalai Lama. The stolen data included information voluntarily provided to Indian embassies and consulates by third-party nationals, including Canadian visa applications, as well as those belonging to citizens of other countries. Additionally, sensitive personal, financial, and business information belonging to Indian officials was systematically harvested and exfiltrated by the attackers.

The report analyzes the malware ecosystem employed by the Shadows' attackers. The system leveraged multiple redundant cloud computing systems, social networking platforms, and free web hosting services in order to maintain persistent control while operating core servers located in the People's Republic of China (PRC). Although the identity and motivation of the attackers remain unknown, the report provides evidence that the attackers operated or staged their operations from Chengdu, PRC.

Summary of main findings:

- Complex cyber espionage network - Documented evidence of a cyber espionage network that compromised government, business, and academic computer systems in India, the Office of the Dalai Lama, and the United Nations. Numerous other institutions, including the Embassy of Pakistan in the United States, were also compromised. Some of these institutions can be positively identified, while others cannot.

- Theft of classified and sensitive documents - Recovery and analysis of exfiltrated data, including one document that appears to be encrypted diplomatic correspondence, two documents marked "SECRET", six as "RESTRICTED", and five as "CONFIDENTIAL". These documents are identified as belonging to the Indian government. However, we do not have direct evidence that they were stolen from Indian government computers and they may have been compromised as a result of being copied by Indian officials onto personal computers. The recovered documents also include 1,500 letters sent from the Dalai Lama's office between January and November 2009. The profile of documents recovered suggests that the attackers targeted specific systems and profiles of users.

- Evidence of Collateral Compromise - A portion of the recovered data included visa applications submitted to Indian diplomatic missions in Afghanistan. This data was voluntarily provided to the Indian missions by nationals of 13 countries as part of the regular visa application process. In a context like Afghanistan, this finding points to the complex nature of the information security challenge where risks to individuals (or operational security) can occur as a result of a data compromise on secure systems operated by trusted partners.

- Command-and-control infrastructure that leverages cloud-based social media services - Documentation of a complex and tiered command and control infrastructure, designed to maintain persistence. The infrastructure made use of freely available social media systems that include Twitter, Google Groups, Blogspot, Baidu Blogs, blog.com and Yahoo! Mail. This top layer directed compromised computers to accounts on free web hosting services, and as the free hosting servers were disabled, to a stable core of command and control servers located in the PRC.

- Links to Chinese hacking community - Evidence of links between the Shadow network and two individuals living in Chengdu, PRC to the underground hacking community in the PRC.

About the Researcher Collaboration:

This investigation is a result of a collaboration between the Information Warfare Monitor and the Shadowserver Foundation. The Information Warfare Monitor (infowar-monitor.net) is a joint activity of the Citizen Lab, Munk School of Global Affairs, University of Toronto, and the SecDev Group, an operational consultancy based in Ottawa specialising in evidence-based research in countries and regions under threat of insecurity and violence.

The Shadowserver Foundation (shadowserver.org) was established in 2004 and is comprised of volunteer security professionals that investigate and monitor malware, botnets, and malicious attacks. Both the Information Warfare Monitor and the Shadowserver Foundation aim to inform the field of cyber security through accurate, evidence-based assessments and investigations.

Principal Investigators' Bio and Comments:

Steven Adair is a security researcher with the Shadowserver Foundation. He frequently analyzes malware, tracks botnets, and deals with cyber attacks of all kinds with a special emphasis on those linked to cyber espionage. "This report is a fascinating look at the activities of individuals involved in cyber espionage. It is unfortunately just a small piece of a very big pie. This is a problem that goes well beyond those detailed in this report and affects organizations and missions of all sizes all over the globe."

Ron Deibert is Director of the Citizen Lab at the Munk School of Global Affairs, University of Toronto. He is a co-founder and principal investigator of the OpenNet Initiative and Information Warfare Monitor. He is Vice President, Policy and Outreach, Psiphon Inc., and a principal with the SecDev Group. "It is often said that dark clouds have silver linings. What the Shadow report shows is that the social media clouds of cyberspace we rely upon today have a dark, hidden core. There is a vast, subterranean ecosystem to cyberspace within which criminal and espionage networks thrive. The Shadow network we uncovered was able to reach into the upper echelon of the Indian national security establishment, as well as many other institutions, and extract sensitive information from unwitting victims. Networks such as these thrive because of a vacuum at the global level. Governments are engaged in a competitive arms race in cyberspace, which prevents cooperation on global cyber security. For its part, the Canadian government has neither a domestic cyber security strategy nor a foreign policy for cyberspace. The Shadow report should offer a wakeup call that rectifies this situation, or we may find that we are the next victim of the Shadows and GhostNets of cyberspace."

Rafal Rohozinski is CEO of the SecDev Group and Psiphon Inc. He is a co-founder and principal investigator of the OpenNet Initiative and Information Warfare Monitor, and a senior research advisor at the Citizen Lab, Munk School of Global Affairs, University of Toronto. "Cyber espionage has gone industrial. We are witnessing cloud-based techniques and tradecraft from cybercrime being repurposed to target government systems and computers belonging to officials entrusted with state or commercial secrets. Whether the attackers are working for state agencies, or freelancing and selling stolen data or tradecraft on the global gray market - this report is a clear wake-up call that the threat of advanced persistent threats is very real and requires measured international action. First and foremost, we need an agreement on the norms that should govern cyberspace similar to the treaties we presently have for outer space, the sea or other domains where we have international agreements. We must take care to preserve the openness of the global commons without precipitating an overreaction that could diminish or even roll back the very real gains in knowledge, empowerment, and democratization that cyberspace has catalyzed over the last 20 years. We must balance the need to create policies and practices appropriate to information security in a global networked age, while preventing unnecessary overreaction to what we fear as the dark side of the net."

Nart Villeneuve is the Chief Security Officer at the SecDev Group, Director of Operations of Psiphon Inc. and a senior SecDev research fellow at the Citizen Lab at the Munk School of Global Affairs, University of Toronto where he focuses on electronic surveillance, targeted malware and politically motivated digital attacks. "There is no direct evidence linking these attacks to the Chinese government. We look forward to working with China CERT to shut down this malware network."

Greg Walton conducted and coordinated the primary field-based research for the Shadow investigation in His Holiness The Dalai Lama's Office and the Tibetan Government-in-Exile in Dharamsala, India. Greg is a SecDev Group associate and editor of the Information Warfare Monitor website. He is the SecDev Fellow at the Citizen Lab at the Munk School of Global Affairs, University of Toronto.

For further information: University of Toronto media relations, (416) 978-0100, media.relations@utoronto.ca

 

http://www.newswire.ca/en/releases/archive/April2010/05/c7845.html
