20100406/University of Toronto uncovers underground Chinese cyber-espionage group

Ming Pao / The University of Toronto's Munk Center for International Studies, working with the Ottawa network security company SecDev Group, has uncovered an underground cyber-espionage group based in Chengdu, China, after an eight-month investigation.

The group specifically targeted the Indian government and the Dalai Lama's office in India. Researchers found more than 700 documents stolen by the group, among them many "secret" and "restricted" documents from India's national security ministry, and many documents concerning Indian military strategy.

The recovered documents include, for example, material on India's diplomatic operations in Afghanistan, application materials that citizens of other countries, including Canadian citizens, had submitted to Indian embassies, and more than 1,500 e-mails from the Dalai Lama's office dated between January and November of last year.

Investigators said the group carried out the theft using a "malware ecosystem". The system used a large number of social media services, such as Twitter, Baidu blogs and Yahoo e-mail, to gain entry to victims' accounts, and from there took control of the victims' computers to steal secret documents.

Canadian researchers reveal online spy ring based in China

Espionage network is breaching servers of dozens of countries and groups and focusing on India and the Dalai Lama

Ron Deibert, director of the Citizen Lab at the Munk School of Global Affairs at the University of Toronto, Nart Villeneuve, chief security officer at SecDev Group, and Greg Walton, a fellow at the Munk School, were instrumental in uncovering a massive network of online espionage. Fred Lum/THE GLOBE AND MAIL

Grant Robertson

From Tuesday’s Globe and Mail
Published on Tuesday, Apr. 06, 2010 1:00AM EDT

Last updated on Tuesday, Apr. 06, 2010 9:54AM EDT

Canadian researchers have uncovered a vast “Shadow Network” of online espionage based in China that used seemingly harmless means such as e-mail and Twitter to extract highly sensitive data from computers around the world.

Stolen documents recovered in a year-long investigation show the hackers have breached the servers of dozens of countries and organizations, taking everything from top-secret files on missile systems in India to confidential visa applications, including those of Canadians travelling abroad.

The findings, which are part of a report that will be made public today in Toronto, will expose one of the biggest online spy rings ever cracked. Written by researchers at the University of Toronto’s Munk Centre for International Studies, the Ottawa-based security firm SecDev Group and a U.S. cyber sleuthing organization known as the Shadowserver Foundation, the report is expected to be controversial.

The researchers have found a global network of “botnets,” computers controlled remotely and made to report to servers in China. Along with those servers, the investigators located where the hackers stashed their stolen files, allowing a glimpse into what the spy ring is looking for.

“Essentially we went behind the backs of the attackers and picked their pockets,” said Ron Deibert, director of the Citizen Lab at the Munk School of Global Affairs, which investigated the spy ring.

The report, titled Shadows in the Cloud, comes one year after the same team discovered a spy ring with links to China that it dubbed GhostNet. Using information gleaned from that investigation, investigators followed a trail of websites that led to a much larger operation, also with links to China.

The report is careful not to conclude the Chinese government is behind the operation, since it is difficult to tell who is orchestrating the attacks. Last year, the Chinese government denied any involvement in GhostNet after the researchers uncovered nearly 1,300 infected computers in 103 countries linked to servers in China.

But computers belonging to the exiled Tibetan leader, the Dalai Lama, who is denounced by China, have been the most compromised.

Almost every e-mail sent to or from the Dalai Lama’s offices in 2009 has shown up in the files, the report says. Nearby India has also taken the brunt of the cyber attacks, with numerous secret government documents recovered by the Canadian researchers. They include 78 documents related to the financing of military projects in India, details of live fire exercises and missile projects, and two documents marked “secret” belonging to the national security council.

Sensitive data from 16 countries, such as visa applications by Canadian citizens, were also recovered. It is believed the hackers accessed those files through computers at India’s embassies in Kabul, Dubai, Nigeria and Moscow, which were corrupted.

Rafal Rohozinski, a principal of the SecDev Group and a principal investigator and co-author of the report, said such a collection of sensitive information represents a new era in online spying. A decade ago, hackers generally looked for quick paydays – for example, by blocking access to a gambling site and demanding a ransom. But the Shadow Network operation exposes much bigger game: information that, if it isn’t being collected by governments, could be sold to the state.

“It’s like the world of art theft, where you steal things that have a very high value, so long as you can find a buyer,” Mr. Rohozinski said.

“So the question of course is, who’s the buyer? Is the buyer paying the thief to go after this stuff, or is the thief doing it themselves because they know they can find a buyer? That’s one of those things that we don’t really have a good answer for.”

A small number of computers at the University of Western Ontario were also found to be connected to the network, and potentially used to surrender files, although it is not clear how they were affected. Similarly, computers at New York University and Kaunas University of Technology in Lithuania were also linked to the infected network.

The Shadow Network structure was ingenious for its simplicity. Command servers, which are used to issue instructions to computers – such as “send me all of your documents” – connected to victims through a variety of seemingly innocent networks such as Google groups, Yahoo e-mail and Twitter accounts. Those intermediaries were used to relay links or files to a recipient in a target organization. Once the user clicks on the link or opens an attachment in an infected e-mail, the computer relays a beacon to the command server, which instructs it to start sending files to a dump zone.
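The relay-and-beacon pattern described in this paragraph (and in the Ming Pao summary at the top of the page) leaves a footprint in outbound proxy logs that a defender can look for: a workstation fetching the same intermediary page at a near-constant interval, followed by unusually large uploads to a host it has never talked to. The Python script below is an added example, not code from the Shadows in the Cloud report or from the researchers. It runs a beaconing heuristic (coefficient of variation of the inter-request interval) and an upload-volume check over a handful of constructed log lines. The log format, the hostnames and the thresholds are assumptions chosen for illustration, not values from the investigation.

```python
"""Beacon and bulk-upload detection over constructed proxy log lines.

Assumed log format (an assumption for this example, not a real proxy's format):
    ISO-timestamp  client_ip  METHOD  host  bytes_out
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log, not real traffic. Host 10.0.0.7 polls an
# "intermediary" page every ~300 s (the beacon), then POSTs large payloads
# to a second host (the dump zone). Host 10.0.0.9 is ordinary browsing.
SAMPLE_LOG = """\
2010-03-01T09:00:00 10.0.0.7 GET groups.example-social.test 210
2010-03-01T09:05:01 10.0.0.7 GET groups.example-social.test 212
2010-03-01T09:10:02 10.0.0.7 GET groups.example-social.test 211
2010-03-01T09:15:00 10.0.0.7 GET groups.example-social.test 210
2010-03-01T09:20:01 10.0.0.7 GET groups.example-social.test 213
2010-03-01T09:21:10 10.0.0.7 POST dump.example-host.test 1048576
2010-03-01T09:23:45 10.0.0.7 POST dump.example-host.test 2097152
2010-03-01T09:02:13 10.0.0.9 GET news.example.test 5500
2010-03-01T09:47:51 10.0.0.9 GET news.example.test 6100
2010-03-01T10:05:30 10.0.0.9 GET news.example.test 5800
2010-03-01T10:31:05 10.0.0.9 GET news.example.test 5900
2010-03-01T10:32:00 10.0.0.9 POST mail.example.test 4096
"""


def parse_log(text):
    """Parse the constructed log lines into dicts; blank lines are skipped."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, method, host, size = line.split()
        records.append({
            "ts": datetime.fromisoformat(ts),
            "client": client,
            "method": method,
            "host": host,
            "bytes_out": int(size),
        })
    return records


def find_beacons(records, min_hits=4, max_cv=0.10):
    """Return {(client, host): mean_gap_seconds} for GET streams whose
    inter-request gaps are nearly constant (coefficient of variation <= max_cv).
    Human browsing produces irregular gaps; a scheduled check-in does not."""
    by_pair = defaultdict(list)
    for r in records:
        if r["method"] == "GET":
            by_pair[(r["client"], r["host"])].append(r["ts"])
    beacons = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            beacons[pair] = avg
    return beacons


def find_exfil(records, beacons, min_bytes=512 * 1024):
    """For clients already flagged as beaconing, total the large POST uploads
    per destination host. Returns a sorted list of (client, host, bytes)."""
    flagged_clients = {client for client, _ in beacons}
    totals = defaultdict(int)
    for r in records:
        if (r["client"] in flagged_clients and r["method"] == "POST"
                and r["bytes_out"] >= min_bytes):
            totals[(r["client"], r["host"])] += r["bytes_out"]
    return sorted((c, h, n) for (c, h), n in totals.items())


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    beacons = find_beacons(recs)
    for (client, host), gap in beacons.items():
        print(f"beacon: {client} -> {host} every ~{gap:.0f}s")
    for client, host, nbytes in find_exfil(recs, beacons):
        print(f"bulk upload after beacon: {client} -> {host} ({nbytes} bytes)")
```

The two checks are deliberately chained: a regular poll of a blog or webmail page is not suspicious on its own, and a large upload is not suspicious on its own, but a host that does the first and then does the second to a destination it has no other history with is worth a look. Real deployments would replace the fixed thresholds with per-host baselines and feed the flagged pairs into an analyst queue rather than blocking outright.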

The revelations are a warning to governments, Mr. Deibert said, since countries are only as strong as their weakest link in a global data network. So while files may be safe in paper form in a locked cabinet, as soon as nations begin exchanging data electronically, cracks can be exploited, as they appear to have been with India.

“Unfortunately, Canada has no cyber security strategy, although one’s been promised for many years,” Mr. Deibert said. “We have no foreign policy for cyberspace either, which is mind-boggling, considering how important this domain is for us.”

http://www.theglobeandmail.com/news/technology/canadian-researchers-reveal-online-spy-ring-based-in-china/article1524228/

Spies reach deep into India’s defence

Government has been reluctant to discuss the matter publicly

GRANT ROBERTSON

From Tuesday’s Globe and Mail
Published on Tuesday, Apr. 06, 2010 5:16AM EDT

Last updated on Tuesday, Apr. 06, 2010 11:51AM EDT

When Greg Walton began sifting through the files recovered from one of the biggest Internet spy rings ever cracked, the evidence didn’t immediately strike him as a high-stakes espionage case.

The first stolen file Canadian researchers unearthed seemed innocuous. It was an e-mail sent from people in the tiny village of Pooh in India to the Dalai Lama. The small Himalayan enclave was sending 34 boxes of “our finest apples” to the Tibetan leader to wish him a long and healthy life.

“Nothing Earth shattering,” Mr. Walton said.

But soon, Mr. Walton and his colleagues found far more dangerous e-mails in the recovered files that were linked to servers in China.

The spy ring linked to China had Indian national security files, including details of the Pechora missile system, an anti-aircraft, surface-to-air weapons project. Other documents contained data related to the Iron Dome missile system, and Project Shakti, an artillery combat system.

Documents related to military training schools were also found, along with information on troops. Computers at Indian corporations, including YKK India and Tata, had also been compromised.

Mr. Walton, an expert on the region who conducted the field research in India for the investigation, was amazed.

“I thought, wow, that’s the whole Indian defence establishment,” he said yesterday as the researchers prepared to issue their report on the online espionage, titled Shadows in the Cloud: An Investigation Into Cyber Espionage 2.0. The report is a collaboration involving Ottawa-based consultancy SecDev and the Munk School of Global Affairs at the University of Toronto.

The report stops short of blaming the Chinese government, mainly because the researchers just aren’t sure. China has shrugged off allegations of cyber spying in the past, including Google’s revelation in January that it was attacked late last year.

Often, the government blames so-called “patriotic hackers,” groups of people in China loyal to the state who launch rogue attacks.

“We cannot establish links to the People’s Republic of China government,” Mr. Walton said. “But at the same time, there is a growing body of evidence that there’s some kind of relationship between the state’s specific agencies and the computer underground – the hacking scene – in China.”

The official position of China is that the state does not support such measures.

However, Mr. Walton said the government does not discourage the activity. China “has a vibrant hacker community that has been tied to targeted attacks in the past, and has been linked through informal channels to elements of the Chinese state,” says the report, which will be made public today.

Even if the government isn’t behind the attacks, “information that is independently obtained by the Chinese hacker community is likely to find its way to elements within the Chinese state,” the report says.

Cyber spying is not limited to China. It is plausible that most major powers in the world are engaging in some form of online espionage, the researchers believe.

“If we looked in another part of the world with a different set of victims, we’d probably find entirely different cyber espionage networks,” said Ron Deibert, director of the Citizen Lab at the Munk School of Global Affairs. He calls it a new form of arms race, one that is cheaper than the other methods of espionage, such as satellite networks that cost billions.

For now, the Indian government is not reacting to the report’s findings. Mr. Deibert met with government officials late last week to inform them of the forthcoming report. They thanked him for the meeting and seemed “taken aback,” Mr. Deibert said.

In the past, government officials in India have dismissed suggestions that online spies from China have infiltrated the country, and the government has been reluctant to discuss the matter publicly.

http://www.theglobeandmail.com/news/technology/spies-reach-deep-into-indias-defence/article1524425/

Ronald Deibert and Rafal Rohozinski
Breaking up dark clouds in cyberspace

Anthony Jenkins/The Globe and Mail

The need for security must be balanced with the equally important need for an open, accessible Internet

From Tuesday’s Globe and Mail
Published on Monday, Apr. 05, 2010 6:54PM EDT

Last updated on Tuesday, Apr. 06, 2010 8:06AM EDT

Crime and espionage form a dark underworld of cyberspace. Whereas crime is usually the first to seek out new opportunities and methods, espionage usually follows in its wake, borrowing techniques and tradecraft. The Shadows in the Cloud report, released today, illustrates the increasingly dangerous ecosystem of crime and espionage and its embeddedness in the fabric of global cyberspace.

As our everyday lives move online, criminals and spies have migrated to this domain. They leverage complex, adaptive attack techniques to take advantage of the fissures that have emerged in an era where “e” is everything. Every new piece of software, social networking site, cloud-computing system, or web-hosting service represents an opportunity for the predatory criminal ecosystem to subvert, adapt, and exploit.

This situation has also emerged because of poor security practices among individuals, businesses and governments. The age of mass Internet access is less than 20 years old. Public institutions – particularly those in developing countries – have embraced these new technologies faster than procedures have been created to deal with the vulnerabilities they introduce. Today, data is transferred from laptops to USB sticks, over wireless networks at cafe hot spots, and stored across cloud-computing systems whose servers are located in far-off jurisdictions. The sheer complexity makes thinking about security in cyberspace mind-bogglingly difficult. Paradoxically, documents and personal information are probably safer in a file cabinet, under the bureaucrat’s careful watch, than they are on today’s networked PC.

The ecosystem of crime and espionage is also emerging because of strategic calculus. Cyberspace is the great equalizer. Countries no longer need to spend billions of dollars to build globe-spanning satellites to pursue high-level intelligence gathering, when they can do so by harvesting information from government computers connected to the Internet.

Governments are engaged in a rapid race to militarize cyberspace, to develop tools and methods to fight and win wars in this domain. This arms race creates an opportunity structure ripe for crime and espionage to flourish. In the absence of norms, principles and rules of mutual restraint, opportunists, criminals, spies and others rush to fill the vacuum.

Against this context, the absence of Canadian policy for cyberspace is notable. For years, Canadian telcos have acted as the front line against a surging tide of criminal botnets, malware, and other malicious online behaviour – largely in the absence of government policy. At least one Canadian institution was ensnared in the Shadow Network we uncovered, but no doubt others have been that escaped our gaze.

Canada’s cybersecurity strategy has been long promised, but a domestic cybersecurity plan is only a partial solution. In a networked world, you are only as secure as the weakest link – and that link can be anyone, including your allies and partners. Notably, our investigation discovered that Canadian visa applications submitted to Indian consulates in Afghanistan were stolen along with those of 12 other nationalities.

Fixing cybersecurity requires a global effort, and one in which Canada’s security and foreign policy must be attuned and synchronized to the unique needs of cyberspace. We should take the lead in pushing for a global convention that builds robust mechanisms of information sharing across borders and institutions, defines appropriate rules of the road for engagement in the cyberdomain, and puts the onus on states not to tolerate or encourage malicious networks whose activities operate from within their jurisdictions.

At the same time, Canada should work to defend the openness of the global Internet commons – to ensure that policies and practices appropriate to security in the information age do not restrict, constrain, or threaten to roll back the gains in development, human rights and democracy – values we as Canadians embrace – and which cyberspace has helped propel globally over the past 20 years.

Today, no country is secure in the global sea of information. Preserving cyberspace requires a strategy to address the dark side of the Internet. This requires urgent international co-operation, level-headed judgment and a commitment to preserve our values of freedom of speech and access to information, so as to ensure that in our quest for online security we do not secure ourselves into a new dark age.

Ron Deibert is associate professor of political science and director of the Citizen Lab at the University of Toronto’s Munk Centre for International Studies. Rafal Rohozinski is CEO of the Ottawa-based SecDev Group. They are co-authors of the Shadows in the Cloud report.

http://www.theglobeandmail.com/news/opinions/breaking-up-dark-clouds-in-cyberspace/article1524064/