GhostNet is the name given by researchers at the Information Warfare Monitor to a large-scale cyber spying operation discovered in March 2009. The operation is likely associated with an advanced persistent threat, or a network actor that spies undetected. Its command and control infrastructure is based mainly in the People's Republic of China, and GhostNet has infiltrated high-value political, economic and media locations in 103 countries. Computer systems belonging to embassies, foreign ministries and other government offices, and the Dalai Lama's Tibetan exile centers in India, London and New York City were compromised.


Discovery

GhostNet was discovered and named following a 10-month investigation by the Infowar Monitor (IWM), carried out after IWM researchers approached the Dalai Lama's representative in Geneva suspecting that their computer network had been infiltrated. The IWM is composed of researchers from The SecDev Group, a Canadian consultancy, and the Citizen Lab, Munk Centre for International Studies at the University of Toronto; the research findings were published in the ''Infowar Monitor'', an affiliated publication. Researchers from the University of Cambridge's Computer Laboratory, supported by the Institute for Information Infrastructure Protection, also contributed to the investigation at one of the three locations in Dharamshala, where the Tibetan government-in-exile is located. The discovery of the 'GhostNet', and details of its operations, were reported by ''The New York Times'' on March 29, 2009. Investigators focused initially on allegations of Chinese cyber-espionage against the Tibetan exile community, such as instances where email correspondence and other data were extracted. (China-based spies target Thailand, Bangkok Post, March 30, 2009. Retrieved on March 30, 2009.)
Compromised systems were discovered in the embassies of India, South Korea, Indonesia, Romania, Cyprus, Malta, Thailand, Taiwan, Portugal, Germany and Pakistan and the office of the Prime Minister of Laos. The foreign ministries of Iran, Bangladesh, Latvia, Indonesia, Philippines, Brunei, Barbados and Bhutan were also targeted. No evidence was found that U.S. or UK government offices were infiltrated, although a NATO computer was monitored for half a day and the computers of the Indian embassy in Washington, D.C., were infiltrated. Since its discovery, GhostNet has attacked other government networks, for example Canadian official financial departments in early 2011, forcing them off-line. Governments commonly do not admit such attacks, which must be verified by official but anonymous sources.


Technical functionality

Emails that contain contextually relevant information are sent to target organizations. These emails carry malicious attachments that, when opened, enable a Trojan horse to access the system. This Trojan connects back to a control server, usually located in China, to receive commands. The infected computer then executes the command specified by the control server. Occasionally, that command causes the infected computer to download and install a Trojan known as Gh0st RAT, which allows attackers to gain complete, real-time control of computers running Microsoft Windows. Such a computer can be controlled or inspected by attackers, and the software even has the ability to turn on camera and audio-recording functions of infected computers, enabling attackers to perform surveillance.
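
The control-server connection described above is what network defenders look for. The following Python example is an addition to this article, not code from the IWM report or from any GhostNet analysis; it flags captured TCP payloads that match the packet layout publicly documented for the open-source Gh0st RAT code (a 5-byte magic string, two little-endian 32-bit length fields, then a zlib-compressed body). That layout, the function names and the sample payloads are assumptions of the example and do not come from this page.

```python
import struct
import zlib

HEADER_LEN = 13  # assumed layout: 5-byte magic + two little-endian uint32 lengths

def make_sample(magic: bytes, plain: bytes) -> bytes:
    """Build a constructed test packet in the assumed layout (sample data only)."""
    body = zlib.compress(plain)
    return magic + struct.pack("<II", HEADER_LEN + len(body), len(plain)) + body

def parse_gh0st_packet(payload: bytes):
    """Return (magic, plaintext) if payload starts with a Gh0st-style packet, else None."""
    if len(payload) < HEADER_LEN + 2:
        return None
    magic = payload[:5]
    # Variants rename the magic, so accept any five printable ASCII bytes.
    if not all(0x21 <= b <= 0x7E for b in magic):
        return None
    total_len, plain_len = struct.unpack_from("<II", payload, 5)
    # The declared packet size must fit inside what was captured.
    if not HEADER_LEN + 2 <= total_len <= len(payload):
        return None
    body = payload[HEADER_LEN:total_len]
    if body[0] != 0x78:  # zlib streams begin with 0x78
        return None
    try:
        # Cap output at declared size + 1 so a hostile stream cannot exhaust memory.
        plain = zlib.decompressobj().decompress(body, plain_len + 1)
    except zlib.error:
        return None
    # The second length field must match the decompressed size exactly.
    if len(plain) != plain_len:
        return None
    return magic.decode("ascii"), plain

def scan(payloads):
    """Return indexes of payloads that parse as Gh0st-style packets."""
    return [i for i, p in enumerate(payloads) if parse_gh0st_packet(p)]

# Constructed sample payloads, not captured traffic.
SAMPLES = [
    make_sample(b"Gh0st", b"constructed check-in record"),
    b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n",
    make_sample(b"ABCDE", b"renamed-magic variant, constructed"),
    make_sample(b"Gh0st", b"truncated in capture")[:-4],
]
```

Checking that both length fields agree with the decompressed body, rather than matching the magic string alone, keeps the check useful when the magic has been renamed and keeps false positives on ordinary traffic low.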


Origin

The researchers from the IWM stated they could not conclude that the Chinese government was responsible for the spy network. However, a report from researchers at the University of Cambridge says they believe that the Chinese government is behind the intrusions they analyzed at the Office of the Dalai Lama. Researchers have also noted the possibility that GhostNet was an operation run by private citizens in China for profit or for patriotic reasons, or created by intelligence agencies from other countries such as Russia or the United States. The Chinese government has stated that China "strictly forbids any cyber crime." The "Ghostnet Report" documents several unrelated infections at Tibetan-related organizations in addition to the Ghostnet infections. By using the email addresses provided by the IWM report, Scott J. Henderson had managed to trace one of the operators of one of the infections (non-Ghostnet) to Chengdu. He identifies the hacker as a 27-year-old man who had attended the University of Electronic Science and Technology of China, and is currently connected with the Chinese hacker underground. Despite the lack of evidence to pinpoint the Chinese government as responsible for intrusions against Tibetan-related targets, researchers at Cambridge have found actions taken by Chinese government officials that corresponded with the information obtained via computer intrusions. One such incident involved a diplomat who was pressured by Beijing after receiving an email invitation to a visit with the Dalai Lama from his representatives. Another incident involved a Tibetan woman who was interrogated by Chinese intelligence officers and was shown transcripts of her online conversations. (Tracking GhostNet: Investigating a Cyber Espionage Network, Munk Centre for International Studies, March 29, 2009.)
However, there are other possible explanations for this event. Drelwa uses QQ and other instant messengers to communicate with Chinese Internet users. In 2008, IWM found that TOM-Skype, the Chinese version of Skype, was logging and storing text messages exchanged between users. It is possible that the Chinese authorities acquired the chat transcripts through these means. IWM researchers have also found that when detected, GhostNet is consistently controlled from IP addresses located on the island of Hainan, China, and have pointed out that Hainan is home to the Lingshui signals intelligence facility and the Third Technical Department of the People's Liberation Army. Furthermore, one of GhostNet's four control servers has been revealed to be a . (Meet the Canadians who busted Ghostnet, ''The Globe and Mail'', March 29, 2009.)


See also

* Advanced persistent threat
* Chinese intelligence activity abroad
* Chinese cyberwarfare
* Chinese espionage in the United States
* Cyber-warfare
* Economic and industrial espionage
* Honker Union
* Internet censorship in China
* Operation Aurora
* RedHack (from Turkey)
* Titan Rain
* Shadow Network
* 14th Dalai Lama


External links


* The SecDev Group
* Citizen Lab at the University of Toronto
* Tracking GhostNet: Investigating a Cyber Espionage Network (Infowar Monitor Report (SecDev and Citizen Lab), March 29, 2009)
* Mirror of the report PDF
* Information Warfare Monitor - Tracking Cyberpower (University of Toronto, Canada/Munk Centre)
* Twitter: InfowarMonitor
* Bodmer, Kilger, Carpenter, & Jones (2012). Reverse Deception: Organized Cyber Threat Counter-Exploitation. New York: McGraw-Hill Osborne Media.