Information Operations Newsletter

Compiled by: Mr. Jeff Harley, Army Forces Strategic Command G39, Information Operations Division

The articles and information appearing herein are intended for educational and non-commercial purposes to promote discussion of research in the public interest. The views, opinions, and/or findings and recommendations contained in this summary are those of the original authors and should not be construed as an official position, policy, or decision of the United States Government, U.S. Department of the Army, or U.S. Army Strategic Command.

ARSTRAT IO Newsletter on OSS.net
Vol. 9, no. 09 (1-6 April 2009)

Table of Contents

1. Vast Spy System Loots Computers in 103 Countries
2. Researchers Say They Uncover International Cyber-Spy Network

Vast Spy System Loots Computers in 103 Countries
By John Markoff, New York Times, March 29, 2009

TORONTO — A vast electronic spying operation has infiltrated computers and has stolen documents from hundreds of government and private offices around the world, including those of the Dalai Lama, Canadian researchers have concluded.

In a report to be issued this weekend, the researchers said that the system was being controlled from computers based almost exclusively in China, but that they could not say conclusively that the Chinese government was involved.

The researchers, who are based at the Munk Center for International Studies at the University of Toronto, had been asked by the office of the Dalai Lama, the exiled Tibetan leader whom China regularly denounces, to examine its computers for signs of malicious software, or malware.

Their sleuthing opened a window into a broader operation that, in less than two years, has infiltrated at least 1,295 computers in 103 countries, including many belonging to embassies, foreign ministries and other government offices, as well as the Dalai Lama’s Tibetan exile centers in India, Brussels, London and New York.

The researchers, who have a record of detecting computer espionage, said they believed that in addition to the spying on the Dalai Lama, the system, which they called GhostNet, was focused on the governments of South Asian and Southeast Asian countries.

Intelligence analysts say many governments, including those of China, Russia and the United States, and other parties use sophisticated computer programs to covertly gather information.

The newly reported spying operation is by far the largest to come to light in terms of countries affected. This is also believed to be the first time researchers have been able to expose the workings of a computer system used in an intrusion of this magnitude.

Still going strong, the operation continues to invade and monitor more than a dozen new computers a week, the researchers said in their report, “Tracking ‘GhostNet’: Investigating a Cyber Espionage Network.” They said they had found no evidence that United States government offices had been infiltrated, although a NATO computer was monitored by the spies for half a day and computers of the Indian Embassy in Washington were infiltrated.

The malware is remarkable both for its sweep — in computer jargon, it has not been merely “phishing” for random consumers’ information, but “whaling” for particular important targets — and for its Big Brother-style capacities. It can, for example, turn on the camera and audio-recording functions of an infected computer, enabling monitors to see and hear what goes on in a room. The investigators say they do not know if this facet has been employed.

The researchers were able to monitor the commands given to infected computers and to see the names of documents retrieved by the spies, but in most cases the contents of the stolen files have not been determined. Working with the Tibetans, however, the researchers found that specific correspondence had been stolen and that the intruders had gained control of the electronic mail server computers of the Dalai Lama’s organization.

The electronic spy game has had at least some real-world impact, they said. For example, they said, after an e-mail invitation was sent by the Dalai Lama’s office to a foreign diplomat, the Chinese government made a call to the diplomat discouraging a visit. And a woman working for a group making Internet contacts between Tibetan exiles and Chinese citizens was stopped by Chinese intelligence officers on her way back to Tibet, shown transcripts of her online conversations and warned to stop her political activities.

The Toronto researchers said they had notified international law enforcement agencies of the spying operation, which in their view exposed basic shortcomings in the legal structure of cyberspace. The F.B.I. declined to comment on the operation.

Although the Canadian researchers said that most of the computers behind the spying were in China, they cautioned against concluding that China’s government was involved. The spying could be a nonstate, for-profit operation, for example, or one run by private citizens in China known as “patriotic hackers.”

“We’re a bit more careful about it, knowing the nuance of what happens in the subterranean realms,” said Ronald J. Deibert, a member of the research group and an associate professor of political science at Munk. “This could well be the C.I.A. or the Russians. It’s a murky realm that we’re lifting the lid on.”

A spokesman for the Chinese Consulate in New York dismissed the idea that China was involved. “These are old stories and they are nonsense,” the spokesman, Wenqi Gao, said. “The Chinese government is opposed to and strictly forbids any cybercrime.”

The Toronto researchers, who allowed a reporter for The New York Times to review the spies’ digital tracks, are publishing their findings in Information Warfare Monitor, an online publication associated with the Munk Center.

At the same time, two computer researchers at Cambridge University in Britain who worked on the part of the investigation related to the Tibetans, are releasing an independent report. They do fault China, and they warned that other hackers could adopt the tactics used in the malware operation.

“What Chinese spooks did in 2008, Russian crooks will do in 2010 and even low-budget criminals from less developed countries will follow in due course,” the Cambridge researchers, Shishir Nagaraja and Ross Anderson, wrote in their report, “The Snooping Dragon: Social Malware Surveillance of the Tibetan Movement.”

In any case, it was suspicions of Chinese interference that led to the discovery of the spy operation. Last summer, the office of the Dalai Lama invited two specialists to India to audit computers used by the Dalai Lama’s organization.

The specialists, Greg Walton, the editor of Information Warfare Monitor, and Mr. Nagaraja, a network security expert, found that the computers had indeed been infected and that intruders had stolen files from personal computers serving several Tibetan exile groups.

Back in Toronto, Mr. Walton shared data with colleagues at the Munk Center’s computer lab. One of them was Nart Villeneuve, 34, a graduate student and self-taught “white hat” hacker with dazzling technical skills.

Last year, Mr. Villeneuve linked the Chinese version of the Skype communications service to a Chinese government operation that was systematically eavesdropping on users’ instant-messaging sessions.

Early this month, Mr. Villeneuve noticed an odd string of 22 characters embedded in files created by the malicious software and searched for it with Google. It led him to a group of computers on Hainan Island, off China, and to a Web site that would prove to be critically important.

In a puzzling security lapse, the Web page that Mr. Villeneuve found was not protected by a password, while much of the rest of the system uses encryption.

Mr. Villeneuve and his colleagues figured out how the operation worked by commanding it to infect a system in their computer lab in Toronto. On March 12, the spies took their own bait. Mr. Villeneuve watched a brief series of commands flicker on his computer screen as someone — presumably in China — rummaged through the files. Finding nothing of interest, the intruder soon disappeared.

Through trial and error, the researchers learned to use the system’s Chinese-language “dashboard” — a control panel reachable with a standard Web browser — by which one could manipulate the more than 1,200 computers worldwide that had by then been infected.

Infection happens two ways. In one method, a user’s clicking on a document attached to an e-mail message lets the system covertly install software deep in the target operating system. Alternatively, a user clicks on a Web link in an e-mail message and is taken directly to a “poisoned” Web site.

The researchers said they avoided breaking any laws during three weeks of monitoring and extensively experimenting with the system’s unprotected software control panel. They provided, among other information, a log of compromised computers dating to May 22, 2007.

They found that three of the four control servers were in different provinces in China — Hainan, Guangdong and Sichuan — while the fourth was discovered to be at a Web-hosting company based in Southern California.

Beyond that, said Rafal A. Rohozinski, one of the investigators, “attribution is difficult because there is no agreed upon international legal framework for being able to pursue investigations down to their logical conclusion, which is highly local.”

Researchers Say They Uncover International Cyber-Spy Network
From Wall Street Journal, 29 Mar 2009

"Security researchers said they have discovered software capable of stealing information installed on computers in 103 countries, an apparently coordinated cyber-attack that targeted the office of the Dalai Lama and government agencies around the world. The software infected more than 1,200 computers in all, almost 30% of which are considered high-value targets, according to a report published Sunday by Information Warfare Monitor, a Toronto-based organization. (REPORT ATTACHED: Tracking GhostNet.pdf)

Among the affected computers were those in embassies belonging to Germany, India, Romania, and Thailand, and in the ministries of foreign affairs for Barbados, Iran and Latvia. The researchers say the infected computers acted as a kind of illicit information-gathering network, and that they observed sensitive documents being stolen from a computer network operated by the Dalai Lama's organization. They traced the attacks to computers located in China, but stop short of blaming the Chinese government. A separate report by researchers at Cambridge University, also published Sunday, alleges that the Chinese government or a group working closely with it is responsible for the attack on the computer in the office of the Dalai Lama. (REPORT ATTACHED: Snooping Dragon.pdf)

Media officials at China's Ministry of Foreign Affairs and State Council Information Office declined requests for comment Sunday. The Chinese government has repeatedly denied past allegations that it sponsors cyber attacks. The New York Times published an article about the reports on its Web site Saturday. The apparent attacks are the latest in a series of incidents that suggest cyber-espionage is on the rise. Last year, Kevin Chilton, commander of the U.S. Strategic Command, said military computer networks are increasingly coming under attack from hackers trying to steal information, many of whom appear to have ties to China. The U.S. government has also said that military contractors have been victims of these attacks.

In trying to tap into government computers, attackers have been stepping up the use of sabotaged programs, sometimes called malware. The technique is essentially the same as that used by criminals who try to break into people's home PCs to steal credit cards or other information. A victim is tricked into opening an infected file attached to an email or downloading a file from a Web site. Criminals have managed to gain control over millions of computers by sending files pretending to be racy pictures of celebrities or winning lottery tickets.

In an espionage attack, the messages are much more targeted, said Shishir Nagaraja, one of the authors of the Cambridge study who investigated the attack on the office of the Dalai Lama. The emails appear to come from someone the recipient knows and may contain a file that the recipient has been expecting. "Who wouldn't open that?" said Mr. Nagaraja, who is now a postdoctoral researcher at the University of Illinois. The attacks "depend less on technical measures and more on abusing trust."

In the attacks tracked by the Canadian researchers, the installed software provided near-complete control over the victims' computers. The attackers could search for and steal sensitive files, capture passwords to Web sites, and even activate a computer's Web camera if they desired. The victims were typically unaware that someone else could control their computers.

Officials working with the Dalai Lama first became suspicious that their computers had been compromised when a foreign diplomat the office had contacted via email received a call from the Chinese government discouraging a meeting with the Dalai Lama. Mr. Nagaraja said he traveled to Dharamsala, India, in September 2008 to investigate, and found evidence while there that cyber espionage was underway. Mr. Nagaraja stressed that businesses are also at risk.

While the incidents uncovered by the researchers dealt mainly with government organizations, corporations could hire hackers to steal information from rivals using similar techniques. Indeed, there is a precedent for such incidents. In May 2005 Michael and Ruth Haephrati were arrested and later pleaded guilty to stealing secrets from dozens of businesses in Israel by crafting fake business proposals that really contained malicious software. The Haephratis would call their targets on the phone to make sure they had opened the infected files.

Targeted attacks are on the rise. Researchers at MessageLabs, a division of Symantec Corp., only detected about one or two targeted attacks per week in 2005. In 2008, the researchers detected 53 of these attacks a day.

The Canadian researchers are based at the Munk Centre for International Studies at the University of Toronto and the consulting firm SecDev Group. They said their investigation, conducted between June 2008 and March 2009, was prompted by allegations of cyber espionage against the Tibetan community."