GhostNet

This article documents a current event. Information may change rapidly as the event progresses, and initial news reports may be unreliable. The latest updates to this article may not reflect the most current information. Feel free to improve this article or discuss changes on the talk page, but please note that updates without valid and reliable references will be removed. (March 2009) (Learn how and when to remove this message)

GhostNet is the name given to a recently-discovered, large-scale electronic spying operation, based mainly in the People's Republic of China, which has infiltrated at least 1,295 computers in 103 countries. Computer systems belonging to embassies, foreign ministries, and other government offices, as well as the Dalai Lama's Tibetan exile centers in India, Brussels, London, and New York City.^[1]

The 'GhostNet' was discovered and named by researchers at the University of Toronto's Munk Centre for International Studies and the University of Cambridge's Computer Laboratory, after a 10-month investigation. The discovery of the 'GhostNet', and details of its operations, were reported by The New York Times on March 29, 2009.^[1][2] Investigators focused initially on allegations of Chinese cyber-espionage against the Tibetan exile community, such as instances where email correspondence and other data were stolen.^[3] This led to the discovery of a much wider network of compromised machines.

Compromised systems were discovered in the embassies of India, South Korea, Indonesia, Romania, Cyprus, Malta, Thailand, Taiwan, Portugal, Germany and Pakistan. The foreign ministries of Iran, Bangladesh, Latvia, Indonesia, Philippines, Brunei, Barbados and Bhutan were also targeted.^[4][5] No evidence was found that U.S. or U.K. government offices were infiltrated, although a NATO computer was monitored for half a day and the computers of the Indian embassy in Washington, D.C. were infiltrated.^[5][6][7]

Researchers believe they have found evidence of actions taken by government officials from the People's Republic of China as a result of information obtained via the 'GhostNet'. After a diplomat received an email invitation to a visit with the Dalai Lama from his representatives, Beijing officials made a call to the diplomat discouraging the visit. A woman on her way to Tibet was stopped by Chinese intelligence officers and shown transcripts of her online conversations.^[8]

While a report from researchers at the University of Cambridge says they believe that the Chinese government is behind the attacks,^[9] the researchers from the University of Toronto stated they could not conclude that the Chinese government was responsible for the spy network, and noted alternative possibilities such as an operation run by private citizens in China for profit or for patriotic reasons, or intelligence agencies from other countries such as Russia or the United States.^[1] The Chinese government has denied any involvement, stating that China "strictly forbids any cyber crime".^[4][3]

The system disseminates malware to selected recipients via computer code attached to stolen emails and addresses, thereby expanding the network by allowing more computers to be infected. Once infected, a computer can be controlled or inspected by its hackers. The malware even has the ability to turn on the camera and audio-recording functions of an infected computer, enabling monitors to see and hear what goes on in a room.^[1]

• Surveillance
• Hacking
• Skynet

• Citizen Lab at the University of Toronto
• Tracking GhostNet: Investigating a Cyber Espionage Network (University of Toronto Report about GhostNet, March 29, 2009)
• F-Secure Mirror of the report PDF