Examine individual changes

'{{dablink|For the fishing net, see [[Ghost net]].}} '''GhostNet''' ({{zh|t=幽靈網|s=幽灵网|p=YōuLíngWǎng}}) is the name given{{Clarify me|date=April 2009}}<!--by whom--> to a large-scale [[cyber spying]]<ref name="bbc" /><ref name="guardian">{{cite news|last=Glaister|first=Dan|title=China Accused of Global Cyberspying|work=[[The Guardian Weekly]]|volume=180|issue=16|page=5|date=March 30, 2009|url=http://www.guardian.co.uk/world/2009/mar/30/china-dalai-lama-spying-computers|accessdate=April 7, 2009}}</ref><!-- correct print title --> operation discovered in March 2009. It is based mainly in the People's Republic of China and has infiltrated high-value political, economic and media locations<ref name="nato"/> in 103 countries. Computer systems belonging to [[embassy|embassies]], foreign ministries and other government offices, and the [[14th Dalai Lama|Dalai Lama]]'s [[Tibet]]an exile centers in India, London and New York City were compromised. Although the activity is mostly based in China, there is no conclusive evidence that the [[Government of the People's Republic of China|Chinese government]] is involved in its operation.<ref name="NY-TIMES">{{cite news| title=Vast Spy System Loots Computers in 103 Countries | url=http://www.nytimes.com/2009/03/29/technology/29spy.html | work = [[New York Times]] | date=March 28, 2009 | accessdate=March 29, 2009}}</ref> ==Discovery== GhostNet was discovered and named following a 10-month investigation by the [[Infowar Monitor]] (IWM), carried out at the instigation of the [[Central Tibetan Administration|Tibetan government in exile]], who suspected that their computer network had been infiltrated.<ref name="BBC_3003">{{cite news|url=http://news.bbc.co.uk/1/hi/world/americas/7972702.stm|title=China denies spying allegations|work=[[BBC News]]|date=March 30, 2009|accessdate=March 31, 2009}}</ref> The IWM is composed of researchers from [[Secdev Group]] and Canadian consultancy and the [[Citizen Lab]], [[Munk Centre for International Studies]] at the [[University of Toronto]]; the research findings were published in the [[Infowar Monitor]], an affiliated publication.<ref name="NY-TIMES"/> Researchers from the [[University of Cambridge]]'s [[University of Cambridge Computer Laboratory|Computer Laboratory]], supported by the [[Institute for Information Infrastructure Protection]],<ref name="Cambridge_p2">{{cite web|url=http://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-746.pdf|title=The snooping dragon: social-malware surveillance of the Tibetan movement|author=Shishir Nagaraja, Ross Anderson|publisher=[[University of Cambridge]]|month=March|year=2009|page=2|accessdate=March 31, 2009|format=PDF}}</ref> also contributed to the investigation at one of the three locations in [[Dharamsala]], where the Tibetan government-in-exile is located. The discovery of the 'GhostNet', and details of its operations, were reported by ''[[The New York Times]]'' on March 29, 2009.<ref name="NY-TIMES"/><ref>{{cite news| title=Researchers: Cyber spies break into govt computers | url=http://www.google.com/hostednews/ap/article/ALeqM5jQLLlzAwWMnd6PID1d_id1LYOwfwD977GQ0G0 | work=[[Associated Press]] | date=March 29, 2009 | accessdate=March 29, 2009}}</ref> Investigators focused initially on allegations of Chinese cyber-espionage against the Tibetan exile community, such as instances where email correspondence and other data were extracted.<ref name=bp>[http://www.bangkokpost.com/news/world/138995/china-based-spies-target-us China-based spies target Thailand]. [[Bangkok Post]], March 30, 2009. Retrieved on March 30, 2009.</ref> Compromised systems were discovered in the [[Embassy|embassies]] of [[India]], [[South Korea]], [[Indonesia]], [[Romania]], [[Cyprus]], [[Malta]], [[Thailand]], [[Taiwan]], [[Portugal]], [[Germany]] and [[Pakistan]] and the office of the Prime Minister of [[Laos]]. The [[Foreign ministry|foreign ministries]] of [[Iran]], [[Bangladesh]], [[Latvia]], [[Indonesia]], [[Philippines]], [[Brunei]], [[Barbados]] and [[Bhutan]] were also targeted.<ref name=bbc>{{cite news| title=Major cyber spy network uncovered | url=http://news.bbc.co.uk/1/hi/world/americas/7970471.stm | work=[[BBC News]] | date=March 29, 2009 | accessdate=March 29, 2009}}</ref><ref name=Reuters>{{cite news| title=Canadians find vast computer spy network: report | url=http://www.reuters.com/article/newsOne/idUSTRE52R2HQ20090328 | work=[[Reuters]] | date=March 28, 2009 | accessdate=March 29, 2009}}</ref> No evidence was found that U.S. or U.K. government offices were infiltrated, although a [[NATO]] computer was monitored for half a day and the computers of the [[Embassy of India in Washington, D.C.|Indian embassy]] in [[Washington, D.C.]], were infiltrated.<ref name="nato">{{cite news| title=Chinese hackers ‘using ghost network to control embassy computers’ | url=http://www.timesonline.co.uk/tol/news/uk/crime/article5996253.ece | work=[[The Times]] | date=March 29, 2009 | accessdate=March 29, 2009}}</ref><ref name=Reuters/><ref>{{cite news| title=Spying operation by China infiltrated computers: Report | url=http://www.thehindubusinessline.com/blnus/10291335.htm | work=[[The Hindu]] | date=March 29, 2009 | accessdate=March 29, 2009}}</ref> ==Technical functionality== Emails are sent to target organizations that contain contextually relevant information. These emails contain malicious attachments, that when opened, drop a Trojan horse on to the system. This Trojan connects back to a control server, usually located in China, to receive commands. The infected computer will then execute the command specified by the control server. Occasionally, the command specified by the control server will cause the infected computer to download and install a [[Trojan horse (computing)|Trojan]] known as [[Gh0st Rat]] that allows attackers to gain complete, real-time control of computers.<ref name="nato"/> Such a computer can be controlled or inspected by attackers, and even has the ability to turn on camera and audio-recording functions, if present, of infected computers, enabling monitors to perform surveillance.<ref name="NY-TIMES"/> ==Origin== The researchers from the IWM stated they could not conclude that the Chinese government was responsible for the spy network. <ref name=uoft>[http://www.f-secure.com/weblog/archives/ghostnet.pdf Tracking GhostNet: Investigating a Cyber Espionage Network]. [[The SecDev Group]] and [[Munk Centre for International Studies]]. March 29, 2009</ref> However, a report from researchers at the [[University of Cambridge]] says they believe that the Chinese government is behind the intrusions they analyzed at the Office of the Dalai Lama.<ref name=snoop>{{cite web | url = http://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-746.pdf | title = The snooping dragon: social-malware surveillance of the Tibetan movement | first = Shishir | last = Nagaraja | coauthors = Anderson, Ross| publisher = Computer Laboratory, University of Cambridge | date = March 2009 | format = PDF }}</ref> Researchers have also noted the possibility that GhostNet was an operation run by private citizens in China for profit or for patriotic reasons, or created by intelligence agencies from other countries such as Russia or the United States.<ref name="NY-TIMES"/> The Chinese government has stated that China "strictly forbids any cyber crime".<ref name=bbc/><ref name=bp/> The "Ghostnet Report" documents several unrelated infections at Tibetan-related organizations in addition to the Ghostnet infections. By using the email addresses provided by the IWM report, [[Scott J. Henderson]], the author of the book ''[[The Dark Visitor]]'' (2007),<ref>{{Cite web|title=The Dark Visitor (paperback)|url=http://books.google.ca/books?id=scwuOAAACAAJ&dq=The+Dark+Visitor|publisher = Google|accessdate=April 2, 2009}}</ref> had managed to trace one of the operators of one of the infections (non-Ghostnet) to [[Chengdu]]. He identifies the hacker as a 27-year-old man who had attended the [[University of Electronic Science and Technology of China]], and currently connected with the Chinese hacker [[Underground culture|underground]].<ref>{{Cite web|last=Henderson|first=Scott|publication-date=April 2, 2009|title=Hunting the GhostNet Hacker|url=http://www.thedarkvisitor.com/2009/04/hunting-the-ghostnet-hacker/|publisher = The Dark Visitor|accessdate=April 2, 2009}}</ref> Despite the lack of evidence to pinpoint Chinese government as responsible for intrusions against Tibetan-related targets, researchers at Cambridge have found actions taken by Chinese government officials that corresponded with the information obtained via computer instrusions. One such incident involved a diplomat who was pressured by Beijing after receiving an email invitation to a visit with the [[14th Dalai Lama|Dalai Lama]] from his representatives.<ref name="snoop"/> Another incident was about a Tibetan woman who was interrogated by Chinese intelligence officers and was shown transcripts of her online conversations.<ref name=uoft>[http://www.f-secure.com/weblog/archives/ghostnet.pdf Tracking GhostNet: Investigating a Cyber Espionage Network]. [[Munk Centre for International Studies]]. March 29, 2009</ref><ref>[http://www.thestar.com/article/610071 U of T team tracks China-based cyber spies] [[Toronto Star]] March 29, 2009{{Dead link|date=March 2009}}</ref> However, there are other possible explanations for this event. Drelwa uses QQ and other instant messengers to communicate with Chinese Internet users. In 2008, IWM found that TOM-Skype, the Chinese version of Skype, was logging and storing text messages exchanged between users. It is possible that the Chinese authorities acquired the chat transcripts through this means.<ref>[http://www.nartv.org/mirror/breachingtrust.pdf]</ref> The researchers from IWM had also found that instances of Gh0st Rat were consistently controlled from IP addresses located on the island of [[Hainan]], China, and pointed out that Hainan is home to the Lingshui signals intelligence facility and the Third Technical Department of the People’s Liberation Army.<ref name="nato"/> Furthermore, one of the four control servers were traced back to a government server. <ref> http://www.theglobeandmail.com/servlet/story/RTGAM.20090329.wcomputerspy0329/BNStory/Technology/home?cid=al_gam_mostview Meet the Canadians who busted Ghostnet] [[Globe and Mail]] Martch 29, 2009 </ref> The Chinese embassy in London has denied the involvement of its government, stating that there is no evidence that his government was involved. He has called the accusation part of a "propaganda campaign" and "just some video footage pieced together from different sources to attack China".<ref name="BBC_3003" /> Foreign Ministry spokesman Qin Gang said that his country was committed to security of the computer network. "''China is opposed to and would seriously deter hacking activities, and had enacted clear laws against hacking. Rumours about Chinese cyber-espionage are completely unfounded, and those attempting to smear China in this way would not succeed.''" <ref>{{zh icon}}{{cite news|url=http://www.fmprc.gov.cn/chn/xwfw/fyrth/t477173.htm|title=外交部发言人秦刚就所谓中国网络间谍系统入侵多国电脑事答记者问|publisher=Chinese Foreign Ministry|date=March 31, 2009|accessdate=March 31, 2009}} reference in Chinese</ref> ==See also== * [[Honker Union]] * [[Cyber-warfare]] * [[Titan Rain]] * [[Chinese intelligence activity in other countries]] * [[Internet censorship in the People's Republic of China]] ==References== {{reflist|2}} ==External links== * [http://www.secdev.ca The SecDev Group] Ottawa, Canada * [http://www.citizenlab.org Citizen Lab] at the University of Toronto * [http://www.scribd.com/doc/13731776/Tracking-GhostNet-Investigating-a-Cyber-Espionage-Network Tracking GhostNet: Investigating a Cyber Espionage Network (Infowar Monitor Report (SecDev and Citize Lab), March 29, 2009)] * [http://www.f-secure.com/weblog/archives/00001637.html F-Secure] Mirror of the report PDF * [http://infowar-monitor.net/index.php Information Warfare Monitor - Tracking Cyberpower (University of Toronto, Canada/Munk Centre)] * [http://twitter.com/InfowarMonitor Twitter: InfowarMonitor] * {{citation|journal|url=http://www.thestar.com/News/World/Article/610860|title=Cyberspies' code a click away - Simple Google search quickly finds link to software for Ghost Rat program used to target governments|periodical=[[Toronto Star]] (Canada)|publication_place=Toronto, Ontario, Canada|date=March 31, 2009|accessdate=April 4, 2009}} * {{cite web |url=http://www.atimes.com/atimes/China/KD08Ad01.html |title=Cyber-skirmish at the top of the world |first=Peter |last=Lee |work=[[Asia Times Online]] |date=April 8, 2009 |accessdate=April 9, 2009}} [[Category:Open source intelligence]] [[Category:Spyware]] [[Category:Espionage projects]] [[Category:Internet in the People's Republic of China]] [[Category:2009 in China]] [[Category:Mass intelligence-gathering systems]] [[Category:Cyberattacks]] [[da:GhostNet]] [[de:GhostNet]] [[es:GhostNet]] [[fr:GhostNet]] [[he:GhostNet]] [[pl:GhostNet]] [[ro:GhostNet]] [[fi:GhostNet]] [[vi:GhostNet]] [[zh:幽灵网]] {{use mdy dates}}'