Summary
The staggering reach of the recently discovered ‘GhostNet’ suggests a new realm of possibilities for international cyberspace espionage. But, who are the Ghosts?
Analysis
A recently published report by the Information Warfare Monitor outlines the dimensions and functionality of a covert international electronic network that they have dubbed GhostNet. According to the report, GhostNet has already compromised 1,295 computers in 103 countries. Most importantly, about 30% of these computers have been classified as ‘high value’ targets insofar that they contain information with a possible intelligence application. These computers belong to the likes of diplomats, military attaches, secretaries to Prime Ministers, private assistants, and media organizations.
The totality of GhostNet control over an infected computer is startling. A hacker can use a tool called GhostRAT to log in to an infected computer, download any file, engage keystroke logging, or even remotely turn on a microphone or webcam. Personal details and contact information are then mined from the infected computer and is in turn used to propagate the malware in the form of an e-mail attachment from a trusted source. If the attachment is executed by a recipient, the document will load without any problems, often leaving no indication that the computer has been infected.
GhostNet represents a stunning example of low-cost, decentralized intelligence gathering. The report however was not able to conclusively discover the party or purpose behind GhostNet.
Most circumstantial evidence in the report indicates Chinese government involvement: The potential ‘high value’ of the intelligence being collected, the targeting of Tibetan and Taiwanese organizations, and the fact that hacker IP addresses repeatedly linked back to Hainan Island, home of the Lingshui signals intelligence facility and the Third Technical Department of the PLA.
However, all of this evidence is of course circumstantial, and the report was unable to identify the kind of data being downloaded off of compromised computers. Beijing has responded to allegations of government involvement with firm denial, even going so far as to suggest that the report’s findings are a propaganda campaign conducted by the Tibetan government in exile.
GhostNet is certainly in keeping with the PLA’s strategic outlook. PLA doctrine regards cyberspace as an extremely important arena; one in which China could possibly redress the existing imbalance between China and the United States in conventional weaponry. U.S military reliance on computer systems is seen as a vulnerability that can be exploited through information warfare. It is therefore assumed that the PLA engages in peacetime computer network operations as a way to hone training and build a pre-emption capacity that could be relied on in the event of a future conflict.
It is also possible that a nationalist third party is behind GhostNet, operating with or without the approval of the Chinese government. There have been many recorded instances of patriotic Chinese hackers taking on their own assignments in the form of denial of service attacks and webpage vandalism. One of the 250 hacker groups operating within China could have taken it upon themselves to gather sensitive intelligence in the hope of eventually selling it to the government.
Finally, it is entirely possible that the perpetrators behind GhostNet have nothing to do with the Chinese government. While it is true that most of GhostNet’s command and control servers are located in China, some are located in South Korea and the United States. The Chinese servers could just be feints aimed at deflecting suspicion from another party. It would not be the first time that Chinese servers have been compromised and used in this fashion. Individual profit is also a potential motivating factor. The ‘high value’ nature of the information on infected computers could sell at a premium to criminal networks, or other foreign governments.
Whoever the culprits, GhostNet represents a potential sea-change in the intelligence gathering field. In this case, computer malware was able to gain access to information that would otherwise require a high-cost covert operative.
Zachary Fillingham is a contributor to Geopoliticalmonitor.com