Cyber-Spy Probe Sought

A cyber-espionage researcher calls on China to open a probe into attacks he says are being launched from within the country.

Share on WhatsApp
Share on WhatsApp
China-Internet-Cafe-305.jpg Chinese netizens surf the Web at an Internet cafe in Hefei, in central China's Anhui province, Jan. 25, 2007.

WASHINGTON—A Canadian researcher who helped uncover a far-reaching cyber-espionage network largely based in China has called on the Chinese government to investigate.

While evidence shows the source of the spy network to be located in China, the researcher stopped short of accusing the Chinese government or government-sanctioned groups there of responsibility.

Greg Walton, from the University of Toronto’s Munk Centre for International Studies, said he was disappointed by the Chinese government’s reaction to a report documenting his findings.

"Unfortunately the [official] New China News Agency, Xinhua, has been deliberately confusing our report with a report from the University of Cambridge … We certainly don’t say that it is in fact the Chinese [government]," Walton said.

China has a responsibility to investigate this."

Greg Walton, Munk Centre for International Studies

"We would like to perhaps reach out to the Chinese government. If this is not the Chinese government, then they should mount a criminal investigation to investigate who is behind these attacks because … there is overwhelming circumstantial evidence that these attacks are coming from computers based in China," he said.

"China has a responsibility to investigate this," Walton said.

Two computer researchers at Cambridge University in Britain released an independent report in which they fault China's government for the attacks and warn that other hackers could adopt similar tactics.

Chinese officials have dismissed the Canadian report as a ploy by groups looking to punish China at a time when the country has gained global political and economic clout.

But Walton’s group called the cyber-attacks “major disruptive capabilities that the professional information security community, as well as policymakers, need to come to terms with rapidly.”

Some international law-enforcement and intelligence agencies have expressed “considerable interest" in the report, he said, but he declined to elaborate.

Extensive targets

Walton and his colleagues found that a cyber-espionage network known as GhostNet has infected some 1,295 computers in 103 countries and broken through government systems containing sensitive information.

The Tibetan government-in-exile commissioned the report to investigate a possible computer system security breach. But the researchers found that attacks had targeted a much wider range of systems.

“I first reported this in 2002 in The South China Morning Post. That’s when Tibetan groups that I’m associated with started to receive this malware,” Walton said.

The term "malware" refers to software that is designed to infiltrate or damage a computer system without the user's knowledge or consent.

Walton said he formed a working group with several researchers in 2005 and started to systematically collect malware samples they found had come from China.

“It was a two-phase investigation, so the investigation did indeed begin with the office of His Holiness [the Dalai Lama] and then proceeded to the Tibetan [exile] government and Tibetan NGOs," he said.

The second phase, in Toronto, "uncovered what we call GhostNet, the cyber-espionage network,” Walton said.

“Throughout 2008 I investigated nearly every malware sample that was sent to me from people all over the world including Tibetans, Falun Gong, human rights groups, scholars, lawyers, intellectuals, trade unions—many people who had been targeted, it seemed, by people in China,” he  said.

Remotely controlled

The 10-month study, in conjunction with Ottawa-based think tank SecDev Group, found that attack tools used by the GhostNet system allowed mostly China-based computers to retrieve documents and to remotely turn on Web cameras and audio systems to monitor usage.

“What happens is an email message will arrive in your inbox from someone that you know and someone that you trust. They’ll pick up a thread of conversation that you’ve been having in the past and they’ll ask you to open an attachment,” Walton said.

Walton said a user opening the attachment would see a benign file, such as a Word document, but that a “trojan” virus would simultaneously hide itself on the computer’s hard drive.

“That ‘trojan’ will then phone back to a computer, a control server which is almost invariably located in China, and will start to receive instructions from that control server,” Walton said.

“The control server will then be able to completely take over your computer. They’ll be able to see your hard drive, read your emails, and retrieve documents from your computer,” he said.

The report said GhostNet had infected multiple Tibetan computers, providing attackers with access to potentially sensitive information such as documents from the office of the Dalai Lama.

But GhostNet also targeted the systems of foreign-based embassies of mostly Asian countries including Thailand, Taiwan, Indonesia, and Malaysia, among others.

Tibetan compromise unclear

Walton said it's hard to know how much information from the Tibetan computer system was compromised, but he described monitoring some of the attacks as they happened.

“Whilst I was in the private office of His Holiness the Dalai Lama, we saw a hacker, seemingly based in China, retrieving sensitive documents,” Walton said.

“We found an email contact list of dignitaries that His Holiness had met with being removed from the computer, and even more sensitively, we found a document which referred to His Holiness’s negotiating position with the Beijing government.”

Thupten Samphal, spokesman for the Tibetan government-in-exile in Dharamsala, said information taken from the computer systems wasn't sensitive, but he cited concern over how the information might be used.

“Our government is a democratic transparent government. We have nothing to hide. We’re concerned about who hacked our system,” Thupten Samphal said.

The Dalai Lama said last week that regardless of who is hacking into the computers, the stolen information appears to end up in the hands of the Chinese government.

While he stopped short of directly blaming Beijing for the cyber-assault, the Dalai Lama said people seeking his audience through email requests would find their requests read in Beijing.

“Before that particular person asks for an Indian visa, the Chinese already [have] protested to the Indian government. Such things happen,” he said.

The prime minister of the Tibetan government-in-exile Samdhong Rinpoche went further, saying Chinese officials are complicit in the attacks.

“The involvement of the Chinese authorities is quite clear for the last several years … so whatever correspondence is there in our computer system, it reaches them and they are able to act on them,” he said.

China allegations

Ron Diebert, another researcher from the University of Toronto-based team, said the ways computer systems were violated “circumstantially point to China as the culprit,” but he couldn't say for sure whether Beijing was behind the attacks.

“Regardless of who or what is ultimately in control of GhostNet, it is the capabilities of exploitation, and the strategic intelligence that can be harvested from it, which matters most,” Diebert said.

“This report underscores the growing capabilities of cyber-attacks, the ease by which cyberspace can be used as a vector for signals intelligence, and the importance of taking information security seriously by security professionals and policymakers worldwide,” he said.

Chinese denial

Foreign ministry spokesman Qin Gang told journalists last week that allegations about China’s use of computer spies to hack into the computers of high-level political, economic, and media offices were “lies” created by people seeking to hurt the country’s reputation.

“China pays great attention to computer network security and resolutely opposes and fights any criminal activity harmful to computer networks, such as hacking,” Qin said.

“Some people outside China now are bent on fabricating lies about so-called Chinese computer spies.”

“Their attempt to tarnish China with such lies is doomed to failure,” he said.

Last November, a U.S. congressional panel also warned against a growing Chinese cyber-warfare program capable of breaching U.S. computer networks and stealing sensitive information.

Chinese authorities have also actively engaged the Internet as a means of quieting dissent, blocking some Web sites, and sometimes conducting anti-pornography campaigns as a cover for shutting down dissident sites.

Original reporting by Xin Yu, Xi Hong, and Wen Jian for RFA’s Mandarin service and by Lhundup Tashishar and Ngawang Chopel Lolowogma for RFA’s Tibetan service. Mandarin service director: Jennifer Chou. Tibetan service director: Jigme Ngapo. Translated by Ping Chen and Jigme Ngapo. Written in English by Joshua Lipes. Edited by Sarah Jackson-Han.


Add your comment by filling out the form below in plain text. Comments are approved by a moderator and can be edited in accordance with RFAs Terms of Use. Comments will not appear in real time. RFA is not responsible for the content of the postings. Please, be respectful of others' point of view and stick to the facts.

View Full Site