China’s Cyber Activities that Target the United States, and the Resulting Impacts on U.S. National Security

Source: http://www.uscc.gov/annual_report/2009/09report_chapters.php

The “GhostNet”

In March 2009, researchers of the Information Warfare Monitor—a collaborative initiative of The SecDev Group, a think tank based in Ottawa, Canada, and the Citizen Lab, an interdisciplinary information technology and social science research institute based at the University of Toronto406—released a highly detailed report on their research into a wide-ranging cyber espionage network. Their forensic investigation revealed that the network, which they came to call “GhostNet,” had infected 1,295 host computers in 103 different countries around the world, many of them belonging to embassies, ministries of foreign affairs, and other high-profile government targets.407 While Information Warfare Monitor could not conclusively identify GhostNet’s operators, the circumstantial evidence surrounding GhostNet’s pattern of activity strongly suggested Chinese state involvement.
The Information Warfare Monitor forensic investigation started in the summer and autumn of 2008 with examinations of computers used by the personal office of the Dalai Lama; the Tibetan government-in-exile in Dharamsala, India; and Tibetan government-in-exile offices in New York, Brussels, and London. The researchers found multiple computers that had been infected with malicious software (malware) implanted by e-mails masquerading as legitimate messages sent either by professional contacts or by persons politically sympathetic to the intended victim. The e-mails contained either attached documents or Internet links that, when activated, installed malware. This malware would later connect to an external control server and download additional malware, including a remote administration tool (RAT) titled “gh0st RAT.” “gh0st RAT” is a Trojan horse* that allows an attacker to remotely take full, real-time control of the computer. Once gh0st RAT was installed, the attacker could exfiltrate files, log keystrokes, and activate Webcams, among many other functions, all without the knowledge of the computer’s legitimate operator.408
By intentionally infecting a computer with the GhostNet malware, the Information Warfare Monitor researchers were able to observe the network’s activities and thereby identify the external servers issuing instructions to infected computers. They identified 26 “command and control” servers for GhostNet, all of which were located in China.409 The team also found that the control interface to the GhostNet network used the Chinese language.410
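The deliberate-infection technique described above turns on recognising the RAT’s traffic on the wire and noting where it goes. The following Python is an added example, not code from the report or from the Information Warfare Monitor: it parses the widely documented gh0st RAT framing (a 5-byte ASCII magic, “Gh0st” in the original tool; a little-endian 32-bit total frame length that includes the 13-byte header; a little-endian 32-bit uncompressed body length; then a zlib-compressed body) and counts, per destination host, how many well-formed frames a sandboxed host sent it, which is one way to pick command-and-control candidates out of a capture. The framing details are a description of the common gh0st variants and are an assumption here, not something the report states; later variants change the magic, which is why it is a parameter rather than a constant. The flows, hostnames and IP addresses in the sample are constructed.

```python
"""Identify gh0st RAT-style command-and-control traffic in captured flows.

Added example, not from the USCC report. Assumes the commonly documented
gh0st framing: magic (5 bytes, "Gh0st" in the original tool), uint32 LE
total frame length (header included), uint32 LE uncompressed body length,
then a zlib-compressed body. Variants change the magic, so it is a parameter.
"""
import struct
import zlib
from dataclasses import dataclass
from typing import Dict, Iterable, Iterator, Optional, Tuple

HEADER_LEN = 13  # 5-byte magic + two little-endian uint32 fields
DEFAULT_MAGIC = b"Gh0st"


@dataclass
class Gh0stFrame:
    magic: bytes
    total_len: int   # frame length on the wire, header included
    body_len: int    # declared uncompressed body length
    body: bytes      # decompressed body (opcode byte followed by data)


def build_frame(body: bytes, magic: bytes = DEFAULT_MAGIC) -> bytes:
    """Build one frame in the assumed format; used here only to construct sample traffic."""
    compressed = zlib.compress(body)
    total = HEADER_LEN + len(compressed)
    return magic + struct.pack("<II", total, len(body)) + compressed


def parse_frame(buf: bytes, magic: bytes = DEFAULT_MAGIC) -> Optional[Gh0stFrame]:
    """Return the frame at the start of buf, or None if it is not a well-formed frame.

    Every check is a cheap way to reject forged or truncated headers before
    handing attacker-controlled bytes to zlib.
    """
    if len(buf) < HEADER_LEN or buf[:len(magic)] != magic:
        return None
    total_len, body_len = struct.unpack("<II", buf[5:HEADER_LEN])
    if total_len < HEADER_LEN or total_len > len(buf):
        return None  # declared length does not fit the data we actually hold
    try:
        body = zlib.decompress(buf[HEADER_LEN:total_len])
    except zlib.error:
        return None
    if len(body) != body_len:
        return None  # declared uncompressed length disagrees with reality
    return Gh0stFrame(magic, total_len, body_len, body)


def iter_frames(stream: bytes, magic: bytes = DEFAULT_MAGIC) -> Iterator[Gh0stFrame]:
    """Walk a reassembled TCP stream, yielding consecutive frames; stop at the first malformed one."""
    offset = 0
    while offset < len(stream):
        frame = parse_frame(stream[offset:], magic)
        if frame is None:
            return
        yield frame
        offset += frame.total_len


def c2_candidates(flows: Iterable[Tuple[str, str, bytes]],
                  magic: bytes = DEFAULT_MAGIC) -> Dict[str, int]:
    """Map each destination host that spoke the framing to the number of frames seen.

    flows: (source host, destination host, reassembled payload) triples.
    """
    hits: Dict[str, int] = {}
    for _src, dst, payload in flows:
        count = sum(1 for _ in iter_frames(payload, magic))
        if count:
            hits[dst] = hits.get(dst, 0) + count
    return hits


# Constructed sample traffic from a deliberately infected sandbox host (hypothetical addresses):
# two valid frames to a made-up control server, one benign HTTP request, and one forged header
# whose declared length exceeds the bytes on the wire.
SAMPLE_FLOWS = [
    ("10.0.0.5", "203.0.113.10",
     build_frame(b"\x01hostname=victim-pc") + build_frame(b"\x02keystrokes")),
    ("10.0.0.5", "198.51.100.7", b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    ("10.0.0.5", "203.0.113.10", DEFAULT_MAGIC + struct.pack("<II", 9999, 5) + b"junk"),
]

if __name__ == "__main__":
    for host, n in c2_candidates(SAMPLE_FLOWS).items():
        print(f"{host}: {n} gh0st-style frame(s)")
```

The length checks matter in practice: a capture from a sandbox contains whatever the implant and the server chose to send, so the parser treats the declared lengths as untrusted and refuses to decompress anything that does not fit the bytes it holds. Once candidate hosts are listed, the IP addresses can be resolved and geolocated separately, which is the step the researchers used to place the control servers.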
The report also provides at least one concrete example that directly links Chinese intelligence officials to Internet monitoring of Tibetan exile groups. It describes the case of a young woman who had worked for two years in Dharamsala for a Tibetan nongovernmental organization named “Drewla,” an online outreach initiative founded in 2005 that uses Tibetans with Chinese language skills to engage young Chinese in online discussions.411 When attempting to enter Tibet from Nepal to visit her family, she was arrested and detained for two months. During this time, she was interrogated by PRC intelligence officials, who presented her with transcripts of her Internet chats. She was warned that her group was under surveillance and that its members were not welcome to return to Tibet.412
The report is cautious in ascribing responsibility for GhostNet and warns against a “rush to judgment in spite of circumstantial and other evidence.” In its conclusion, however, the report does state that

[the explanation] in which the circumstantial evidence tilts the strongest, would be that this set of high profile targets has been exploited by the Chinese state for military and strategic-intelligence purposes … many of the high confidence, high-value targets that we identified are clearly linked to Chinese foreign and defence policy, particularly in South and South East Asia. Like radar sweeping around the southern border of China, there is an arc of infected nodes from India, Bhutan, Bangladesh and Vietnam, through Laos, Brunei, Philippines, Hong Kong, and Taiwan. Many of the high profile targets reflect some of China’s most vexing foreign and security policy issues, including Tibet and Taiwan.413
One of the authors of the GhostNet report, Rafal A. Rohozinski, principal and chief executive officer of The SecDev Group and advisory board member of the Citizen Lab at the University of Toronto, testified before the Commission in April 2009 and agreed to a follow-on interview with Commission staff in September 2009. Mr. Rohozinski was cautious in ascribing GhostNet’s activity to the Chinese government but stated that “all the circumstantial evidence does point to a network which, in effect, is Chinese operated.” He also indicated that, based on analysis of Internet Protocol addresses, the team believed with “a high degree of confidence that the attackers were located in Hainan Island in China.”414
Mr. Rohozinski also identified characteristics of GhostNet that indicated state sponsorship rather than the work of cyber criminals. He noted that the network was directed toward the collection of political intelligence rather than financial or personal data of interest to cyber criminals and that the particular targets—such as Tibetan exile groups and government ministries—were unlikely targets for profitable financial fraud.415 He also noted that while the collection methods of GhostNet were relatively low-tech,

[t]he requirements that would be needed to put in place to exploit the information gathered through [GhostNet] do require a scale larger than a small [nongovernmental organization]. Why? Linguistically, 103 different targets, including the Prime Minister’s Office of Laos, the Israeli Consulate in Hong Kong, the Russian Embassy in Beijing, the Iranian Foreign Ministry, requires linguistic skills as well as domain expertise in terms of being able to know what to look for and what to make of it.416
This analysis suggests that while GhostNet’s methods for the collection of information were available to semiskilled private hackers, effective exploitation and analysis of that material probably required state resources. Mr. Rohozinski suggested that the intelligence collection of GhostNet likely represented state-sponsored activity carried out by private actors working on behalf of the government. As he stated,

[O]ur suspicion is that this was an operation which was essentially outsourced to third parties, essentially third-party actors possessing the equivalent of a letter of marque, legal pirates of the state, which had either some contractual arrangements or had some assurance of financial remuneration or reward in return for maintaining a specific kind of network such as this.
In support of this analysis, Mr. Rohozinski noted signs that GhostNet involved attackers from multiple vectors, with forensic analysis showing the affected computers to contain multiple infections of malware, “which means that it wasn’t just one GhostNet, it was a multiple of GhostNets.”417 This analysis, which postulates private hacking groups undertaking intelligence collection under the sponsorship of the government, accords with the view of one of the leading western analysts of Chinese hacker organizations.418 It also accords with activity discernible in human espionage and illegal technology acquisition conducted on behalf of the PRC, in which multiple private “entrepreneurial” actors are at work, and even in competition with one another, to procure information and technology on behalf of PRC institutions. (For more on this latter topic, see chap. 2, sec. 3, of this Report, “China’s Human Espionage Activities that Target the United States, and the Resulting Impacts on U.S. Security.”)