Research

Villeneuve, N. (2010). Koobface: Inside a Crimeware Network.

This report documents the inner workings of Koobface—a botnet that spreads by compromising the computers of users of social networking platforms and placing them under the control of the botnet’s operators for the purpose of monetization.

Between April and November 2010, the Information Warfare Monitor conducted an investigation into the operations and monetization strategies of the Koobface botnet. The researchers discovered archived copies of Koobface’s infrastructure on a well-known Koobface command and control server. The data revealed a wealth of information about the inner workings of the botnet, including information on the malware, code, and database used to maintain the botnet as well as its monetization strategies. With this data, the Information Warfare Monitor was able to gain an in-depth understanding of how Koobface worked.

Koobface: Inside a Crimeware Network details Koobface’s propagation strategies, counter-security measures, and business model. The report contributes to the cybercrime literature by shedding light on the malware ecosystem that enables and sustains cybercriminal activity, and by demonstrating that it is possible to leverage the mistakes made by cybercriminals in order to better understand the scope of their operations.

Information Warfare Monitor. (2010). Shadows in the Cloud: Investigating Cyber Espionage 2.0.

The report documents a complex ecosystem of cyber espionage that systematically targeted and compromised computer systems in India, the Offices of the Dalai Lama, the United Nations, and several other countries.

The investigation recovered a large quantity of stolen documents – including sensitive and classified materials – belonging to government, business, academic, and other computer network systems and other politically sensitive targets. These include documents from agencies of the Indian national security establishment, and the Offices of the Dalai Lama. The stolen data included information voluntarily provided to Indian embassies and consulates by third-party nationals, including Canadian visa applications, as well as those belonging to citizens of other countries. Additionally, sensitive personal, financial, and business information belonging to Indian officials was systematically harvested and exfiltrated by the attackers.

The report analyzes the malware ecosystem employed by the Shadows’ attackers. The system leveraged multiple redundant cloud computing systems, social networking platforms, and free web hosting services in order to maintain persistent control while operating core servers located in the People’s Republic of China (PRC). Although the identity and motivation of the attackers remain unknown, the report provides evidence that the attackers operated or staged their operations from Chengdu, PRC.

Information Warfare Monitor. (2009). Tracking GhostNet: Investigating a Cyber Espionage Network.

This report documents the GhostNet – a suspected cyber espionage network of over 1,295 infected computers in 103 countries, 30% of which are high-value targets, including ministries of foreign affairs, embassies, international organizations, news media, and NGOs.

The capabilities of GhostNet are far-reaching. The report reveals that Tibetan computer systems were compromised giving attackers access to potentially sensitive information, including documents from the private office of the Dalai Lama. The report presents evidence showing that numerous computer systems were compromised in ways that circumstantially point to China as the culprit. But the report is careful not to draw conclusions about the exact motivation or the identity of the attacker(s), or how to accurately characterize this network of infections as a whole. The report argues that attribution can be obscured.

The report concludes that who is in control of GhostNet is less important than the opportunity for generating strategic intelligence that it represents. The report underscores the growing capabilities of computer network exploitation and the ease with which cyberspace can be used as a vector for a new do-it-yourself form of signals intelligence. It ends with a warning to policy makers that information security requires serious attention.

Villeneuve, N. (2008). Breaching Trust: An analysis of surveillance and security practices on China’s TOM-Skype platform.

This report reveals troubling security and privacy breaches affecting TOM-Skype – the Chinese version of the popular voice and text chat software Skype, marketed by the domestic Chinese company TOM Online. TOM-Skype routinely collects, logs and captures millions of records that include personal information and contact details for any text chat and/or voice calls placed to TOM-Skype users, including those from the Skype platform. These records are kept on publicly-accessible servers, along with the information required to decrypt these log files. These files contain the full text of chat messages sent and/or received by TOM-Skype users that contain particular keywords that trigger TOM-Skype’s content-filtering capability.

The collected data affects all TOM-Skype users and also captures the personal information of any Skype users that interacted with registered TOM-Skype users. This represents a severe security and privacy breach. It also raises troubling questions regarding how these practices are related to the Government of China’s censorship and surveillance policies. The captured messages contain keywords relating to sensitive topics such as Taiwan independence, the Falun Gong, and political opposition to the Communist Party of China.

These findings raise key questions. To what extent do TOM Online and Skype cooperate with the Chinese government in monitoring the communications of activists and dissidents as well as ordinary citizens? On what legal basis is TOM-Skype capturing and logging this volume and detail of personal user data and communication, and who has access to it?

Related Work

Deibert R. and Rohozinski, R. (2010) “Beyond Denial: Introducing Next-Generation Information Access Controls.” In Access Controlled: The Shaping of Power, Rights, and Rule in Cyberspace, ed. Deibert R., Palfrey, J., Rohozinski, R., Zittrain, J. MIT Press.

Next-generation techniques employ the use of legal regulations to supplement or legitimize technical filtering measures, extralegal or covert practices, including offensive methods, and the outsourcing or privatizing of controls to “third parties,” to restrict what type of information can be posted, hosted, accessed, or communicated online. Examples of next generation techniques include the infiltration and exploitation of computer systems by targeted viruses and the employment of distributed denial-of-service (DDoS) attacks, surveillance at key choke points of the Internet’s infrastructure, legal takedown notices, stifling terms-of-usage policies, and national information-shaping strategies.

They emerge from a desire to shape and influence as much as tightly control national and global populations that are increasingly reliant on cyberspace as their main source of information. These next-generation controls raise important and sometimes troubling public policy issues—particularly for the relationship between citizens and states.

Deibert, R. and Rohozinski, R. (2010). “Control and Subversion in Russian Cyberspace.” In Access Controlled: The Shaping of Power, Rights, and Rule in Cyberspace, ed. Deibert R., Palfrey, J., Rohozinski, R., Zittrain, J. MIT Press.

In our chapter, we explore this seeming disjuncture between authoritarianism in the CIS and the relative freedom enjoyed in Russian cyberspace, commonly known as RUNET. We argue that attempts to regulate and impose controls over cyberspace in the CIS are not necessarily absent (as ONI testing results may suggest) but are different than in other regions of the world. We hypothesize that CIS control strategies have evolved several generations ahead of those used in other regions of the world (including China and the Middle East). In RUNET, control strategies tend to be more subtle and sophisticated and designed to shape and affect when and how information is received by users, rather than denying access outright.

Collings, D. & Rohozinski, R. (2009). “Bullets and Blogs: New Media and the War Fighter.”

The explosive growth of new media within the Global Information Environment (GIE) presents sustained challenges and opportunities for the U.S. military. In recent years, adversaries – armed with new media capabilities and an information-led warfighting strategy – have proven themselves capable of challenging the most powerful militaries in the world. The current and future geo-strategic environment requires preparation for a battlespace in which symbolic informational wins may precipitate strategic effects equivalent to, or greater than, lethal operations.

In order to address these new media challenges, the U.S. Army War College (USAWC), Center for Strategic Leadership in partnership with the SecDev Group (Canada) hosted a workshop entitled “Bullets and Blogs: New Media and the Warfighter.” This workshop brought together leading practitioners from the Department of Defense, Department of State, Intelligence Community, and experts from academia. This report is a synthesis of workshop discussions in terms of key takeaways addressing what is required to “win” in today’s operational environment, where cyberspace and new media capabilities are significant components of the battlespace.

Deibert, R. & Rohozinski, R. (2008). “Good for Liberty, Bad for Security? Global Civil Society and the Securitization of the Internet.” In Access Denied: The Practice and Policy of Global Internet Filtering, ed. Deibert R., Palfrey, J., Rohozinski, R., Zittrain, J. MIT Press.

The spectacular rise and spread of NGOs and other civil society actors over the past two decades is attributable in part to the emergence and rapid spread of the Internet, which has made networking among like-minded individuals and groups possible on a global scale.

But the technological explosion of global civil society has not emerged without unintended and even negative consequences. Just as progressive and social justice groups have made use of the Internet to advance global norms, so too have a wide variety of resistance networks, militant groups, extremists, criminal organizations, and terrorists. Whereas once the promotion of new information communications technologies (ICTs) was widely considered benign public policy, today states of all stripes have been pressed to find ways to limit and control them as a way to check their unintended and perceived negative public policy and national security consequences.

Collings, D. & Rohozinski, R. (2006). Shifting Fire: Information Effects in Counterinsurgency and Stability Operations - A Workshop Report.

The “Information Operations and Winning the Peace” workshop, held at the U.S. Army War College (USAWC), Carlisle Barracks, Pennsylvania, was a collaboration between the War College’s Center for Strategic Leadership (CSL) and the Advanced Network Research Group, University of Cambridge (UK).

Three case studies drawn from the Israeli-Palestinian conflict served as the “driver” for small group work. These case studies examined aspects of the second Intifada phase of that conflict (circa 2002) and looked at the realities and challenges of managing “information effects” in a counterinsurgency at the tactical, operational and strategic levels. The case studies provided a jumping off point for discussion of the issues and challenges facing U.S. and coalition militaries in adapting to the complexities of the “long war.” The workshop was an unclassified event, and the Israeli-Palestinian case studies allowed participants to engage issues without prejudice or risk to on-going operations.

Deibert R. & Stein J. (2003). “Social and Electronic Networks in the War on Terror,” in Robert Latham, (ed.) Bombs and Bandwidth: The Emerging Relationship between IT and Security, New York: Free Press.

Rohozinski, R. (2003). “Bullets to Bytes: Reflection on ICT and ‘Local’ Conflicts,” in Robert Latham, (ed.) Bombs and Bandwidth: The Emerging Relationship between IT and Security, New York: Free Press.

Information Technology (IT) has become central to the way governments, businesses, social movements and even terrorist and criminal organizations pursue their increasingly globalized objectives. With the emergence of the Internet and new digital technologies, traditional boundaries are increasingly irrelevant, and traditional concepts – from privacy to surveillance, vulnerability, and above all, security – need to be reconsidered. In the post-9/11 era of “homeland security,” the relationship between IT and security has acquired a new and pressing relevance. Bombs and Bandwidth, a project of the Social Science Research Council, assembles leading scholars in a range of disciplines to explore the new nature of IT-related threats, the new power structures emerging around IT, and the ethical and political implications arising from this complex and important field.