The article discusses “Big Data”, which refers to “the endless digital grains of sand we produce as we move, think and act” on the Web. Professor Deibert argues that a massive cyber industrial complex has emerged around the commercial exploitation of large volumes of information about each and every one of us. He maintains that civil society, including NGOs like Privacy International, plays a critical role in “maintaining a vigilant watch on the cyber security industrial complex” in order to preserve human rights and democracy.

Click here to read the full article.

Since the publication of that report, there have been several new developments which provide further evidence that Blue Coat technologies are in use in the Burma. These new findings are documented in a new Citizen Lab blog post, Behind Blue Coat: An Update from Burma.

In recent weeks, users of Burmese ISP Yatanarpon Teleport have been presented with a network status message in their web browser which refers to Blue Coat systems. This message is consistent with the manner in which Blue Coat devices present notification messages to users. These findings contribute further evidence that Blue Coat devices are actively in use in Burma.

The Citizen Lab continues to call on Blue Coat to investigate these claims and take action to prevent the further use of its technology in Syria and Burma.

Click here to read the full update.

The venomous furor surrounding WikiLeaks, including charges of “terrorism” and calls for the assassination of Julian Assange, has to rank as one of the biggest temper tantrums in recent years. Granted, it must be frustrating for U.S. government officials and others to see thousands of secret cables splashed across the globe. But stamping feet and lashing out at Assange is simply misdirected anger.

When Assange said that from now on geopolitics would be divided into pre- and post-Cablegate eras, he hit upon something important, but missed the bull’s-eye by overestimating his own organization’s impact on history. We have indeed entered a new era, but not because of WikiLeaks, which is only a symptom of a much larger trend.

As we discovered in our Tracking Ghostnet and Shadows in the Clouds reports, the means to engage in cyber espionage have expanded dramatically because of the shift to networked infrastructures and social networking habits. With Ghostnet, the confidential information of dozens of ministries of foreign affairs, embassies, international organizations and private firms was pilfered by the use of a free (and open source) Trojan horse. In the Shadows in the Clouds case, a likely single attacker vacuumed minutes of the Indian National Security Council secretariat as efficiently as making photocopies during the meeting itself. Cyberspace has brought us the world of do-it-yourself signals intelligence.

Many lament the loss of individual privacy as we leave digital traces that are then harvested and collated by large organizations with ever-increasing precision. But if individuals are subject to this new ecosystem, what would make anyone think governments or organizations are immune? Blaming WikiLeaks for this state of affairs is like blaming a tremor for tectonic plate shifts.

Blaming WikiLeaks for the new state of affairs is like blaming a tremor for tectonic plate shifts.

Certainly a portion of that anger could be mitigated by the conduct of WikiLeaks itself. The cult of personality around Assange, his photoshopped image now pasted across the WikiLeaks Web site, only plays into this animosity. So do vigilante cyberattacks carried out by supporters of WikiLeaks that contribute to a climate of lawlessness and vengeance seeking. If everyone can blast Web sites and services with which they disagree into oblivion — be it WikiLeaks or MasterCard — a total information war will ensue to the detriment of the public sphere.

An organization like WikiLeaks should professionalize and depersonalize itself as much as possible. It should hold itself to the highest possible ethical standards. It should act with the utmost discretion in releasing into the public domain otherwise classified information that comes its way only on the basis of an obvious transgression of law or morality. This has not happened. The latest batch of China cables, for example, shows no evidence of any wrongdoing on the part of the State Department, but they might unintentionally reveal the identities of Chinese dissidents who shared their views with U.S. officials.

WikiLeaks is only a symptom of a much larger phenomenon to which governments, businesses and individuals will all have to get accustomed. Our lives have been turned inside out by a digital world of our own spinning. We will need new rules, norms and principles to adjust to this new environment. Meanwhile, some timeless legal and ethical principles should always apply.

Near the end of a hall in the basement of University of Toronto’s Munk School of Global Affairs, in Room 63, is The Citizen Lab. The room is quiet, save for the staccato click of keyboards. By all appearances, the dozen or so people here, sitting on Ikea office chairs at their computers, are an everyday group of U of T researchers. But it was in this room that the Citizen Lab and its affiliates, part of the Information Warfare Monitor, uncovered an international cyber spy ring that was unprecedented in its scope. The world would never view online security in the same way again.

In 2008, then Citizen Lab researcher Greg Walton traveled to the Dalai Lama’s safe-haven in Dharamsala, India, after catching wind of suspicious online activity taking place against the Tibetan community. Once there, it didn’t take long for him to determine that computers at the Tibetan leader’s offices had been infiltrated with malicious software (better known as malware), and that sensitive files were being surreptitiously uploaded to a server somewhere in China. Walton could see the names of the files that were being accessed and, ominously, was told that one of them was a document concerning the Dalai Lama’s negotiating position with China.

Back in Canada, senior Citizen Lab researcher Nart Villeneuve and other principal investigators at the Information Warfare Monitor conducted a detailed analysis of Walton’s field review. Villeneuve, a tall, affable man with short brown hair, was already a veteran in the realm of online censorship and surveillance. By this time, he had just completed a report titled “Breaching Trust,” after confirming that TOM-Skype (the Chinese version of the popular chat application) was not only censoring certain messages, it was saving them in an archive and logging the IP addresses of its users. His method for exposing the surveillance was genius in its simplicity: he typed expletives into TOM-Skype’s instant messenger and noticed an extra connection, which he followed in Firefox. “There are people who are technically amazing,” he admits. “I’m not one of them.” His report highlighted the dangerous potential for citizens to be monitored while online, but it was small potatoes compared to what the Information Warfare Monitor was about to unearth.

The analysis of Walton’s field report found that the cyber infiltration of the Dalai Lama’s office was far more widespread than it had initially appeared. Many of the computers had been made to form a “botnet”: that’s techie lingo for a collection of computers that have effectively been zombified by malware. In this case, that malware included a powerful Trojan horse known as “gh0st RAT” that gave the attackers complete, real-time control of the infected computers and all the data on them. Every email, document and file on the botnet was accessible by the botnet’s controller.

Like common computer viruses, these attacks can be difficult to detect because their true source can be easily masked. Malware threats could appear in the guise of an innocuous attachment, like a Word document or a PDF, and they could appear to come from an affiliate. “What if they look like they’re from your boss?” Villeneuve asks, describing the various ways hackers get a foot in the door. “What if the message says, ‘The executive director needs you to read this message?’” When the attachment is opened, it silently installs malware that connects to the attacker’s control server. At that point, depending on the complexity of the malware, they can essentially do whatever they want. “Once you open up that PDF, you’re finished,” he continues. After gaining a foothold, attackers could view email, move files back and forth or even operate a webcam.

This time, though, the attackers had made a major mistake by not properly securing access to their command-and-control servers. The ever-persistent Villeneuve had managed to find a website—completely unprotected by a password—that provided access to the source of the attacks. He had performed a simple Google search of a string of characters embedded within the files of gh0st RAT. “When they screw up, you’ve got to catch it,” Villeneuve says.

In order to further monitor the attacks, the Information Warfare Monitor team performed an old-fashioned sting, essentially, except for the fact that it took place entirely online. The plan, in computer parlance, is called “a honeypot,” and involved a bait computer that was set up to entice the attackers. It didn’t take long for the trap to work. Soon, attackers had taken control of the computer and the team in Room 63 was able to watch everything they did.

After more than 10 months of observation, technical scouting and lab analysis, the Information Warfare Monitor uncovered a massive cyber spy network, which it dubbed GhostNet, that had reached far beyond the Tibetan community. The attacks had affected computers across the globe, and had likely compromised a number of diplomatic missions. Infiltrated systems were found in the ministries of foreign affairs in Iran, Bangladesh, Latvia, Indonesia, Philippines, Brunei, Barbados and Bhutan, and the embassies of South Korea, Indonesia, Romania, Cyprus, Malta and Thailand. Eventually, over 1,295 infiltrated computers were revealed in 103 countries, including computers in the NATO headquarters in Brussels and the embassy of India in the US. Researchers were also able to track the IP addresses of the attackers, many of which led to China’s Hainan Island.

The Information Warfare Monitor’s report on the newly discovered spy ring was cautious to accuse the Chinese government of any wrongdoing, stating, “Alternative explanations are certainly possible.” Hainan Island, though, isn’t just an idyllic vacation spot in the South China Sea. It also happens to be the site of the Lingshui intelligence facility that, according to globalsecurity.org, houses more than 1,000 intelligence analysts of the Third Technical Department of the People’s Liberation Army. Villeneuve, for his part, thinks that the location of the offending IP addresses is purely coincidental. The Chinese government, of course, denied any involvement in hacking, but a separate 2009 report from the University of Cambridge concluded that Chinese agents had, in the past, infiltrated the computer system at the office of the Dalai Lama. In light of the uncertainty of following digital footprints, however, speculation is futile. “People ask, ‘When are you going to find the smoking gun?’” Villeneuve says. “It’s not going to happen; it’s impossible.”

This investigation into GhostNet was conducted by civilian researchers at a university, not a government or military organization. Still, as threats like the one posed by GhostNet continue to grow, Canada has yet to establish a formal domestic or foreign cyberspace strategy. The Canadian Cyber Incident Response Centre is geared towards cyber protection on a national level, but at the moment it merely handles incident reports, Villeneuve says. Meanwhile, any NGO or individual here who falls victim to the scourge of cyber attacks is, essentially, on their own to deal with it.

This kind of activity, as disturbing as it currently is, will only get worse, according to Villeneuve. He admits that a well-executed cyber attack on certain targets could be devastating (“Why would you go and blow up a bridge,” he wonders, “if you could hack the radio frequency that controls opening and closing it?”), but he’s no doomsayer, and is careful to avoid exaggerating the ability of computer hackers to wage all-out cyber war by affecting the services we depend on. “Within the community, there are those who think it is likely,” he says, “but I’d say opinion is divided.”

Not so with Richard Clarke, a trusted authority on the subject, who believes that the threat of international cyber war is very real. Clarke served as the chief counterterrorism advisor to presidents Clinton and George W. Bush, and in 2001, months before the September 11 attacks, tried in vain to convince the Bush administration of the likelihood of an impending strike by al-Qaeda. In a recent interview on National Public Radio’s Fresh Air, he painted a bleak scenario in which computer hackers are able to wreak widespread havoc at the touch of a keyboard.

“What could cyber-war do? It could derail trains all over the country,” he told NPR. “It could blow up pipelines. It could cause blackouts and damage electrical power grids so that the blackouts would go on for a long time. It could wipe out or confuse financial records so that we would not know who owned what, and the financial system would be badly damaged.”

Clarke goes so far as to suggest a cyber arms race is already under way between nations like the US and China. Citing The Wall Street Journal and other reputable news organizations, Clarke points out the possibility that China has already planted “logic bombs” within the American power grid, so that in a period of tension Chinese cyber-spies could systematically and anonymously shut down targeted power systems. If that’s the case, Clarke continues, then the US has likely reciprocated any such virtual warfare.

This all may reek of sensationalism, but critical infrastructure has been the target of hackers in the past. In 2000, Vitek Boden, a recently fired employee from an Australian sewage treatment plant, used his laptop and some radio equipment to gain control of some 140 sewage pumping stations. From a safe distance away from the plant, he was able to cause millions of gallons of noxious sludge to spill into nearby rivers and parks before eventually getting arrested. Boden had taken advantage of vulnerabilities in a software system known as Supervisory Control and Data Acquisition (SCADA). Many industrial and infrastructure processes, like power generation, water treatment, oil pipelines, and railways are dependent on this type of software. The fact that these systems do not always connect to the Internet does not make them safe, partly because they often rely on radio signals to control devices. In this case, Boden was able to wirelessly usurp control of the plant he formerly worked at. As an ex-employee, he was intimately familiar with that SCADA system in a way that no foreign cyber attacker would be, but it still illustrates the potential for critical infrastructure to be hacked.

Blackouts, in particular, have had a penchant for stirring up speculations of cyber terrorism. In a speech last year, US President Barack Obama said, “In other countries cyber attacks have plunged entire cities into darkness.” Obama didn’t get any more specific than that, but a massive 2007 blackout in Brazil was attributed by CBS’s 60 Minutes to a cyber attack. The news program used several anonymous sources to support its case, but the Brazilian government would later deny the claims, according to Wired magazine, citing sooty insulators as the cause. A Brazilian official said that he investigated the claims and found no evidence of a hacker attack, adding that Brazil’s electric operating systems are not directly connected to the Internet. The true trigger of that blackout may never be known, but the power grid remains a concern for hacker vulnerability.

Recall 2003, when eight US states and parts of Canada—over 50 million inhabitants—lost power in the biggest blackout in North American history. While no cyber terrorists have been implicated in that mishap, there was likely a cyber element to it. The official story is that some power lines in Ohio had brushed against a few overgrown trees, causing a fault that should have been easy to contain. A series of failures prevented technicians from stopping the problem until it got out of hand, and one of those failures, as Wired would later report, may have been a software glitch that stopped an alarm from alerting power system operators. Other news organizations have reported that the Blaster worm—which was making its rounds on the Internet at the time—may have increased the severity of the blackout. No hackers, perhaps, but the point remains that where critical infrastructure is concerned, compromised software often equates to compromised services.

Professor Paul T. Mitchell, from the Canadian Forces College in Toronto—where future generals go to learn the art of advanced warfare—is presently conducting research on the impact of networks on military operations and is due to publish additional findings in early 2011.

Canada has been slow to adapt to cyber threats, but Mitchell downplays the severity of the issue. “My opinion on the subject is that while cyber security is undoubtedly an important national and even personal security issue, it is much like crime,” he says. “Unchecked, it can pose real problems for stability, but it is something that can be effectively kept in a box by governments. The effects of a successful major cyber assault can be compared more to the effects of a significant weather event, like a major snowstorm. While normal services are affected, the threat to life and limb are secondary to the attack and limited in numbers.” He does not share Clarke’s bleak outlook. “Electronic Pearl Harbours make for good copy, but the reality of pulling off such a stunt is highly complex and difficult to do.”

It may let paranoid Canadians sleep a bit better knowing that they are unlikely to wake up to a world where everything from their toaster to traffic signals can crash as the result of a cyber strike. And Dr. Mitchell makes his case by saying, “The concept [of cyber war] has been around for nearly 20 years and yet no one single instance of such an attack has yet occurred. If this is such a strategic mace to be used, why hasn’t it?”

NEW DELHI: Reports of a China-based cyber spy network targetting the Indian military and the consequent alert sounded by Army authorities may be only the tip of the iceberg — investigations have revealed a fully dedicated India-specific espionage system aimed at business, diplomatic, strategic and academic interests.

The detailed research and investigations carried out by Canada-based authors of the report ‘Shadows in the Cloud’ and experts from India’s NTRO have pointed to a command and control system that used free web-hosting services and social networking sites like Twitter, Baidu blogs and Google. These accounts were manipulated by a “core” of servers based in Chengdu in China.

The report, released in early April, received fairly wide publicity but its fuller implications are only now beginning to sink in. The largely India-centric cyber warfare system is described as “son of ghost net”, an allusion to a Chinese effort to infiltrate the Tibetan exile community. The current investigations also began in Dharamshala but revealed a larger intent linked to an underground hacking community in Chengdu.

An email used in ghostnet turned up in the Shadows probe as well and is identified as losttemp33@hotmail and was associated with Xfocus and Isbase, two popular Chinese hacking forums and possibly was a student of master hackers Glacier and Sunwear. The individual is believed to have studied at University of Electronic Science and Technology at Chengdu in Sichuan.

The Canadian team used a domain name system (DNS) sinkhole to turn IP addresses into domain names by grabbing suspect servers abandoned after ghostnet investigations. The list of compromised Indian computers is disturbing: machines at Indian missions at Kabul, Moscow, Dubai, Abuja, US, Serbia, Belgium, Germany, Cyprus, UK and Zimbabwe were infected.

A machine at the National Security Council Secretariat was tapped as were computers at military engineering services at Kolkata, Bangalore and Jalandhar. Computers linked to the 21 Mountain Artillery Brigade, the Air Force Station at Race Course Road opposite the PM’s residence, the Army Institute of Technology at Pune and Military College of Electronics and Mechanical Engineering at Secunderabad were also compromised.

Thinktanks such as the Institute for Defence Studies and Analyses and publications like India Strategic and FORCE were also targeted as were corporations like DLF Limited, Tata and YKK India. Computers at the National Maritime Foundation and Gujarat Chemical Port Terminal Compnay were also hit.

On-ground investigations at Dharamshala, where the Tibetan exile community is headquartered, showed that computers were beaconing with server ‘jdusnemsaz’ in Chongqing in China. Interestingly, while Chengdu has a military research bureau, Chongqing is host to several triads — criminal networks with connections to the Chinese government and Communist Party.

In a lucky break, the Canadian team was able to recover data being removed by attackers and discovered a list of compromised computers. Registering and monitoring four of the domain names revealed by the earlier ghostnet probe, they reached those used in the shadows network like www.assam2008.net, aaa.msnxy,net, sysroots.net, www.lookbyturns.com and www.macfeeresponse.org.

The investigations showed that the infected email or social networking accounts were infiltrated with malware which then allowed the compromised computer to receive more sophisticated software through attachments. All through, there was a core of master servers based in China that kept a close check on infiltration of computers and transfer of all sorts of documents from personal details to missile analysis to safe drop zones.

http://timesofindia.indiatimes.com/India/Made-in-China-Cyber-spying-system-with-focus-on-India/articleshow/5891039.cms

Crime and espionage form a dark underworld of cyberspace. Whereas crime is usually the first to seek out new opportunities and methods, espionage usually follows in its wake, borrowing techniques and tradecraft. The Shadows in the Cloud report, released today, illustrates the increasingly dangerous ecosystem of crime and espionage and its embeddedness in the fabric of global cyberspace.

As our everyday lives move online, criminals and spies have migrated to this domain. They leverage complex, adaptive attack techniques to take advantage of the fissures that have emerged in an era where “e” is everything. Every new software, social networking site, cloud-computing system, or web-hosting service represents opportunities for the predatory criminal ecosystem to subvert, adapt, and exploit.

The Information Warfare Monitor/ (Citizen Lab, Munk School of Global Affairs, University of Toronto and the SecDev Group, Ottawa) and the Shadowserver Foundation announce the release of Shadows in the Cloud: An investigation into cyber espionage 2.0. FULL REPORT.

The report documents a complex ecosystem of cyber espionage that systematically targeted and compromised computer systems in India, the Offices of the Dalai Lama, the United Nations, and several other countries.

The full report can be accessed here

A New York Times story by John Markoff on the report can be accessed here

Members of the research team are holding a news conference at 11 a.m. on Tuesday, April 6, to discuss their latest findings and to answer questions from the media. The news conference will also be webcast live from: here.

The investigation recovered a large quantity of stolen documents – including sensitive and classified materials – belonging to government, business, academic, and other computer network systems and other politically sensitive targets. These include documents from agencies of the Indian national security establishment, and the Offices of the Dalai Lama. The stolen data included information voluntarily provided to Indian embassies and consulates by third-party nationals, including Canadian visa applications, as well as those belonging to citizens of other countries. Additionally, sensitive personal, financial, and business information belonging to Indian officials was systematically harvested and exfiltated by the attackers.

The report analyzes the malware ecosystem employed by the Shadows’ attackers. The system leveraged multiple redundant cloud computing systems, social networking platforms, and free web hosting services in order to maintain persistent control while operating core servers located in the People’s Republic of China (PRC). Although the identity and motivation of the attackers remain unknown, the report provides evidence that the attackers operated or staged their operations from Chengdu, PRC.

Summary of main findings:

Complex cyber espionage network – Documented evidence of a cyber espionage network that compromised government, business, and academic computer systems in India, the Office of the Dalai Lama, and the United Nations. Numerous other institutions, including the Embassy of Pakistan in the United States, were also compromised. Some of these institutions can be positively identified, while others cannot.

Theft of classified and sensitive documents – Recovery and analysis of exfiltrated data, including one document that appears to be encrypted diplomatic correspondence, two documents marked “SECRET”, six as “RESTRICTED”, and five as “CONFIDENTIAL”. These documents are identified as belonging to the Indian government. However, we do not have direct evidence that they were stolen from Indian government computers and they may have been compromised as a result of being copied by Indian officials onto personal computers. The recovered documents also include 1,500 letters sent from the Dalai Lama’s office between January and November 2009. The profile of documents recovered suggests that the attackers targeted specific systems and profiles of users.

Evidence of Collateral Compromise – A portion of the recovered data included visa applications submitted to Indian diplomatic missions in Afghanistan. This data was voluntarily provided to the Indian missions by nationals of 13 countries as part of the regular visa application process. In a context like Afghanistan, this finding points to the complex nature of the information security challenge where risks to individuals (or operational security) can occur as a result of a data compromise on secure systems operated by trusted partners.

Command-and-control infrastructure that leverages cloud-based social media services – Documentation of a complex and tiered command and control infrastructure, designed to maintain persistence. The infrastructure made use of freely available social media systems that include Twitter, Google Groups, Blogspot, Baidu Blogs, blog.com and Yahoo! Mail. This top layer directed compromised computers to accounts on free web hosting services, and as the free hosting servers were disabled, to a stable core of command and control servers located in the PRC.

Links to Chinese hacking community – Evidence of links between the Shadow network and two individuals living in Chengdu, PRC to the underground hacking community in the PRC.

About the Researcher Collaboration:

This investigation is a result of a collaboration between the Information Warfare Monitor and the Shadowserver Foundation. The Information Warfare Monitor (http://infowar-monitor.net/) is a joint activity of the Citizen Lab, Munk School of Global Affairs, University of Toronto, and the SecDev Group, an operational consultancy based in Ottawa specialising in evidence-based research in countries and regions under threat of insecurity and violence. The Shadowserver Foundation (http://shadowserver.org/) was established in 2004 and is comprised of volunteer security professionals that investigate and monitor malware, botnets, and malicious attacks. Both the Information Warfare Monitor and the Shadowserver Foundation aim to inform the field of cyber security through accurate, evidence-based assessments and investigations.

The Information Warfare Monitor/ (Citizen Lab, Munk School of Global Affairs, University of Toronto and the SecDev Group, Ottawa) and the Shadowserver Foundation announce the release of Shadows in the Cloud: An investigation into cyber espionage 2.0. FULL REPORT.

The report documents a complex ecosystem of cyber espionage that systematically targeted and compromised computer systems in India, the Offices of the Dalai Lama, the United Nations, and several other countries.

The full report can be accessed here

A New York Times story by John Markoff on the report can be accessed here

Members of the research team are holding a news conference at 11 a.m. on Tuesday, April 6, to discuss their latest findings and to answer questions from the media. The news conference will also be webcast live from: here.

The investigation recovered a large quantity of stolen documents – including sensitive and classified materials – belonging to government, business, academic, and other computer network systems and other politically sensitive targets. These include documents from agencies of the Indian national security establishment, and the Offices of the Dalai Lama. The stolen data included information voluntarily provided to Indian embassies and consulates by third-party nationals, including Canadian visa applications, as well as those belonging to citizens of other countries. Additionally, sensitive personal, financial, and business information belonging to Indian officials was systematically harvested and exfiltated by the attackers.

The report analyzes the malware ecosystem employed by the Shadows’ attackers. The system leveraged multiple redundant cloud computing systems, social networking platforms, and free web hosting services in order to maintain persistent control while operating core servers located in the People’s Republic of China (PRC). Although the identity and motivation of the attackers remain unknown, the report provides evidence that the attackers operated or staged their operations from Chengdu, PRC.

Summary of main findings:

Complex cyber espionage network – Documented evidence of a cyber espionage network that compromised government, business, and academic computer systems in India, the Office of the Dalai Lama, and the United Nations. Numerous other institutions, including the Embassy of Pakistan in the United States, were also compromised. Some of these institutions can be positively identified, while others cannot.

Theft of classified and sensitive documents – Recovery and analysis of exfiltrated data, including one document that appears to be encrypted diplomatic correspondence, two documents marked “SECRET”, six as “RESTRICTED”, and five as “CONFIDENTIAL”. These documents are identified as belonging to the Indian government. However, we do not have direct evidence that they were stolen from Indian government computers and they may have been compromised as a result of being copied by Indian officials onto personal computers. The recovered documents also include 1,500 letters sent from the Dalai Lama’s office between January and November 2009. The profile of documents recovered suggests that the attackers targeted specific systems and profiles of users.

Evidence of Collateral Compromise – A portion of the recovered data included visa applications submitted to Indian diplomatic missions in Afghanistan. This data was voluntarily provided to the Indian missions by nationals of 13 countries as part of the regular visa application process. In a context like Afghanistan, this finding points to the complex nature of the information security challenge where risks to individuals (or operational security) can occur as a result of a data compromise on secure systems operated by trusted partners.

Command-and-control infrastructure that leverages cloud-based social media services – Documentation of a complex and tiered command and control infrastructure, designed to maintain persistence. The infrastructure made use of freely available social media systems that include Twitter, Google Groups, Blogspot, Baidu Blogs, blog.com and Yahoo! Mail. This top layer directed compromised computers to accounts on free web hosting services, and as the free hosting servers were disabled, to a stable core of command and control servers located in the PRC.

Links to Chinese hacking community – Evidence of links between the Shadow network and two individuals living in Chengdu, PRC to the underground hacking community in the PRC.

About the Researcher Collaboration:

This investigation is a result of a collaboration between the Information Warfare Monitor and the Shadowserver Foundation. The Information Warfare Monitor (http://infowar-monitor.net/) is a joint activity of the Citizen Lab, Munk School of Global Affairs, University of Toronto, and the SecDev Group, an operational consultancy based in Ottawa specialising in evidence-based research in countries and regions under threat of insecurity and violence. The Shadowserver Foundation (http://shadowserver.org/) was established in 2004 and is comprised of volunteer security professionals that investigate and monitor malware, botnets, and malicious attacks. Both the Information Warfare Monitor and the Shadowserver Foundation aim to inform the field of cyber security through accurate, evidence-based assessments and investigations.

Event Details:

Join us for the inaugural Palantir Night Live (PNL) forum with Nart Villeneuve, Chief Security Officer for the Secdev Group, who will discuss some of his experiences as a lead technical investigator on GhostNet, the Chinese cyberspying ring that most notably hacked into the Dalai Lama’s account (read the New York Times article for more details), as well as a variety of other cyber investigations.

Attendance is limited, in order to allow for an open forum conducive to discussion.

Registration is first come, first served. Food and refreshments will be available.

Please email questions/comments to: pnl@palantirtech.com

March 23rd, 5:30-7:30pm EST
Palantir Technologies
1660 International Drive
Suite 800
McLean, VA 22102

Read about Sergey Brin’s GhostNet talk at the 2010 TED conference.