Tracking GhostNet: Investigating a Cyber ... - Nart Villeneuve

More documents

Recommendations

Info

JR02-2009 Tracking GhostNet - PART TWO 43 Table 2: Selected infections (cont’d) Organization Confidence Location Infections Embassy of Romania, Norway H NO 1 Embassy of Romania, PRC H CN 1 Embassy of Thailand, Philippines H PH 2 Embassy of the Republic of Korea, China H CN 2 Government Integrated Telecommunication Network, Malaysia L MY 2 High Commission of India, Cyprus H CY 1 High Commission Of India, United Kingdom H GB 1 Institute for Information Industry, Taiwan L TW 1 International Campaign for Tibet H NL 7 International Chamber of Shipping, United Kingdom L GB 1 Lanka Education and Research Network, Sri Lanka L LK 1 Malta External Trade Corporation Ltd. H MT 1 Maritime Police, Solomon Islands H SB 1 Ministry of Communications, Brunei H BN 1 Ministry of Education, Solomon Islands H SB 1 Ministry of Foreign Affairs, Bangladesh H BD 4 Ministry of Foreign Affairs, Barbados M BB 5 Ministry of Foreign Affairs, Bhutan L BT 11 Ministry of Foreign Affairs, Brunei L BN 1 Ministry Of Foreign Affairs, Iran H IR 1 Ministry of Foreign Affairs, Latvia H LV 2 Ministry of Industry and Trade, Vietnam L VN 30 Ministry of Labour and Human Resources, Bhutan H BT 1 National Informatics Centre, India L IN 12 NATO, (SHAPE HQ) H NL 1 Net Trade, Taiwan H TW 1 New Tang Dynasty Television, United States L US 1 Office of the Dalai Lama, India H IN 2 Pakistan Mission to The United Nations L US, JP 4 Permanent Delegation of Cyprus to the European Union L BE 1 Permanent Mission of Cuba to the United Nations L US 1 PetroVietnam L VN 74 Prime Minister’s Office, Laos H LA 5 Public Service Division, Solomon Islands H SB 1 Russian Federal University Network, Russian Federation H RU 1 Software Technology Parks of India, India L IN 2 South Asian Association for Regional Cooperation L BD, US 5 Students for a Free Tibet, United States H US 2 TAITRA, Taiwan H TW, NG 79
JR02-2009 Tracking GhostNet - PART TWO 44 Table 2: Selected infections (cont’d) Organization Confidence Location Infections Taiwan Government Service Network, Taiwan H TW 1 Tibetan Government in Exile, India H IN, US 4 Trade and Industry Department, Government of Hong Kong H HK 1 Infection timeline The earliest infected computer called home to the control server on May 22, 2007. The most recent entry in our sample is March 12, 2009. On average, the amount of time that a host was actively infected was 145 days. 49 While 90 infected computers were only infected for one day, 145 were infected for over 400 days. The longest infection span was 660 days. In total, 422 hosts checked in March 1-12, 2009; 373 of these computers were infected in 2008. The data indicates that despite a reduction in new infections, the network continues to be operational. (See Fig. 13 - p. 45) There are significant spikes in infection rates in December 2007 and August 2008. There were 320 infections in December 2007 spread across 56 countries. However, 113 were located within Taiwan and the majority of these infections occurred within a single organization: the Taiwan External Trade Development Council. During this same period, computers at the Embassies of India in Belgium and Zimbabwe were infected as were the Embassies of Indonesia and the Republic of Korea in the People’s Republic of China. In addition, computers at the Ministry of Foreign Affairs in Iran were infected as were several computers at the Tibetan Government-in-Exile. The spike in August 2008 totalled 258 infections spread across 46 countries. The OHHDL computer was infected during one of these spikes in August 2008 (It last checked in to the control server in September 2008). This spike included the Chinese Embassy in the United States, 50 3 computers at the Embassy of India in the Unites States, and the High Commission of India in the United Kingdom and in Cyprus. It also included the Embassy of Cyprus in Germany, the Embassy of Malaysia in Cuba, the Embassy of Thailand in the Philippines and the Ministry of Industry in Vietnam. Several companies were also compromised, including Net Trade in Taiwan, the New York Office of Deloitte & Touche, and PetroVietnam, the government-owned oil and gas Company. 49 The average number of days from the initial infection to the last time an infected computer “checked in” with a control server. 50 It is unclear whether the affected embassy is the Republic of China (Taiwan) or People’s Republic of China.
Page 1 and 2: JR02-2009 Tracking GhostNet: Invest
Page 3 and 4: JR02-2009 Tracking GhostNet - FOREW
Page 5 and 6: JR02-2009 Tracking GhostNet - TABLE
Page 7 and 8: JR02-2009 Tracking GhostNet - SUMMA
Page 9 and 10: JR02-2009 Tracking GhostNet - INTRO
Page 11 and 12: PART ONE: Context and background
Page 13 and 14: JR02-2009 Tracking GhostNet - PART
Page 17 and 18: PART TWO: Tracking GhostNet
Page 43: JR02-2009 Tracking GhostNet - PART
Page 47 and 48: PART THREE: Investigating GhostNet:
Page 51 and 52: PART FOUR: About Information Warfar
Page 53: 52 2. Open Source Trend Analysis. W

Tracking GhostNet: Investigating a Cyber ... - Nart Villeneuve

Create successful ePaper yourself

Delete template?

Save as template?