Tracking GhostNet: Investigating a Cyber ... - Nart Villeneuve
JR02-2009 Tracking GhostNet - PART THREE (p. 47)
The evidence presented in this report—through a combination of field investigations, interviews, technical scouting, data analysis, mining and visualization—paints a disturbing picture.

GhostNet represents a network of compromised computers resident in high-value political, economic, and media locations spread across numerous countries worldwide. At the time of writing, these organizations are almost certainly oblivious to the compromised situation in which they find themselves. The computers of diplomats, military attachés, private assistants, secretaries to Prime Ministers, journalists and others are under the concealed control of unknown assailant(s).

In Dharamsala and elsewhere, we have witnessed machines being profiled and sensitive documents being removed. At our Laboratory, we have analysed our own infected “honey pot” computer and discovered that the capabilities of GhostNet are potent and wide-ranging. Almost certainly, documents are being removed without the targets’ knowledge, keystrokes logged, web cameras are being silently triggered, and audio inputs surreptitiously activated.
This raises the question: how many sensitive activities have been preemptively anticipated by intelligence gathered through this network? How many illegal transactions have been facilitated by information harvested through GhostNet? Worst of all, how many people may have been put at risk?

While these questions are compelling, it would be imprudent to read these findings as an indictment, or to attribute to the owners of GhostNet motivations and intentions for which there is no evidence.
Alternative explanations

The list of computers controlled by the GhostNet is significant, and certainly atypical for a cybercrime network. The size of the network is small, and the concentration of high-value systems is significant. At the same time, penetrations of this type are not uncommon. Recently, several large-scale spy nets have been discovered, including ones containing lists of affected computers of a magnitude higher than that harvested by GhostNet.

This trend is predictable, converging with accumulating incidents of cyber-attacks facilitated by lower entry-thresholds for computer exploitation methods and technologies. The tools we profile in our investigation, though apparently amassed in a complex way to achieve a definite purpose, are not restricted to an exclusive guild of experts with specialized and confidential knowledge. Today, pirated cyber-crime kits circulate extensively on the Internet and can be downloaded by anyone about as easily as the latest pirated DVD.[51] Cyberspace has empowered individuals and small groups of non-state actors to do many things, including executing sophisticated computer network operations that were previously only the domain of state intelligence agencies. We have entered the era of do-it-yourself (DIY) signals intelligence.

[51] http://ddanchev.blogspot.com/2008/11/zeus-crimeware-kit-gets-carding-layout.html