Infiltrated Chinese software spies on Tibetan government in exile's computers
Academics at the Munk Centre for International Studies in Toronto, while checking the computer system of the Dalai Lama's Tibetan government in exile, located in India, have discovered the biggest computer-controlled espionage network yet known. They say the network, which they call Ghostnet, is controlled by computers almost exclusively located in China and has infected 1295 computer in 103 countries in the last two years, picking up another dozen computers every week. This botnet doesn't operate at random, they say, but purposefully attempts to infiltrate computers belonging to governments and embassies in the Asian area.
Last summer, the Dalai Lama invited two Information Warfare Monitor workers to check the security of the Tibetan government in exile's computer system. That's what put the investigators on the track of Ghostnet.
They report that, not only can the espionage software monitor email and documents on infected computers, it can also control a PC remotely, switching on any cameras or microphones attached to it, to carry out surveillance of its surroundings. This is said already to have caused tangible damage to the Tibetan government in exile. The Chinese government is reported to have called a diplomat and advised him to cancel an emailed invitation he had sent to the Dalai Lama. A female activist who had arranged contacts between exiled Tibetans and Chinese is reported to have been arrested by the Chinese authorities on Tibet's border. Officials are said to have shown her intercepted email and ordered her to stop her political work.
In spite of these events, the Canadian academics refrain from saying the botnet is run by the Chinese government. They think it's also possible that patriotic individuals in China, or even the CIA or Russia, could be behind the espionage network. A spokesman at the Chinese consulate in New York denied that the Chinese government had any connection with the botnet. "These are old stories and they are nonsense", he told the New York Times. "The Chinese government is opposed to and strictly forbids any cybercrime."
Academics at Cambridge University who were simultaneously investigating the botnet directly accuse the Chinese government in their detailed report. According to them, the espionage software was contained in email sent to Tibetan monks, ostensibly by fellow monks. The attackers are thought to have penetrated a Tibetan mail server and read the email on it. The information obtained enabled them to send fake email, or to replace files attached to genuine emails with infected ones. The espionage software was hidden in the Windows system using root kit techniques and forwarded documents and email via the HTTP protocol to servers in the Chinese province of Sichuan. In order to conceal the connections, the stolen documents are said to have been passed later through anonymising Dynaweb proxy servers assigned to the Falun Gong sect. A key logger enabled the software to monitor all keyboard input. One monk even reported that his Outlook Express software opened before his very eyes and, without his doing anything, sent an infected email to one of his acquaintances.
Although the web site of the Information Warfare Monitor is currently off line, its study has now been published online. According to the report, among the 1,295 infected computers are systems of the foreign ministries in Iran, Bangladesh, Lithuania, Indonesia, the Philippines, Brunei, Barbados and Bhutan. To these are added the consulates of India, South Korea, Indonesia, Rumania, Cyprus, Malta, Thailand, Taiwan, Portugal, Pakistan and Germany, the secretariat of ASEAN (Association of South East Asian Nations), the South Asian Association for Regional Cooperation (SAARC), the Asian Development Bank, news agencies, and a computer at NATO headquarters.