[Air-L] Tracking GhostNet: Investigating a Cyber Espionage Network re Tibet

Barry Wellman wellman at chass.utoronto.ca
Sat Mar 28 13:59:54 PDT 2009

fyi. Ron Deibert is a highly regarded colleague and friend. Runs
CitizensLab at the University of Toronto.

 Barry Wellman

  S.D. Clark Professor of Sociology, FRSC               NetLab Director
  Department of Sociology                         University of Toronto
  725 Spadina Avenue, Room 388                   Toronto Canada M5S 2J4
  http://www.chass.utoronto.ca/~wellman             fax:+1-416-978-3963
  twitter: barrywellman                  secondlife: wikiwarrior swords
  Updating history:      http://chass.utoronto.ca/oldnew/cybertimes.php


---------- Forwarded message ----------
Date: Sat, 28 Mar 2009 16:49:15 -0400
From: Ronald Deibert <r.deibert at utoronto.ca>
To: Ronald Deibert <r.deibert at utoronto.ca>
Subject: Tracking GhostNet: Investigating a Cyber Espionage Network.

Tracking GhostNet: Investigating a Cyber Espionage Network.

The report has now been covered in an exclusive story by the New York
Times' John Markoff.  Download the New York Times story here

Researchers at the Information Warfare Monitor uncovered a suspected
cyber espionage network of over 1,295 infected hosts in 103
countries.  This finding comes at the close of a 10-month
investigation of alleged Chinese cyber spying against Tibetan
institutions that consisted of fieldwork, technical scouting, and
laboratory analysis.

Close to 30% of the infected hosts are considered high-value and
include computers located at ministries of foreign affairs, embassies,
international organizations, news media, and NGOs.  The investigation
was able to conclude that  Tibetan computer systems were compromised
by multiple infections that gave attackers unprecedented access to
potentially sensitive information,  including  documents from the
private office of the Dalai Lama.

Who is ultimately in control of the GhostNet system? While our
analysis reveals that numerous politically sensitive and high value
computer systems were compromised in ways that circumstantially point
to China as the culprit, we do not know the exact motivation or the
identity of the attacker(s), or how to accurately characterize this
network of infections as a whole.  One of the characteristics of cyber-
attacks of the sort we document here is the ease by which attribution
can be obscured.

Regardless of who or what is ultimately in control of GhostNet, it is
the capabilities of exploitation, and the strategic intelligence that
can be harvested from it, which matters most. Indeed, although the
Achilles’ heel of the GhostNet system allowed us to monitor and
document its far-reaching network of infiltration, we can safely
hypothesize that it is neither the first nor the only one of its kind.

As Information Warfare Monitor principal investigators Ron Deibert and
Rafal Rohozinski say in the foreword to the report, “This report
serves as a wake-up call.  At the very least, a large percentage of
high-value targets compromised by this network demonstrate the
relative ease with which a technically unsophisticated approach can
quickly be harnessed to create a very effective spynet
These are major
disruptive capabilities that the professional information security
community, as well as policymakers, need to come to terms with rapidly.”

Download the full report on 29 March 2009 at

Ronald J. Deibert
Director, The Citizen Lab
Munk Centre for International Studies
University of Toronto
r.deibert at utoronto.ca

More information about the Air-L mailing list