Cyber spy network with global reach raises alarms
University of Toronto researchers say that hackers, using servers in China, infiltrated government and private systems in 103 countries.
• A daily summary of global reports on security issues.
A group of hackers based almost exclusively in China has hacked into 1,295 computers in 103 countries. Canadian researchers at the University of Toronto revealed that cyber spies infiltrated systems in foreign ministries, embassies, international organizations, and the offices of the Dalai Lama. Thirty percent of the targeted computers could be considered "high-value" targets. No US government computers were compromised; however, the cyber spies broke into a NATO computer for half a day.
The Chinese government has denied any connection to the group and it remains unclear who is responsible and whether they worked for an official intelligence agency. In their report (to read it, click here) which was published in the Information Warfare Monitor on Sunday, the researchers said that their investigation "raises more questions than it answers," but their findings should serve as a "wake-up call."
At the very least, a large percentage of high-value targets compromised by this network demonstrate the relative ease with which a technically unsophisticated approach can quickly be harnessed to create a very effective spinet…These are major disruptive capabilities that the professional information security community, as well as policymakers, need to come to terms with rapidly.
The University of Toronto team began its investigation at the request of the office of the Dalai Lama, but ultimately discovered that, in addition to targeting the exiled Tibetan leader, the spy network was focusing on South Asian and Southeast Asian countries, reports Canada's Globe and Mail. Malware installed by the spy network could activate infected computers' cameras and microphones, allowing cybersleuths to see and hear what was happening in the room.
The researchers were able to monitor the commands given to infected computers and to see the names of documents retrieved by the spies but in most cases the contents of the stolen files have not been determined.
Working with the Tibetans, however, the researchers found specific correspondence had been stolen and the intruders had gained control of the electronic mail server computers of the Dalai Lama's organization.
A map printed in The New York Times shows where computers were infected. The Times also reports that although reports indicate that most of the computers responsible for the cyberespionage are located in China, investigators have cautioned against drawing conclusions that Chinese authorities were involved.
The spying could be a nonstate, for-profit operation, for example, or one run by private citizens in China known as "patriotic hackers."
"We're a bit more careful about it, knowing the nuance of what happens in the subterranean realms," said Ronald J. Deibert, a member of the research group and an associate professor of political science at [the Munk Center for International Studies at the University of Toronto]. "This could well be the C.I.A. or the Russians. It's a murky realm that we're lifting the lid on."
Two other researchers at Cambridge University, who also investigated the cyber spy network, have been "less circumspect" than their Canadian counterparts about pointing a finger at China, reports Threat Level, a Wired Magazine blog.
An abstract of the report by the Cambridge researchers, titled "The Snooping Dragon," says that these attacks are particularly significant because of their ability to collect "actionable intelligence for use by the police and security services of a repressive state, with potentially fatal consequences for those exposed." Though the report investigates alleged Chinese hacking, it says that the techniques could be used by individuals and create serious consequences for cyber security in both the public and private sector.
Few organisations outside the defence and intelligence sector could withstand such an attack, and although this particular case involved the agents of a major power, the attack could in fact have been mounted by a capable motivated individual. ... The traditional defence against social malware in government agencies involves expensive and intrusive measures that range from mandatory access controls to tiresome operational security procedures. These will not be sustainable in the economy as a whole. Evolving practical low-cost defences against social-malware attacks will be a real challenge.
Meanwhile, in the United Kingdom, intelligence chiefs have voiced concerns that China may have gained the ability to stop the delivery of critical services such as electricity water, and food, reports the Times of London. The UK recently signed a multimillion dollar deal with Huawei, a Chinese telecommunications company, to update the nation's telecom network.
According to the sources, the ministerial committee on national security was told at the January meeting that Huawei components that form key parts of BT's new network might already contain malicious elements waiting to be activated by China.
Working through Huawei, China was already equipped to make "covert modifications" or to "compromise equipment in ways that are very hard to detect" and that might later "remotely disrupt or even permanently disable the network", the meeting was told.