Chinese GhostNet Sleuth Network Compromises Hundreds Of PCs Worldwide

Computers in more than 100 countries worldwide have been infiltrated and compromised by a huge sleuthing computer network, nicknamed Ghostnet, that originates from China.

A 10-month investigation carried out by the Canadian-based Information Warfare Monitor (IWM) found that nearly 1300 computers were infected, most of them in South East Asia.

In a report called "Tracking Ghostnet", the authors say that although the servers were physically located in China, there was no conclusive evidence that the Chinese government was behind this extensive hack.

But unlike other similar schemes, Ghostnet was not after any financial gains, and it seems that political motives were the root cause of the attack.

IWM says that the network was used to penetrate "ministries of foreign affairs, embassies, international organisations, news media, and NGOs" and one of the prime candidates for the attack, the Dalai Lama's office computer network, was the first to be officially identified as being compromised.

Greg Walton of IWM said in the report that they "uncovered real-time evidence of malware that had penetrated Tibetan computer systems, extracting sensitive documents from the private office of the Dalai Lama".

Ghostnet used a Trojan called gh0st RAT to infiltrate computers via an email attachment. It allowed attackers to gain complete control of the computer, effectively establishing a stealth "remote desktop connection" with the victim PC.

This allowed them to sniff packets of content being sent, log keystrokes, and listen to and watch their victims using webcams and other peripherals.

The Dalai Lama's computer networks were not the only ones targeted during the attack. Systems in foreign countries like Iran, Bangladesh, Indonesia, Philippines, Brunei, Barbados, Bhutan, India, South Korea, Romania, Cyprus, Malta, Thailand, Taiwan, Portugal, Germany and Pakistan were also affected.

Our Comments

A second report, published by two researchers from the University of Illinois and Cambridge University, points the finger squarely at the Chinese government as the mother ship of all the snooping attacks. Unlike Russia, which prefers direct cyber-attacks (as was the case with Lithuania back in 2008), China appears to be more subtle, preferring to collect sensitive data.

Related Links

China analysts dismiss cyber-espionage claims
http://www.cnn.com/2009/TECH/03/30/ghostnet.cyber.espionage/

Remote spy system loots government computers
http://www.fudzilla.com/index.php?option=com_content&task=view&id=12875&Itemid=38

Online plot 'wakeup call'
http://www.torontosun.com/news/canada/2009/03/30/8934691-sun.html

Chinese hackers infiltrate Indian embassy data
http://www.siliconindia.com/shownews/Chinese_hackers_infiltrate_Indian_embassy_data-nid-54379.html

Major Cyber Spy Operation Unearthed
http://www.techtree.com/India/News/Major_Cyber_Spy_Operation_Unearthed/551-100553-582.html

Tracking ‘GhostNet’: Investigating a Cyber Espionage Network
http://www.scribd.com/doc/13759529/Tracking-GhostNet-Investigating-a-Cyber-Espionage-Network#document_metadata

Investigation points to China as source of attack
http://abclocal.go.com/wjrt/story?section=news/national_world&id=6735093

Massive Chinese spynet targeted Dalai Lama
http://government.zdnet.com/?p=4498

GhostNet?
http://www.pcformat.co.za/modules.php?name=News&file=article&sid=772

Major Chinese cyber spy network infiltrates governments worldwide
http://www.siliconrepublic.com/news/article/12610/cio/major-chinese-cyber-spy-network-infiltrates-governments-worldwide

Chinese Cyber-Spies Infiltrate Computers in 103 Countries
http://www.allgov.com/ViewNews/Chinese_Cyber_Spies_Infiltrate_Computers_in_103_Countries_90330

Global 'cyber spy' network revealed
http://english.aljazeera.net/news/americas/2009/03/20093303304496652.html

Désiré Athow