
U.S.-Canada research team penetrates cyberspy network

Security researchers have uncovered another sophisticated cyberespionage network that stole classified documents from a number of computer systems belonging to government agencies, businesses and other organizations.

The spying operation, dubbed Shadow Network, spread to computers in India, the United Nations and the Office of the Dalai Lama, according to a report published Monday by five researchers, four of whom are based at the Munk School of Global Affairs at the University of Toronto. The fifth researcher, Steven Adair, is a member of the U.S.-based nonprofit Shadowserver Foundation.

Through their eight-month investigation, the researchers went beyond isolating infected systems, as they had done in a prior investigation, known as GhostNet, which revealed some 1,300 computers infected by servers that traced back to China.

In this case, they also recovered a large amount of stolen data through a "drop zone" used by the attackers. For example, they were able to retrieve two documents marked "secret," five labeled "confidential" and six deemed "restricted." The researchers also recovered 1,500 letters sent from the Dalai Lama's office. India, though, appears to have been the main target, with the researchers unearthing hijacked documents belonging to embassies in Kabul and Moscow, as well as other organizations, such as India's Military Engineer Services and India Strategic defense magazine.

"One day, while exploring open directories on one of the command-and-control (C&C) servers, I noticed that there were files in a directory that was normally empty," Nart Villeneuve, a senior research fellow at the university and one of the report's authors, said in a blog post. "It turned out that the attackers were directing compromised computers to upload data to this directory. The attackers subsequently moved the data off to another location and deleted the files at fairly rapid, but intermittent time intervals."

The investigators suspect the Shadow Network has ties to the Chinese government because one of the individuals who was connected to GhostNet helped to register domains used by the Shadow Network. Also, the researchers believe the nature of the documents recovered show "correlations with the strategic interests of the Chinese state."

"...We were unable to determine any direct connection between these attackers and elements of the Chinese state," Villeneuve said. "However, it would not be implausible to suggest that the stolen data may have ended up in the possession of some entity of the Chinese government." 

China has denied any involvement, according to a report by Xinhua, the Chinese state news agency.

Aside from their ability to install malware that went undetected on a vast number of computer systems, the culprits also leveraged cutting-edge ways to deploy their wares, according to the report. The operators delivered instructions to compromised machines by using social media websites such as Twitter, Blogspot and Google Groups as C&C hubs.
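The C&C technique described above leaves a recognizable footprint on the defender's side: an implant that reads its instructions from a blog, group or microblog page must fetch that page over and over, usually on a timer, whereas a person reading the same site browses in irregular bursts. The following Python is an added example, not code from the article or from the researchers; it runs a simple cadence check over a constructed proxy log (the hostnames, IP addresses and timestamps are made up) and flags client/URL pairs on the named social-media domains that are fetched at a near-constant interval.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
from urllib.parse import urlsplit

# Domains the article names as having been used as C&C hubs. Matched by
# suffix so that subdomains such as <blog>.blogspot.com are covered.
WATCHED_SUFFIXES = ("blogspot.com", "twitter.com", "groups.google.com")

# Constructed sample proxy log, one request per line:
# "<ISO timestamp> <client IP> <method> <URL> <HTTP status>".
# 10.0.0.7 fetches the same blog page every 15 minutes (machine-like cadence);
# 10.0.0.12 reads a Twitter page at irregular, human-like intervals;
# 10.0.0.20 hits a Google Group only twice, too few requests to judge.
SAMPLE_LOG = """\
2010-04-05T09:00:00 10.0.0.7 GET http://example-blog.blogspot.com/2010/04/update.html 200
2010-04-05T09:02:13 10.0.0.12 GET http://twitter.com/example_feed 200
2010-04-05T09:03:40 10.0.0.12 GET http://twitter.com/example_feed 200
2010-04-05T09:10:00 10.0.0.7 GET http://www.example.com/news 200
2010-04-05T09:15:00 10.0.0.7 GET http://example-blog.blogspot.com/2010/04/update.html 200
2010-04-05T09:30:00 10.0.0.7 GET http://example-blog.blogspot.com/2010/04/update.html 200
2010-04-05T09:41:05 10.0.0.12 GET http://twitter.com/example_feed 200
2010-04-05T09:45:00 10.0.0.7 GET http://example-blog.blogspot.com/2010/04/update.html 200
2010-04-05T10:00:00 10.0.0.7 GET http://example-blog.blogspot.com/2010/04/update.html 200
2010-04-05T10:05:00 10.0.0.20 GET http://groups.google.com/group/example-group 200
2010-04-05T10:15:00 10.0.0.7 GET http://example-blog.blogspot.com/2010/04/update.html 200
2010-04-05T12:10:30 10.0.0.12 GET http://twitter.com/example_feed 200
2010-04-05T13:00:00 10.0.0.20 GET http://groups.google.com/group/example-group 200
"""


def parse_line(line):
    """Split one log line into (timestamp, client, url); None if malformed."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, client, _method, url, _status = parts
    try:
        return datetime.fromisoformat(ts), client, url
    except ValueError:
        return None


def is_watched(url):
    """True if the URL's host is one of the watched domains or a subdomain of one."""
    host = (urlsplit(url).hostname or "").lower()
    return any(host == s or host.endswith("." + s) for s in WATCHED_SUFFIXES)


def find_periodic_polling(log_text, min_hits=4, max_jitter=0.2):
    """Return (client, url) series fetched repeatedly on a near-constant cadence.

    A series is flagged when it has at least `min_hits` requests and the
    coefficient of variation (stdev / mean) of the gaps between requests is
    at most `max_jitter`. Human browsing is bursty; a beacon is regular.
    """
    series = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed and is_watched(parsed[2]):
            ts, client, url = parsed
            series[(client, url)].append(ts)

    findings = []
    for (client, url), stamps in series.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:  # every request in the same second: a burst, not a beacon
            continue
        jitter = pstdev(gaps) / avg
        if jitter <= max_jitter:
            findings.append({"client": client, "url": url, "hits": len(stamps),
                             "mean_interval_s": avg, "jitter": round(jitter, 3)})
    return findings


if __name__ == "__main__":
    for f in find_periodic_polling(SAMPLE_LOG):
        print(f"{f['client']} polls {f['url']} every {f['mean_interval_s']:.0f}s "
              f"({f['hits']} hits, jitter {f['jitter']})")
```

On the constructed log only 10.0.0.7 is reported: six fetches of one Blogspot page exactly 900 seconds apart. The threshold values are assumptions to tune per environment; real implants add random sleep, so `max_jitter` is a knob rather than a constant, and the output is a lead for a host investigation, not a verdict.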

"[The report] points to a disturbingly complex ecosystem of malware," the report said. "Although malware networks, cybercrime and espionage have been around for years, the evidence presented here shows how these networks can be aggressively adaptive systems, multiplying and regenerating across multiple vectors and platforms, and exploiting the vulnerabilities within the latest Web 2.0 technologies to expand their reach and impact."
