Shadow Network

Last updated

The Shadow Network is a China-based computer espionage operation that stole classified documents and emails from the Indian government, the office of the Dalai Lama, and other high-level government networks. [1] [2] This incident is the second cyber espionage operation of this sort by China, discovered by researchers at the Information Warfare Monitor, following the discovery of GhostNet in March 2009. [3] [4] [5] The Shadow Network report "Shadows in the Cloud: Investigating Cyber Espionage 2.0" was released on 6 April 2010, approximately one year after the publication of "Tracking GhostNet." [6]

Contents

The cyber spying network made use of Internet services, [5] such as social networking and cloud computing platforms. [4] The services included Twitter, Google Groups, Baidu, Yahoo Mail, Blogspot, and blog.com, [5] which were used to host malware [7] and infect computers with malicious software. [4]

Discovery

The Shadow Net report [8] was released following an 8-month collaborative investigation between researchers from the Canada-based Information Warfare Monitor and the United States Shadowserver Foundation. [3] [7] [9] The Shadow Network was discovered during the GhostNet investigation, [3] and researchers said it was more sophisticated and difficult to detect. [3] [5] Following the publication of the GhostNet report, several of the listed command and control servers went offline; [3] [10] however, the cyber attacks on the Tibetan community did not cease. [10]

The researchers conducted field research in Dharamshala, India, and with the consent of the Tibetan organizations, they were able to monitor the networks in order to collect copies of the data from compromised computers and identify command and control servers used by the attackers. [7] [11] The field research done by the Information Warfare Monitor and the Shadowserver Foundation found that computer systems in the Office of His Holiness the Dalai Lama (OHHDL) had been compromised by multiple malware networks, one of which was the Shadow Network. [12]

Further research into the Shadow Network revealed that, while India and the Dalai Lama's offices were the primary focus of the attacks, [5] the operation compromised computers on every continent except Australia and Antarctica. [1] [13]

The research team recovered more than 1,500 e-mails from the Dalai Lama's Office [1] [4] along with a number of documents belonging to the Indian government. [1] This included classified security assessments in several Indian states, reports on Indian missile systems, [10] and documents related to India's relationships in the Middle East, Africa, and Russia. [1] [5] Documents were also stolen related to the movements of NATO forces in Afghanistan, [5] and from the United Nations Economic and Social Commission for Asia and the Pacific (UNESCAP). [4] [5] The hackers were indiscriminate in what they took, which included sensitive information as well as financial and personal information. [4]

Origin

The attackers were tracked through e-mail addresses [4] to the Chinese city of Chengdu in Sichuan province. [1] [3] There was suspicion, but no confirmation, that one of the hackers had a connection to the University of Electronic Science and Technology in Chengdu. [2] The account of another hacker was linked to a Chengdu resident who claimed to know little about the hacking. [5]

Related Research Articles

<span class="mw-page-title-main">Industrial espionage</span> Use of espionage for commercial purposes rather than security

Industrial espionage, also known as economic espionage, corporate spying, or corporate espionage, is a form of espionage conducted for commercial purposes instead of purely national security.

<span class="mw-page-title-main">Citizen Lab</span> Digital research center at the University of Toronto

The Citizen Lab is an interdisciplinary laboratory based at the Munk School of Global Affairs at the University of Toronto, Canada. It was founded by Ronald Deibert in 2001. The laboratory studies information controls that impact the openness and security of the Internet and that pose threats to human rights. The organization uses a "mixed methods" approach which combines computer-generated interrogation, data mining, and analysis with intensive field research, qualitative social science, and legal and policy analysis methods. The organization has played a major role in providing technical support to journalists investigating the use of NSO Group's Pegasus spyware on journalists, politicians and human rights advocates.

The government of the People's Republic of China is engaged in espionage overseas, directed through diverse methods via the Ministry of State Security (MSS), the Ministry of Public Security (MPS), the United Front Work Department (UFWD), People's Liberation Army (PLA) via its Intelligence Bureau of the Joint Staff Department, and numerous front organizations and state-owned enterprises. It employs a variety of tactics including cyber espionage to gain access to sensitive information remotely, signals intelligence, human intelligence as well as influence operations through united front activity targeting overseas Chinese communities and associations. The Chinese government is also engaged in industrial espionage aimed at gathering information and technology to bolster its economy, as well as transnational repression of dissidents abroad such as supporters of the Tibetan independence movement and Uyghurs as well as the Taiwan independence movement, the Hong Kong independence movement, Falun Gong, pro-democracy activists, and other critics of the Chinese Communist Party (CCP). The United States alleges that the degree of intelligence activity is unprecedented in its assertiveness and engagement in multiple host countries, particularly the United States, with economic damages estimated to run into the hundreds of billions according to the Center for Strategic and International Studies.

Proactive cyber defense, means acting in anticipation to oppose an attack through cyber and cognitive domains. Proactive cyber defense can be understood as options between offensive and defensive measures. It includes interdicting, disrupting or deterring an attack or a threat's preparation to attack, either pre-emptively or in self-defence.

Michael Gregory Hoglund is an American author, researcher, and serial entrepreneur in the cyber security industry. He is the founder of several companies, including Cenzic, HBGary and Outlier Security. Hoglund contributed early research to the field of rootkits, software exploitation, buffer overflows, and online game hacking. His later work focused on computer forensics, physical memory forensics, malware detection, and attribution of hackers. He holds a patent on fault injection methods for software testing, and fuzzy hashing for computer forensics. Due to an email leak in 2011, Hoglund is well known to have worked for the U.S. Government and Intelligence Community in the development of rootkits and exploit material. It was also shown that he and his team at HBGary had performed a great deal of research on Chinese Government hackers commonly known as APT. For a time, his company HBGary was the target of a great deal of media coverage and controversy following the 2011 email leak. HBGary was later acquired by a large defense contractor.

A supply chain attack is a cyber-attack that seeks to damage an organization by targeting less secure elements in the supply chain. A supply chain attack can occur in any industry, from the financial sector, oil industry, to a government sector. A supply chain attack can happen in software or hardware. Cybercriminals typically tamper with the manufacturing or distribution of a product by installing malware or hardware-based spying components. Symantec's 2019 Internet Security Threat Report states that supply chain attacks increased by 78 percent in 2018.

The Information Warfare Monitor (IWM) was an advanced research activity tracking the emergence of cyberspace as a strategic domain. Created in 2003, it closed in January 2012. It was a public-private venture between two Canadian institutions: The SecDev Group, an operational think tank based in Ottawa (Canada), and the Citizen Lab at the Munk School of Global Affairs, University of Toronto. The Principal Investigators and co-founders of the Information Warfare Monitor where Rafal Rohozinski and Ronald Deibert. The Information Warfare Monitor as part of the Citizen Lab’s network of advanced research projects, which include the OpenNet Initiative, the Fusion Methodology Centre, and PsiLab.

<span class="mw-page-title-main">Kaspersky Lab</span> Russian multinational cybersecurity and anti-virus provider

Kaspersky Lab is a Russian multinational cybersecurity and anti-virus provider headquartered in Moscow, Russia, and operated by a holding company in the United Kingdom. It was founded in 1997 by Eugene Kaspersky, Natalya Kaspersky and Alexey De-Monderik. Kaspersky Lab develops and sells antivirus, internet security, password management, endpoint security, and other cybersecurity products and services.

GhostNet is the name given by researchers at the Information Warfare Monitor to a large-scale cyber spying operation discovered in March 2009. The operation is likely associated with an advanced persistent threat, or a network actor that spies undetected. Its command and control infrastructure is based mainly in the People's Republic of China and GhostNet has infiltrated high-value political, economic and media locations in 103 countries. Computer systems belonging to embassies, foreign ministries and other government offices, and the Dalai Lama's Tibetan exile centers in India, London and New York City were compromised.

Cyber espionage, cyber spying, or cyber-collection is the act or practice of obtaining secrets and information without the permission and knowledge of the holder of the information using methods on the Internet, networks or individual computers through the use of proxy servers, cracking techniques and malicious software including Trojan horses and spyware. Cyber espionage can be used to target various actors- individuals, competitors, rivals, groups, governments, and others- in order to obtain personal, economic, political or military advantages. It may wholly be perpetrated online from computer desks of professionals on bases in far away countries or may involve infiltration at home by computer trained conventional spies and moles or in other cases may be the criminal handiwork of amateur malicious hackers and software programmers.

Operation Aurora was a series of cyber attacks performed by advanced persistent threats such as the Elderwood Group based in Beijing, China, with associations with the People's Liberation Army. First disclosed publicly by Google on January 12, 2010, by a weblog post, the attacks began in mid-2009 and continued through December 2009.

An advanced persistent threat (APT) is a stealthy threat actor, typically a state or state-sponsored group, which gains unauthorized access to a computer network and remains undetected for an extended period. In recent times, the term may also refer to non-state-sponsored groups conducting large-scale targeted intrusions for specific goals.

<span class="mw-page-title-main">Chinese espionage in the United States</span>

The United States has often accused the People's Republic of China of attempting to unlawfully acquire U.S. military technology and classified information as well as trade secrets of U.S. companies in order to support China's long-term military and commercial development. Chinese government agencies and affiliated personnel have been accused of using a number of methods to obtain U.S. technology, including espionage, exploitation of commercial entities, and a network of scientific, academic and business contacts. Prominent espionage cases include Larry Wu-tai Chin, Katrina Leung, Gwo-Bao Min, Chi Mak, Peter Lee, and Shujun Wang. The Ministry of State Security (MSS) maintains a bureau dedicated to espionage against the United States, the United States Bureau.

Cyberwarfare is the use of computer technology to disrupt the activities of a state or organization, especially the deliberate attacking of information systems for strategic or military purposes. As a major developed economy, the United States is highly dependent on the Internet and therefore greatly exposed to cyber attacks. At the same time, the United States has substantial capabilities in both defense and offensive power projection thanks to comparatively advanced technology and a large military budget. Cyberwarfare presents a growing threat to physical systems and infrastructures that are linked to the internet. Malicious hacking from domestic or foreign enemies remains a constant threat to the United States. In response to these growing threats, the United States has developed significant cyber capabilities.

Cyberwarfare by China is the aggregate of cyberattacks attributed to the organs of the People's Republic of China and various related advanced persistent threat (APT) groups.

<span class="mw-page-title-main">Palo Alto Networks</span> American technology company

Palo Alto Networks, Inc. is an American multinational cybersecurity company with headquarters in Santa Clara, California. The core product is a platform that includes advanced firewalls and cloud-based offerings that extend those firewalls to cover other aspects of security. The company serves over 70,000 organizations in over 150 countries, including 85 of the Fortune 100. It is home to the Unit 42 threat research team and hosts the Ignite cybersecurity conference. It is a partner organization of the World Economic Forum.

<span class="mw-page-title-main">PLA Unit 61398</span> Chinese advanced persistent threat unit

PLA Unit 61398 is the military unit cover designator (MUCD) of a People's Liberation Army advanced persistent threat unit that has been alleged to be a source of Chinese computer hacking attacks. The unit is stationed in Pudong, Shanghai, and has been cited by US intelligence agencies since 2002.

Mandiant, Inc. is an American cybersecurity firm and a subsidiary of Google. Mandiant received attention in February 2013 when it released a report directly implicating China in cyber espionage. In December 2013, Mandiant was acquired by FireEye for $1 billion, who eventually sold the FireEye product line, name, and its employees to Symphony Technology Group for $1.2 billion in June 2021.

A cyberattack is any unauthorized effort against computer infrastructure that compromises the confidentiality, integrity, or availability of its content.

References

  1. 1 2 3 4 5 6 Anna, Cara (6 April 2010). "'Shadow Network' Of Chinese Hackers Steal Dalai Lama's Emails: REPORT". The Huffington Post. Archived from the original on 3 November 2014. Retrieved 1 Nov 2014.
  2. 1 2 Branigan, Tania (6 April 2010). "Cyber-spies based in China target Indian government and Dalai Lama". The Guardian. Archived from the original on 23 October 2019. Retrieved 1 Nov 2010.
  3. 1 2 3 4 5 6 Zetter, Kim (6 April 2010). "Spy Network Pilfered Classified Docs From Indian Government and Others". Wired. Archived from the original on 2 November 2014. Retrieved 1 Nov 2014.
  4. 1 2 3 4 5 6 7 "Shadow cyber spy network revealed". BBC News. 6 April 2010. Archived from the original on 2 November 2014. Retrieved 1 Nov 2014.
  5. 1 2 3 4 5 6 7 8 9 Markoff, John; Barboza, David (5 April 2010). "Researchers Trace Data Theft to Intruders in China". The New York Times. Archived from the original on 7 March 2017. Retrieved 1 Nov 2014.
  6. "SHADOWS IN THE CLOUD: Investigating Cyber Espionage 2.0". Scribd. The SecDev Group. 6 April 2010. p. 2. Archived from the original on 19 November 2010. Retrieved 4 Nov 2010.
  7. 1 2 3 Mills, Elinor (6 April 2010). "Report: India targeted by spy network". CNET. Retrieved 1 Nov 2014.
  8. "SHADOWS IN THE CLOUD: Investigating Cyber Espionage 2.0". Scribd. The SecDev Group. 6 April 2010. Archived from the original on 6 November 2014. Retrieved 1 Nov 2014.
  9. Robertson, Grant (6 April 2010). "Canadian researchers reveal online spy ring based in China". The Globe and Mail. Archived from the original on 2 November 2014. Retrieved 1 Nov 2014.
  10. 1 2 3 Moore, Malcolm (6 April 2010). "Chinese hackers steal Dalai Lama's emails". The Telegraph. Archived from the original on 17 October 2010. Retrieved 1 Nov 2010.
  11. "SHADOWS IN THE CLOUD: Investigating Cyber Espionage 2.0". Scribd. The SecDev Group. 6 April 2010. p. 9. Archived from the original on 6 November 2014. Retrieved 1 Nov 2014.
  12. "SHADOWS IN THE CLOUD: Investigating Cyber Espionage 2.0". Scribd. The SecDev Group. 6 April 2010. p. 13. Archived from the original on 6 November 2014. Retrieved 1 Nov 2014.
  13. "SHADOWS IN THE CLOUD: Investigating Cyber Espionage 2.0". Scribd. The SecDev Group. 6 April 2010. p. 32. Retrieved 1 Nov 2014.
This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.