Shadow Network

The Shadow Network is a China-based computer espionage operation that stole classified documents and e-mails from the Indian government, the Office of the Dalai Lama, and other high-level government networks. [1] [2] It is the second cyber espionage operation of this kind, attributed to China, to be exposed by researchers at the Information Warfare Monitor, following the discovery of GhostNet in March 2009. [3] [4] [5] The Shadow Network report, "Shadows in the Cloud: Investigating Cyber Espionage 2.0", was released on 6 April 2010, approximately one year after the publication of "Tracking GhostNet". [6]

The cyber spying network made use of ordinary Internet services, [5] in particular social networking and cloud computing platforms. [4] The services included Twitter, Google Groups, Baidu, Yahoo Mail, Blogspot, and blog.com, [5] which the attackers used to host malware, [7] to infect computers with it, [4] and as infrastructure for controlling the computers already infected. Because the traffic to these services is indistinguishable from legitimate use at the network boundary, blocking them outright is rarely an option for a defender; the practical signal is the pattern of use rather than the destination itself.
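The abuse of popular Web services described above leaves a detectable trace in web-proxy logs: an implant polling a blog, group or microblog account for instructions tends to do so on a fixed schedule, whereas a person reading the same site does not. The following is an added example, written for this page and not code from the "Shadows in the Cloud" report or its authors. It assumes a minimal proxy log format (ISO timestamp, client address, host, path), a watchlist built from the services named on this page, and thresholds chosen for illustration; the log lines are constructed, not captured data.

```python
"""Beacon detection over web-proxy logs for hosts on legitimate cloud/social services.

Added example for this page; the log format, watchlist and thresholds are
assumptions, and SAMPLE_LOG is constructed rather than real traffic.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Assumed log format: "<ISO timestamp> <client-ip> <host> <path>", one event per line.
# Constructed sample: 10.0.0.5 polls twitter.com every ~30 min (implant-like),
# 10.0.0.7 browses twitter.com irregularly (person-like), 10.0.0.9 polls a host
# that is not on the watchlist and is therefore ignored by this check.
SAMPLE_LOG = """\
2010-03-01T09:00:00 10.0.0.5 twitter.com /statuses/user_timeline.xml
2010-03-01T09:30:01 10.0.0.5 twitter.com /statuses/user_timeline.xml
2010-03-01T10:00:00 10.0.0.5 twitter.com /statuses/user_timeline.xml
2010-03-01T10:30:01 10.0.0.5 twitter.com /statuses/user_timeline.xml
2010-03-01T11:00:00 10.0.0.5 twitter.com /statuses/user_timeline.xml
2010-03-01T09:05:12 10.0.0.7 twitter.com /home
2010-03-01T09:07:40 10.0.0.7 twitter.com /messages
2010-03-01T11:42:03 10.0.0.7 twitter.com /home
2010-03-01T16:20:55 10.0.0.7 twitter.com /search?q=tibet
2010-03-01T09:00:00 10.0.0.9 example.org /index.html
2010-03-01T09:30:00 10.0.0.9 example.org /index.html
2010-03-01T10:00:00 10.0.0.9 example.org /index.html
2010-03-01T10:30:00 10.0.0.9 example.org /index.html
"""

# Services named on this page as having been abused; matched by exact host or subdomain.
WATCHLIST = ("twitter.com", "groups.google.com", "blogspot.com", "blog.com",
             "mail.yahoo.com", "baidu.com")


def on_watchlist(host: str) -> bool:
    """True if host is a watchlisted service or one of its subdomains."""
    return any(host == s or host.endswith("." + s) for s in WATCHLIST)


def parse_log(text: str) -> dict:
    """Group event timestamps by (client, host)."""
    events = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, host, _path = line.split(maxsplit=3)
        events[(client, host)].append(datetime.fromisoformat(ts))
    return events


def find_beacons(text: str, min_hits: int = 4, max_cv: float = 0.1) -> list:
    """Flag (client, host) pairs on the watchlist whose inter-request gaps are
    nearly constant: coefficient of variation (stdev/mean) at or below max_cv."""
    findings = []
    for (client, host), stamps in parse_log(text).items():
        if not on_watchlist(host) or len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:          # duplicate timestamps only; nothing to measure
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            findings.append({"client": client, "host": host, "hits": len(stamps),
                             "period_s": round(avg), "cv": round(cv, 4)})
    return findings


if __name__ == "__main__":
    for f in find_beacons(SAMPLE_LOG):
        print(f"{f['client']} -> {f['host']}: {f['hits']} hits, "
              f"period {f['period_s']}s, cv {f['cv']}")
```

On the constructed sample only 10.0.0.5 is reported (five hits, 1800 s period). The watchlist keeps the check scoped to the services this page names; dropping the `on_watchlist` filter turns it into a general beaconing detector, at the cost of more triage. Implants that add random jitter to their polling interval raise the coefficient of variation, so the threshold is a tuning knob rather than a fixed rule.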

Discovery

The "Shadows in the Cloud" report [8] was released following an eight-month collaborative investigation by researchers from the Canada-based Information Warfare Monitor and the United States-based Shadowserver Foundation. [3] [7] [9] The Shadow Network was discovered during the GhostNet investigation, [3] and the researchers described it as more sophisticated and harder to detect than GhostNet. [3] [5] Following the publication of the GhostNet report, several of the command and control servers it listed went offline; [3] [10] however, the cyber attacks on the Tibetan community did not cease. [10]

The researchers conducted field research in Dharamshala, India, and with the consent of the Tibetan organizations, they were able to monitor the networks in order to collect copies of the data from compromised computers and identify command and control servers used by the attackers. [7] [11] The field research done by the Information Warfare Monitor and the Shadowserver Foundation found that computer systems in the Office of His Holiness the Dalai Lama (OHHDL) had been compromised by multiple malware networks, one of which was the Shadow Network. [12]

Further research into the Shadow Network revealed that, while India and the Dalai Lama's offices were the primary focus of the attacks, [5] the operation compromised computers on every continent except Australia and Antarctica. [1] [13]

The research team recovered more than 1,500 e-mails from the Dalai Lama's Office [1] [4] along with a number of documents belonging to the Indian government. [1] This included classified security assessments in several Indian states, reports on Indian missile systems, [10] and documents related to India's relationships in the Middle East, Africa, and Russia. [1] [5] Documents were also stolen related to the movements of NATO forces in Afghanistan, [5] and from the United Nations Economic and Social Commission for Asia and the Pacific (UNESCAP). [4] [5] The hackers were indiscriminate in what they took, which included sensitive information as well as financial and personal information. [4]

Origin

The attackers were tracked through e-mail addresses [4] to the Chinese city of Chengdu in Sichuan province. [1] [3] There was suspicion, but no confirmation, that one of the hackers had a connection to the University of Electronic Science and Technology of China in Chengdu. [2] The account of another hacker was linked to a Chengdu resident who claimed to know little about the hacking. [5]

References

  1. Anna, Cara (6 April 2010). "'Shadow Network' Of Chinese Hackers Steal Dalai Lama's Emails: REPORT". The Huffington Post. Retrieved 1 Nov 2014.
  2. Branigan, Tania (6 April 2010). "Cyber-spies based in China target Indian government and Dalai Lama". The Guardian. Retrieved 1 Nov 2010.
  3. Zetter, Kim (6 April 2010). "Spy Network Pilfered Classified Docs From Indian Government and Others". Wired. Retrieved 1 Nov 2014.
  4. "Shadow cyber spy network revealed". BBC News. 6 April 2010. Retrieved 1 Nov 2014.
  5. Markoff, John; Barboza, David (5 April 2010). "Researchers Trace Data Theft to Intruders in China". The New York Times. Retrieved 1 Nov 2014.
  6. "SHADOWS IN THE CLOUD: Investigating Cyber Espionage 2.0". Scribd. The SecDev Group. 6 April 2010. p. 2. Retrieved 4 Nov 2010.
  7. Mills, Elinor (6 April 2010). "Report: India targeted by spy network". CNET. Retrieved 1 Nov 2014.
  8. "SHADOWS IN THE CLOUD: Investigating Cyber Espionage 2.0". Scribd. The SecDev Group. 6 April 2010. Retrieved 1 Nov 2014.
  9. Robertson, Grant (6 April 2010). "Canadian researchers reveal online spy ring based in China". The Globe and Mail. Retrieved 1 Nov 2014.
  10. Moore, Malcolm (6 April 2010). "Chinese hackers steal Dalai Lama's emails". The Telegraph. Retrieved 1 Nov 2010.
  11. "SHADOWS IN THE CLOUD: Investigating Cyber Espionage 2.0". Scribd. The SecDev Group. 6 April 2010. p. 9. Retrieved 1 Nov 2014.
  12. "SHADOWS IN THE CLOUD: Investigating Cyber Espionage 2.0". Scribd. The SecDev Group. 6 April 2010. p. 13. Retrieved 1 Nov 2014.
  13. "SHADOWS IN THE CLOUD: Investigating Cyber Espionage 2.0". Scribd. The SecDev Group. 6 April 2010. p. 32. Retrieved 1 Nov 2014.