Nart Villeneuve, “Tracking GhostNet”:
One of our staff has been working with Tibetian communnities for 10 years.
Art of investigation: raise more questions than answers. This is good, as we have limitations.
Data is hard to come by. Organizations are not generally willing to collect their data or provide you with samples of malicious files, you have to cultivate sources, and earn trust (within NGO community).
We hear a lot of news coverage, they’re often incomplete, with little to no data. (09h11 Tallinn time)
Sometimes there might be political events associated with the attacks.
We fully explore alternative explanations
We try to explore avenues that would try to explain why we’re seeing these types of attacks.
Our investigation was conducted in three stages:
1) Field research in Tibetan communities
2) Analysis of data during field research, identify and explore C&C servers
3) Infection of test computers with malware obtained from C&C computers
Drewla: The domain names that they like to use are misspellings of known software products
Drewla: They employ young Tibetans who speak Chinese who they can go online to communicate a positive message of Tibetans
Tom Skype: Was censoring certain words when you used the text chat (well known in 2006), Skype admitted to it
When we took apart, when I typed certain words, there was an http connection
They hadn’t turned off directory listings
Saw lots of encrypted log files, two logs files up was the decrypt key (09h19 Tallinn time)
Seven such servers
contentfilter*.log – ip, username, message, date, time (+ unknown parameters)
Half were collected because they had porn, others political words
There were a lot of messages that had sensitive in Mandarin
Some were so short that they couldn’t have been captured by just keywords
Were able to map out who was talking to who. If you map with calling data, but also from SkypeOut if you’re calling to landline.
Potentially through one of the means that China was able to obtain records.
Confronted Skype, and they admitted that they were required to do this by the Chinese government
One was a domain for checking in and another was would use to upload files, split into pieces
We asked the owner of this computer: what is this? It contained details of the Dalai Lama’s negotiating position
We didn’t know anything more about the servers
That left us with another set of connections from Office of Dalai Lama
HTTP GET requests to IP in Hainan-Telecom
Found control site by searching IP in Google
Commands in drop-down were relating to force the host to get new malware, or acquire system information from the infected computer
RAM, hard drive, programs, list of file names in your My Documents folder and a dump of all your current network connections
Each command was assigned a unique ID. Would point users to download more software from another server. (9h25 Tallinn time)
Attacker also wants to take real-time control to be able to rifle through files and transfer data, capture audio
This is a common tool
We started collecting other IP addresses and domain names that the attacker used. Some of the servers had directory listings on. What we found was that one of the pieces of malware connected to control server, we started to be able to piece together how the attacker was able to infect those computers.
We didn’t know how they got infected.
Attacker likes to send out PDFs and .docs packed with exploits
Hainan Island was significant
Later versions used lookups
Geographically all of the control servers were in China, except for one, which was on a hosting service in California (that was indexed by Google)
I have a healthy fear of prison — there was no hacking involved.
Direct connections to a server
If you have the Google Toolbar and you visit a website that Google doesn’t know about, it likely will index it
They didn’t put the site behind a password
Started to try to identify who the hosts were. One was the computer name.
Victims were embassies, govt institutions — like Ministry of Foreign Affairs of Latvia, NATO computer infected briefly
Found additional targets: Associated Press, Al Jazeera, Taiwan Stock Exchange, Taiwanese airlines, Deloitte (09h34 Tallinn time)
India was the most targeted country (103 different countries)
Also in Europe, especially Indian Embassy in Washington DC, infected repeatedly over a year, including mail server
Mail servers were targeted often
Taiwanese trade office was hit 77 times in a few days
Other than a few days, there’s a few spikes here and there but it seemed to be a stale network
There wasn’t any new infections, nothing new in 2009
Blue spikes are check-ins.
Earliest infected computer is May 22, 2007 and most recent sample is March 12, 2009.
Amount of time that a host was infected was 145 days, while 90 infected computers were only infected for one day, 145 were infected for over 400 days.
Who is behind this? Obvious elephant in the room is that it was collected by China for military/intel purposes
There are other explanations
The distribution of network could have been random from an intitial high-profile target, could have skewed
We thought initially that it was Tibet specific
Could have been collected for sale to criminals
Or could be a setup. Making use of the fact that there is this frame of reference through China. If I wanted to attack, I probably would hide through China.
Nature of attacks would not lend itself to typical cybercrime attacks.
Was geared towards extracting information
This is off-the-shelf stuff. What you’re exploiting is not code, but people. That’s scary. Even with really unsophisticated stuff, you can take over high profile systems and go undetected.
Collection vs. Exploitation: if you want to make use of this data, you have to have a lot of resources, have to have a lot of political, linguistic skills (09h42 Tallinn time)
Collection is easy. Exploitation is hard.
Ultimately we don’t know who was behind GhostNet. What’s interesting for us is that it existed at all. There’s probably a lot more like it. We just happened to uncover this one. We got lucky with our friend Google.
What do we do with this info now that we have it?
Typically we’d go to CERT — but would I give it to China CERT?
We gave it to Public Safety Canada (CCIRC)
Apparently there are a lot of legal barriers to disclosure of this information.
Since we were able to identify particular people, will that person be harmed.
There are all these legal steps. There still hasn’t been complete disclosure to the organizations that were affected.
After NY Times story hit, 24 hours later, the network started to come down. Took domain names and changed IP addresses. And that’s where things stand. (09h46 Tallinn time)