CCDCOE conference, June 18

Nart Villeneuve, “Tracking GhostNet”:

One of our staff has been working with Tibetan communities for 10 years.

Art of investigation: raise more questions than answers. This is good, as we have limitations.

Data is hard to come by. Organizations are not generally willing to collect their data or provide you with samples of malicious files, you have to cultivate sources, and earn trust (within NGO community).

We hear a lot of news coverage, they’re often incomplete, with little to no data. (09h11 Tallinn time)

Sometimes there might be political events associated with the attacks.

We fully explore alternative explanations

We try to explore avenues that would try to explain why we’re seeing these types of attacks.

Our investigation was conducted in three stages:

1) Field research in Tibetan communities
2) Analysis of data during field research, identify and explore C&C servers
3) Infection of test computers with malware obtained from C&C computers

Drewla: The domain names that they like to use are misspellings of known software products

Drewla: They employ young Tibetans who speak Chinese and who can go online to communicate a positive message about Tibetans

Tom Skype: Was censoring certain words when you used the text chat (well known in 2006), Skype admitted to it

When we took it apart: when I typed certain words, there was an HTTP connection

They hadn’t turned off directory listings

Saw lots of encrypted log files; two log files up was the decryption key (09h19 Tallinn time)

Seven such servers

contentfilter*.log – ip, username, message, date, time (+ unknown parameters)

Half were collected because they had porn, others political words

There were a lot of messages that contained sensitive words in Mandarin

Some were so short that they couldn’t have been captured by just keywords

Were able to map out who was talking to whom. Not only from the chat data, but also from SkypeOut if you’re calling a landline.

Potentially through one of the means that China was able to obtain records.

Confronted Skype, and they admitted that they were required to do this by the Chinese government

One was a domain for checking in and another was used to upload files, split into pieces

We asked the owner of this computer: what is this? It contained details of the Dalai Lama’s negotiating position

We didn’t know anything more about the servers

That left us with another set of connections from Office of Dalai Lama

HTTP GET requests to IP in Hainan-Telecom

Found control site by searching IP in Google

Commands in the drop-down related to forcing the host to get new malware, or acquiring system information from the infected computer

RAM, hard drive, programs, list of file names in your My Documents folder and a dump of all your current network connections

Each command was assigned a unique ID. Would point users to download more software from another server. (09h25 Tallinn time)

Attacker also wants to take real-time control to be able to rifle through files and transfer data, capture audio

This is a common tool

We started collecting other IP addresses and domain names that the attacker used. Some of the servers had directory listings on. What we found was that one of the pieces of malware connected to control server, we started to be able to piece together how the attacker was able to infect those computers.

We didn’t know how they got infected.

Attacker likes to send out PDFs and .docs packed with exploits

Hainan Island was significant

Later versions used lookups

Geographically all of the control servers were in China, except for one, which was on a hosting service in California (that was indexed by Google)

I have a healthy fear of prison — there was no hacking involved.

Direct connections to a server

If you have the Google Toolbar and you visit a website that Google doesn’t know about, it likely will index it

They didn’t put the site behind a password

Started to try to identify who the hosts were. One was the computer name.

Victims were embassies, govt institutions — like Ministry of Foreign Affairs of Latvia, NATO computer infected briefly

Found additional targets: Associated Press, Al Jazeera, Taiwan Stock Exchange, Taiwanese airlines, Deloitte (09h34 Tallinn time)

India was the most targeted country (103 different countries)

Also in Europe, especially Indian Embassy in Washington DC, infected repeatedly over a year, including mail server

Mail servers were targeted often

Taiwanese trade office was hit 77 times in a few days

Other than a few days, there’s a few spikes here and there but it seemed to be a stale network

There wasn’t any new infections, nothing new in 2009

Blue spikes are check-ins.

Earliest infected computer is May 22, 2007 and most recent sample is March 12, 2009.

Amount of time that a host was infected was 145 days, while 90 infected computers were only infected for one day, 145 were infected for over 400 days.
Who is behind this? Obvious elephant in the room is that it was collected by China for military/intel purposes

There are other explanations

The distribution of the network could have been random from an initial high-profile target, which could have skewed it

We thought initially that it was Tibet specific

Could have been collected for sale to criminals

Or could be a setup. Making use of the fact that there is this frame of reference through China. If I wanted to attack, I probably would hide through China.

Nature of attacks would not lend itself to typical cybercrime attacks.

Was geared towards extracting information

This is off-the-shelf stuff. What you’re exploiting is not code, but people. That’s scary. Even with really unsophisticated stuff, you can take over high profile systems and go undetected.

Collection vs. Exploitation: if you want to make use of this data, you have to have a lot of resources, have to have a lot of political, linguistic skills (09h42 Tallinn time)

Collection is easy. Exploitation is hard.

Ultimately we don’t know who was behind GhostNet. What’s interesting for us is that it existed at all. There’s probably a lot more like it. We just happened to uncover this one. We got lucky with our friend Google.

What do we do with this info now that we have it?

Typically we’d go to CERT — but would I give it to China CERT?

We gave it to Public Safety Canada (CCIRC)

Apparently there are a lot of legal barriers to disclosure of this information.

Since we were able to identify particular people, will those people be harmed?

There are all these legal steps. There still hasn’t been complete disclosure to the organizations that were affected.

After NY Times story hit, 24 hours later, the network started to come down. Took domain names and changed IP addresses. And that’s where things stand. (09h46 Tallinn time)