Wireshark makes it possible to watch an unencrypted Internet chat session while it is taking place, or in the case of Mr. Walton’s research in India, to watch as Internet attackers copied files from the Dalai Lama’s network.

In almost every case, when the Ghostnet system administrators took over a remote computer they would install a clandestine Chinese-designed software program called GhOst RAT  for Remote Administration Terminal. GhOst RAT permits the control of a distant computer via the Internet, to the extent of being able to turn on audio and video recording features and capture the resulting files. The operators of the system  whoever they were  in addition to stealing digital files and e-mail messages, could transform office PCs into remote listening posts.

The spying was of immediate concern to the Tibetans, because the documents that were being stolen were related to negotiating positions the Dalai Lama’s political representatives were planning to take in negotiations the group was engaged in.

After returning to Canada, Mr. Walton shared his captured data with Mr. Villeneuve and the two used a second tool to analyze the information. They uploaded the data into a visualization program that had been provided to the group by Palantir Technologies, a software company that has developed a program that allows investigators to “fuse” large data sets to look for correlations and connections that may otherwise go unnoticed.

The company was founded several years ago by a group of technologists who had pioneered fraud detection techniques at Paypal, the Silicon Valley online payment company. Palantir has developed a pattern recognition tool that is used both by intelligence agencies and financial services companies, and the Citizen Lab researchers have modified it by adding capabilities that are specific to Internet data.

Mr. Villeneuve was using this software to view these data files in a basement at the University of Toronto when he noticed a seemingly innocuous but puzzling string of 22 characters reappearing in different files. On a hunch, he entered the string into Google’s search engine and was instantly directed to similar files stored on a vast computerized surveillance system located on Hainan Island off the coast of China. The Tibetan files were being copied to these computers.

But the researchers were not able to determine with certainty who controlled the system. The system could have been created by so-called patriotic hackers, independent computer activists in China whose actions are closely aligned with, but independent from, the Chinese government. Or it could have been created and run by Internet spies in a third country.