The existence and operation of massive, coordinated, government-affiliated online espionage networks is typically the province of television or the silver screen, rather than the subject of research. In the real world, even a direct link between online and offline action (Russia's invasion of Georgia and the simultaneous online attacks against that country are a good example) is not enough to automatically prove that the government behind the one is automatically behind the other. We've covered the rise of hacktivism previously on Ars; as more citizens come online, we'll undoubtedly see more of this type of crowdsourced aggression in the future.

Researchers in Toronto, however, may have actually discovered and tracked a hacking effort that can be traced back to a foreign intelligence network—China's, in this case—over the past ten months. The team, which is affiliated with the Munk Centre for International Studies, has published an extensive report on the activities of what they dub GhostNet. Their investigation took place from June 2008 through March of 2009, and focused on allegations that the Chinese had engaged in systemic online espionage activities against the Tibetan community. GhostNet was spread through the use of a wide variety of Trojans, many of which were controlled through a program nicknamed gh0st RAT (Remote Access Tool).

The report can be read (PDF) in one of two ways: either as a primer on the operation and capabilities of both the gh0st RAT tool and the GhostNet network, or as an intelligence document detailing (with some redactions) where GhostNet infections were found and, perhaps more importantly, where the espionage network's C&C servers appear to be located. For the purposes of this discussion, we're going to focus more on the sociopolitical implications of GhostNet and less on the technical details. It will have to suffice to say that gh0st RAT is apparently a complex and nasty bit of business that does not rely on the successful installation of one particular Trojan in order to operate.

Its various payloads appear to have been delivered using standard social engineering and/or spear phishing techniques. This could be seen as further proof that relatively simple attack vectors are sufficient to overwhelm the security training and/or antivirus software of high-level government institutions; many of the targets GhostNet infiltrated should never be susceptible to a gussied up version of a social engineering attack.

Just because you're paranoid...

China has been accused of attacking a number of groups and institutions through the use of cyber espionage, a fact which already put it high on the research team's "countries of interest" list. The team's investigation ended up focused on Tibet in particular "because of the unprecedented access that we were granted to Tibetan institutions through one of our researchers and persistent allegations that confidential information on secure computers was somehow being compromised." The report notes that the lead field researcher had a substantial history of working with the Tibetan community, and was able to secure access to "the private office of the Dalai Lama, the Tibetan Government-in-Exile (TGIE), and a number of Tibetan non-governmental organizations" (NGOs).

The group's on-site research identified infected systems within the Office of His Holiness the Dalai Lama (OHHDL), the network of the TGIE, and the offices of a Tibetan NGO, TibTec. In the latter's case, there was already anecdotal evidence of espionage within the Drewla Initiative Project. According to its description, "Drewla ('connection' in Tibetan) is an online outreach project...that employs Tibetan youth with Chinese language skills to chat with people in mainland China and in the diaspora, raising awareness about the Tibetan situation, sharing the Dala Lama's teachings, and supplying information on how to circumvent...government censorship on the Internet."

This is rather obviously the sort of project the Chinese government would be less than fond of. The anecdotal evidence we mentioned is given on page 29/53 of the PDF, which tells the story of a young member of Drewla who was returning to her family in Tibet after two years away. She was detained at the Nepalese/Tibetan border and held for two months. Accused of participating in the Drewla Initiative, "She denied having been politically active and insisted that she had gone to Dharamsala for studies. In response...the intelligence officers pulled out a dossier on her activitiies and presented her with full transcripts of her Internet chats over the years. They indicated that they were fully aware of, and were monitoring, the Drewla outreach initiative."

...doesn't mean they aren't out to get you

GhostNet is extremely selective for a malware network. The Toronto researchers listed the following systems as ones they are highly confident have been compromised:

ASEAN (Association of Southeast Asian Nations)

Asian Development Bank

Associated Press, UK

Consulate General of Malaysia, Hong Kong

Department of Foreign Affairs, Indonesia

Department of Foreign Affairs, Philippines

International Campaign for Tibet

NATO (SHAPE HQ)

Office of the Dalai Lama, India

Russian Federal University Network, Russian Federation

Students for a Free Tibet, US

Taiwan Government Service network, Taiwan

Tibetan Government in Exile, India

Ommitted from that list is any mention of the dozen-plus embassies believed to be infected across Southeast Asia or in other geographical areas of interest to China. As the authors themselves point out, there are plausible explanations for GhostNet that do not require it to be an espionage tool of the Chinese government, though they think that this explanation is both the most obvious and "the one in which the circumstantial evidence tilts the strongest." The fact that the attack IPs examined resolve back "in at least several instances to Hainan Island, home of the Lingshui signals intelligence facility and the Third Technical Department of the People's Liberation Army" definitely helps this case.

Alternatives must, however, be considered. These include the possibility that GhostNet is essentially a fluke, a deliberate creation of a foreign power other than China (but with a similar set of interests), or the creation of a group searching for information to sell at a profit. This last option is most plausible if we consider the likelihood that there are many GhostNets in operation around the world, each designed to monitor its own particular interests. As the authors note, they "can safely hypothesize that it [GhostNet] is neither the first nor the only one of its kind."