Computer hackers based in China built up a network of compromised computers in the offices of the Dalai Lama and many other national government offices and organisations around the world, Canadian computer security researchers have revealed.

The network, nicknamed GhostNet, included over 1295 computers belonging to the Tibetan Government in Exile, embassies belonging to countries including India, South Korea and Germany, the Association of Southeast Asian Nations, and the Asian Development Bank.

The investigation was carried out by Information Warfare Monitor (IWM) – an organisation formed by Canadian think tank, the Secdev Group – and a laboratory at the Munk Centre for International Studies, University of Toronto.

Email lure

IWM hacked into the control servers running GhostNet, using information gleaned by University of Cambridge computer scientists Ross Anderson and Shishir Nagaraja, who last year cleaned up computers from the Dalai Lama’s office that had been infected with malicious software, nicknamed malware.


IWM say it is unclear whether the attacks were carried out with the support of the Chinese government, or whether they were the work of isolated hackers. The Chinese government has denied all involvement.

GhostNet is run from 10 servers, IWM says. Most of them are in China – at Hainan, Guangdong, Jiangsu and Sichuan – while two others are in Hong Kong and the mainland United States.

The network uses a Trojan, a program that seems innocuous to the computer user but, when run, a hidden part of it causes harm or allows outside access to a machine. In this case, emails were used to spread the Trojan – called gh0st RAT – either by sending the malware as an attachment or by using a web link to direct a person to a site where it was downloaded.

Targeted attacks

The emails seem to have been carefully crafted to maximise the chances of someone installing the Trojan. For example, the Dalai Lama’s office was infected after a member of staff opened an email that apparently came from the email address “campaigns@freetibet.org” and downloaded a Microsoft Word document that appeared to relate to Tibetan independence.

In recent years, security services have frequently blamed cyber attacks on other governments, although comprehensive proof of their being used in such a way has not been made public. The Pentagon is now investing in greater cyber-defences for the US, while the UN recently added cyber weapons to the list of those considered by its body that advises on weapons of mass destruction.

As a sign of the shifting face of war, NATO last year opened its first “cyber defence centre”, dedicated to protecting its member nations from such attacks.

Read the full IWM report