Canadian researchers have uncovered a vast "Shadow Network" of online espionage based in China that used seemingly harmless means such as e-mail and Twitter to extract highly sensitive data from computers around the world.
Stolen documents recovered in a year-long investigation show the hackers have breached the servers of dozens of countries and organizations, taking everything from top-secret files on missile systems in India to confidential visa applications, including those of Canadians travelling abroad.
The findings, which are part of a report that will be made public today in Toronto, will expose one of the biggest online spy rings ever cracked. Written by researchers at the University of Toronto's Munk Centre for International Studies, the Ottawa-based security firm SecDev Group and a U.S. cyber sleuthing organization known as the Shadowserver Foundation, the report is expected to be controversial.
The researchers have found a global network of "botnets," computers controlled remotely and made to report to servers in China. Along with those servers, the investigators located where the hackers stashed their stolen files, allowing a glimpse into what the spy ring is looking for.
"Essentially we went behind the backs of the attackers and picked their pockets," said Ron Deibert, director of the Citizen Lab at the Munk School of Global Affairs, which investigated the spy ring.
The report, titled Shadows in the Cloud, comes one year after the same team discovered a spy ring with links to China that it dubbed GhostNet. Using information gleaned from that investigation, investigators followed a trail of websites that led to a much larger operation, also with links to China.
The report is careful not to conclude the Chinese government is behind the operation, since it is difficult to tell who is orchestrating the attacks. Last year, the Chinese government denied any involvement in GhostNet after the researchers uncovered nearly 1,300 infected computers in 103 countries linked to servers in China.
But the most heavily compromised computers belong to the exiled Tibetan leader, the Dalai Lama, whom China denounces.
Almost every e-mail sent to or from the Dalai Lama's offices in 2009 has shown up in the files, the report says. Nearby India has also taken the brunt of the cyber attacks, with numerous secret government documents recovered by the Canadian researchers. They include 78 documents related to the financing of military projects in India, details of live fire exercises and missile projects, and two documents marked "secret" belonging to the national security council.
Sensitive data from 16 countries, such as visa applications by Canadian citizens, were also recovered. It is believed the hackers accessed those files through compromised computers at India's embassies in Kabul, Dubai, Nigeria and Moscow.
Rafal Rohozinski, a principal of the SecDev Group and a principal investigator and co-author of the report, said such a collection of sensitive information represents a new era in online spying. A decade ago, hackers generally looked for quick paydays - for example, by blocking access to a gambling site and demanding a ransom. But the Shadow Network operation exposes much bigger game: information that, if it isn't being collected by governments, could be sold to the state.
"It's like the world of art theft, where you steal things that have a very high value, so long as you can find a buyer," Mr. Rohozinski said.
"So the question of course is, who's the buyer? Is the buyer paying the thief to go after this stuff, or is the thief doing it themselves because they know they can find a buyer? That's one of those things that we don't really have a good answer for."
A small number of computers at the University of Western Ontario were also found to be connected to the network, and potentially used to hand over files, although it is not clear how they were affected. Similarly, computers at New York University and Kaunas University of Technology in Lithuania were also linked to the infected network.
The Shadow Network structure was ingenious for its simplicity. Command servers, which are used to issue instructions to compromised computers - such as "send me all of your documents" - reached victims through a variety of seemingly innocent services such as Google Groups, Yahoo e-mail and Twitter accounts. Those intermediaries were used to relay links or files to a recipient in a target organization. Once the user clicks on the link or opens the attachment in a malicious e-mail, the infected computer sends a beacon to the command server, which instructs it to start sending files to a dump zone. Because the check-ins travel over the same web services employees use every day, they blend into ordinary traffic; what sets them apart is the clockwork regularity of a program polling on a timer.
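The following is an added example of one way a network defender could look for that kind of check-in; it is not code from the report or from its authors. It scans constructed web-proxy log lines for hosts that contact a relay service at near-constant intervals. The log format, the list of relay hostnames and the thresholds are assumptions chosen for the illustration.

```python
"""Beacon-regularity check over constructed web-proxy log lines.

Added example, not from the Shadows in the Cloud report. The report describes
implants that check in to command servers by way of ordinary web services
(Google Groups, Yahoo mail, Twitter). A scheduled beacon tends to poll at a
fixed interval, whereas a person reading the same sites does not, so this
script flags (source, host) pairs whose request gaps have very low jitter.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Assumed hostnames for the kinds of services the report names.
RELAY_HOSTS = {"twitter.com", "groups.google.com", "mail.yahoo.com"}

# Constructed sample log: "timestamp src_ip method host path status".
# 10.1.1.20 polls a Twitter feed every ~300 s; 10.1.1.31 browses by hand.
SAMPLE_LOG = """\
2009-11-03T09:00:00 10.1.1.20 GET twitter.com /statuses/user_timeline/x.rss 200
2009-11-03T09:05:01 10.1.1.20 GET twitter.com /statuses/user_timeline/x.rss 200
2009-11-03T09:10:00 10.1.1.20 GET twitter.com /statuses/user_timeline/x.rss 200
2009-11-03T09:14:59 10.1.1.20 GET twitter.com /statuses/user_timeline/x.rss 200
2009-11-03T09:20:00 10.1.1.20 GET twitter.com /statuses/user_timeline/x.rss 200
2009-11-03T09:01:12 10.1.1.31 GET twitter.com / 200
2009-11-03T09:03:40 10.1.1.31 GET twitter.com /home 200
2009-11-03T09:47:05 10.1.1.31 GET twitter.com /search 200
2009-11-03T11:20:18 10.1.1.31 GET twitter.com /home 200
2009-11-03T09:02:00 10.1.1.45 GET groups.google.com /group/abc/feed/rss 200
"""


def parse(log_text):
    """Group request timestamps by (source IP, destination host)."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, _method, host, _path, _status = line.split()
        events[(src, host)].append(datetime.fromisoformat(ts))
    return events


def find_beacons(log_text, min_hits=4, max_jitter=0.15):
    """Return [(src, host, mean_gap_seconds, jitter)] for regular check-ins.

    jitter is the coefficient of variation of the inter-request gaps
    (population stdev / mean); a scripted timer gives a value near zero.
    Thresholds are assumptions for the demo, not values from the report.
    """
    hits = []
    for (src, host), stamps in parse(log_text).items():
        if host not in RELAY_HOSTS or len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        jitter = pstdev(gaps) / avg
        if jitter <= max_jitter:
            hits.append((src, host, round(avg, 1), round(jitter, 3)))
    return hits


if __name__ == "__main__":
    for src, host, gap, jitter in find_beacons(SAMPLE_LOG):
        print(f"{src} -> {host}: every {gap}s (jitter {jitter})")
```

On the sample, only 10.1.1.20 is reported (a 300-second cadence with almost no variance); 10.1.1.31's visits are too irregular. A low-jitter hit is a triage signal rather than proof of compromise, since legitimate feed readers and update checkers also poll on timers, so the next step is to look at what the flagged host fetched and whether it later uploaded anything unusual.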
The revelations are a warning to governments, Mr. Deibert said, since countries are only as strong as their weakest link in a global data network. So while files may be safe in paper form in a locked cabinet, as soon as nations begin exchanging data electronically, cracks can be exploited, as they appear to have been with India.
"Unfortunately, Canada has no cyber security strategy, although one's been promised for many years," Mr. Deibert said. "We have no foreign policy for cyberspace either, which is mind boggling, considering how important this domain is for us."