
Nart Villeneuve, Greg Walton and Ronald Deibert, discoverers of GhostNet, at the Munk Centre in Toronto on March 29 2009. (JENNIFER ROBERTS/JENNIFER ROBERTS FOR THE GLOBE AND MAIL)

Hacktivism

Meet the Canadians who busted GhostNet

Against the backdrop of humming computers in the underground lab in Toronto's Munk Centre for International Studies, a screen flickered, and the most politically explosive cyber-spy network in the world began to reveal itself.

It was March 6, 12:33 p.m., and Nart Villeneuve was getting frustrated. The 34-year-old international relations student and part-time tech geek had tried everything to track down a piece of malicious software that had infected computers around the world, including those in the offices of the Dalai Lama.


Finally, he turned to the ultimate hacker's tool: He entered some of the code from those infected computers into Google. Just like that, he found one of the cyber-spy network's control servers, then another, and another. From that Eureka moment came a flood of information, almost all of it suggesting the ring originated in China.

A team of Canadian researchers revealed this weekend a network of more than 1,200 infected computers worldwide, dubbed GhostNet, that includes such "high-value targets" as Indonesia's Ministry of Foreign Affairs and the Indian Embassy in Kuwait, as well as a dozen computers in Canada.

The revelation left government bodies around the world scrambling to determine what sensitive files may have been compromised by the cyber-spy network, which even now continues to spread and infect, its authors apparently undaunted by all the extra attention.

The revelation that the vast majority of the attacks appear to originate from China has prompted an angry denial from Beijing, which slammed the report as nonsense.

But that hasn't stopped the bombshell investigation from attracting the attention of myriad intelligence and law enforcement agencies, including the FBI, the U.S. Department of Homeland Security and Canada's Communications Security Establishment.

Indeed, it's hard to believe that what has now been revealed as a massive cyber breach began just a few months ago in a room at the foothills of the Himalayas, with a Canadian researcher watching a 'ghost' steal a file from the Dalai Lama.

Greg Walton showed up in Dharamsala, India, in September of last year to determine whether somebody was trying to spy on the Dalai Lama's computer. With a background in international relations and computer science, the British-born 34-year-old had been advising the Tibetan government on security issues since the late 1990s. The Dalai Lama's Geneva-based adviser had recently asked him to check whether Tibetan government computers had been the subject of an attack.

"We were granted unprecedented access to the private office and to the computer systems," says Mr. Walton, who is one of three researchers at the Munk Centre's Citizen Lab - along with Mr. Villeneuve and lab head Ron Deibert - who worked on the 10-month investigation in conjunction with the SecDev Group, an Ottawa-based consultancy.

What Mr. Walton found was a thoroughly compromised computer system, infected with so-called "malware" that allowed a mysterious outside entity to not only spy on the computer, but also extract data from it. Researchers watched someone, somewhere, extract a copy of a document detailing the negotiating positions of the Dalai Lama's envoy.

"What we were witnessing was an international crime taking place," says Prof. Deibert.

Mr. Walton recorded the activity and eventually returned to Toronto with some 1.2 gigabytes of raw data - countless lines of often-incomprehensible code - for Mr. Villeneuve to sift through.

The researchers at the Citizen Lab weren't new to this kind of thing. Last year, they revealed the logging of millions of text messages sent by users of a Chinese Skype service. Mr. Villeneuve had learned some tricks during that endeavour, such as searching for improperly configured servers and sifting through their directories for useful files.

He tried the same tricks this time, but nothing worked. The researchers knew there was a backbone behind the malicious software on the Dalai Lama's office computers, but they couldn't pinpoint it.

Then one day, a couple of weeks ago, Mr. Villeneuve came across a line of code that appeared to begin with a number that signified a date.

In an interview yesterday, he was momentarily reluctant to disclose the seemingly elite hacker's tool he unleashed on that piece of code in order to get it to spill its secrets.
