Nart Villeneuve, Greg Walton and Ronald Deibert, discoverers of GhostNet, at the Munk Centre in Toronto on March 29 2009. (JENNIFER ROBERTS/JENNIFER ROBERTS FOR THE GLOBE AND MAIL)

Hacktivism

Meet the Canadians who busted GhostNet

"In air traffic control, we don't have people flying with no flight path," says Rafal Rohozinski, CEO of the SecDev Group and one of the co-authors of the investigation. He and his partners are trying to use their findings to spur governments into action on controlling this kind of information warfare.

"We need to begin thinking about ways of implementing arms control in cyberspace," says Prof. Deibert.

Yesterday, Mr. Villeneuve looked at his computer screen and noticed no slowdown in the cyber-spy ring. The infection, it seems, continues to spread.

***

Infiltrated 'high-value' locations

Canadian researchers found more than 1,000 infected computers in an illegal cyber spy network. Among the locations of the most "high-value" machines that were infiltrated:

Deloitte & Touche, the United States

The embassies of India in Belgium, Serbia, Germany, Italy, Kuwait and the United States

Embassy of Pakistan in Bahrain

International Campaign for Tibet, the Netherlands

Ministry of Foreign Affairs, Iran

NATO, the Netherlands

Office of Dalai Lama, India

Associated Press, United Kingdom

Department of Science and Technology, Philippines

Prime Minister's Office, Laos

Students for a Free Tibet, the United States

***

The infection cycle

The process by which an unsuspecting user's computer becomes infected begins with a simple e-mail and ends with the computer under the complete control of another party.

1. An e-mail message arrives in a user's inbox and contains an attachment such as a Microsoft Word or PDF file. It appears harmless but enticing.

2. The user opens the attachment, which unleashes a piece of malicious code on his machine.

3. The code exploits a vulnerability in the user's computer, and uses it to order the computer to connect with a server somewhere else in the world.

4. The computer connects to the server, and in the process essentially opens itself to control by whoever is at the other end of that server.

5. The server to which an infected computer connects is only one of several such servers. That way, if authorities shut down one server, the others can continue to spread the virtual infection. All such servers also communicate with one another.

6. The other servers continue the same infection relationship with other computers, continuing the cycle.

CARRIE COCKBURN/THE GLOBE AND MAIL

SOURCE: TRACKING GHOSTNET, INFORMATION WARFARE MONITOR, MARCH 29, 2009

Follow on Twitter: @omarelakkad
