
Nart Villeneuve, Greg Walton and Ronald Deibert, discoverers of GhostNet, at the Munk Centre in Toronto on March 29, 2009. (Photo: Jennifer Roberts)

Against the backdrop of humming computers in the underground lab in Toronto's Munk Centre for International Studies, a screen flickered, and the most politically explosive cyber-spy network in the world began to reveal itself.

It was March 6, 12:33 p.m., and Nart Villeneuve was getting frustrated. The 34-year-old international relations student and part-time tech geek had tried everything to track down a piece of malicious software that had infected computers around the world, including those in the offices of the Dalai Lama.

Finally, he turned to the ultimate hacker's tool: He entered some of the code from those infected computers into Google. Just like that, he found one of the cyber-spy network's control servers, then another, and another. From that Eureka moment came a flood of information, almost all of it suggesting the ring originated in China.

A team of Canadian researchers revealed this weekend a network, dubbed GhostNet, of more than 1,200 infected computers worldwide that includes such "high-value targets" as Indonesia's Ministry of Foreign Affairs and the Indian Embassy in Kuwait, as well as a dozen computers in Canada.

The revelation left government bodies around the world scrambling to determine what sensitive files may have been compromised by the cyber-spy network, which even now continues to spread and infect, its authors apparently undaunted by all the extra attention.

The revelation that the vast majority of the attacks appear to originate from China has prompted an angry denial from Beijing, which slammed the report as nonsense.

But that hasn't stopped the bombshell investigation from attracting the attention of myriad intelligence and law enforcement agencies, including the FBI, the U.S. Department of Homeland Security and Canada's Communications Security Establishment.

Indeed, it's hard to believe that what has now been revealed as a massive cyber breach began just a few months ago in a room at the foothills of the Himalayas, with a Canadian researcher watching a 'ghost' steal a file from the Dalai Lama.

Greg Walton showed up in Dharamsala, India, in September of last year to determine whether somebody was trying to spy on the Dalai Lama's computer. With a background in international relations and computer science, the British-born 34-year-old had been advising the Tibetan government on security issues since the late 1990s. The Dalai Lama's Geneva-based adviser had recently asked him to check whether Tibetan government computers had been the subject of an attack.

"We were granted unprecedented access to the private office and to the computer systems," says Mr. Walton, who is one of three researchers at the Munk Centre's Citizen Lab - along with Mr. Villeneuve and lab head Ron Deibert - who worked on the 10-month investigation in conjunction with the SecDev Group, an Ottawa-based consultancy.

What Mr. Walton found was a thoroughly compromised computer system, infected with so-called "malware" that allowed a mysterious outside entity to not only spy on the computer, but also extract data from it. Researchers watched someone, somewhere, extract a copy of a document detailing the negotiating positions of the Dalai Lama's envoy.

"What we were witnessing was an international crime taking place," says Prof. Deibert.

Mr. Walton recorded the activity and eventually returned to Toronto with some 1.2 gigabytes of raw data - countless lines of often-incomprehensible code - for Mr. Villeneuve to sift through.

The researchers at the Citizen Lab weren't new to this kind of thing. Last year, they revealed the logging of millions of text messages sent by users of a Chinese Skype service. Mr. Villeneuve had learned some tricks during that endeavour, such as searching for improperly configured servers and sifting through their directories for useful files.

He tried the same tricks this time, but nothing worked. The researchers knew there was a backbone behind the malicious software on the Dalai Lama's office computers, but they couldn't pinpoint it.

Then one day, a couple of weeks ago, Mr. Villeneuve came across a line of code that appeared to begin with a number that signified a date.

In an interview yesterday, he was momentarily reluctant to disclose the seemingly elite hacker's tool he unleashed on that piece of code in order to get it to spill its secrets.

Finally, he said: "I put it in Google, man."

The obvious paid off. Soon, Mr. Villeneuve was led to a U.S.-based server that turned out to be one of the so-called "control" servers behind the malicious code. Whoever Mr. Villeneuve was following turned out to be very systematic in his approach, and the researcher found that changing a single number or letter in a piece of code led him to another control server.

Soon, the investigators found four control servers, each containing a list of all infected computers that had reported to the server, as well as code to issue and monitor commands to the infected computers. If the 1,295 infected computers in 103 different countries were the limbs, the four servers were the spine, and three of those servers were located in China.

Prof. Deibert is cautious not to allege that the Chinese government is behind the cyber-spy network, saying he simply does not have hard evidence to support that conclusion. What the researchers do have is circumstantial evidence.

"The evidence that we have shows that the majority of the control servers were located in China," says Mr. Villeneuve. "The interface to controlling the infected hosts on these servers in China was in Chinese. And the remote Trojan favoured by the attackers is a Trojan coded by Chinese hackers."

One of the four servers, located in Hainan Island, also traced back to a Chinese government server.

(Chinese officials in Canada could not be reached for comment yesterday, but Beijing has reportedly denied any involvement in the cyber-spy ring).

Looking to learn more about how the infiltration network functions, the Canadian researchers launched a trap. They set up a "honey-pot" computer and downloaded as much malicious code onto it as possible. They watched as the mysterious entity at the other end of the cyber-spy network took over, first asking for basic information, such as the computer's processor and memory specifications.

Then the thief rummaged through folders such as "My Documents." He also looked for geographic information, where the computer was located.

There was no doubt that this was not a random spy network. The list of infected computers tilted heavily toward pro-Tibet organizations and Indian embassies. The Tibetan headquarters are located in India.

The Canadian researchers were also presented with concrete examples where the virtual snooping had real-world implications. In one case, a young woman who works for a Tibetan outreach group was detained by Chinese intelligence agents at the Nepalese-Tibetan border and interrogated. During the interrogation, she was presented with transcripts of her on-line chats dating back years.

The researchers eventually concluded that about 30 per cent of all infected computers were so-called high-value targets, such as embassies, ministries and news organization machines.

They also traced 12 infected computers back to Canada, but could not pinpoint them. They could make an educated guess about their owners, though - the Canadian computer information returned to the malicious servers included the "name" a user gives their computer, and in many cases the name was a commonly used Tibetan first name, the researchers said, indicating the user is likely Tibetan in origin.

The honey-pot computer was eventually instructed to download a copy of the GhostNet "remote access tool," a piece of software that gives an external user the same level of control over a computer as if he were sitting directly in front of the machine. In effect, the entity using this tool could order an infected computer to do everything from turn on its video camera to copy documents to record audio. Not only was the cyber-spy network targeting strategic computers around the world, but it also seemed to have the power to fully control them.

After 10 months of investigation, the Canadian researchers decided to go public with their data this weekend. Media outlets from around the world began calling, and governmental bodies began checking and rechecking their machines.

Other agencies, including the FBI, the U.S. National Security Administration and Canada's Communications Security Establishment, also took notice.

"In air traffic control, we don't have people flying with no flight path," says Rafal Rohozinski, CEO of the SecDev Group and one of the co-authors of the investigation. He and his partners are trying to use their findings to spur governments into action on controlling this kind of information warfare.

"We need to begin thinking about ways of implementing arms control in cyberspace," says Prof. Deibert.

Yesterday, Mr. Villeneuve looked at his computer screen and noticed no slowdown in the cyber-spy ring. The infection, it seems, continues to spread.


Infiltrated 'high-value' locations

Canadian researchers found more than 1,000 infected computers in an illegal cyber spy network. Among the locations of the most "high-value" machines that were infiltrated:

Deloitte & Touche, the United States

The embassies of India in Belgium, Serbia, Germany, Italy, Kuwait and the United States

Embassy of Pakistan in Bahrain

International Campaign for Tibet, the Netherlands

Ministry of Foreign Affairs, Iran

NATO, the Netherlands

Office of Dalai Lama, India

Associated Press, United Kingdom

Department of Science and Technology, Philippines

Prime Minister's Office, Laos

Students for a Free Tibet, the United States


The infection cycle

The process by which an unsuspecting user's computer becomes infected begins with a simple e-mail and ends with the computer under the complete control of another party.

1. An e-mail message arrives in a user's inbox and contains an attachment such as a Microsoft Word or PDF file. It appears harmless but enticing.

2. The user opens the attachment, which unleashes a piece of malicious code on his machine.

3. The code exploits a vulnerability in the user's computer, and uses it to order the computer to connect with a server somewhere else in the world.

4. The computer connects to the server, and in the process essentially opens itself to control by whoever is at the other end of that server.

5. The server to which an infected computer connects is only one of several such servers. That way, if authorities shut down one server, the others can continue to spread the virtual infection. All such servers also communicate with one another.

6. The other servers continue the same infection relationship with other computers, continuing the cycle.
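As an added illustration (not part of the original article), this is the kind of check a defender would run over outbound connection logs for the pattern described in steps 4 and 5: an internal host that reports in at regular intervals to any of a set of control servers, rotating among several of them. The log lines, host names and 203.0.113.x addresses are constructed placeholders; real indicators come from the researchers' report, not from this example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed proxy-style log lines: timestamp, internal host, destination, bytes sent.
SAMPLE_LOG = """\
2009-03-06T12:00:05 ws-tibet-01 203.0.113.10 412
2009-03-06T12:00:09 ws-finance-02 198.51.100.5 13020
2009-03-06T12:05:06 ws-tibet-01 203.0.113.10 410
2009-03-06T12:10:04 ws-tibet-01 203.0.113.11 415
2009-03-06T12:15:05 ws-tibet-01 203.0.113.10 411
2009-03-06T12:20:07 ws-tibet-01 203.0.113.12 409
2009-03-06T12:31:40 ws-finance-02 198.51.100.5 2300
"""

# Placeholder addresses standing in for the control servers (documentation range, not real IoCs).
CONTROL_SERVERS = {"203.0.113.10", "203.0.113.11", "203.0.113.12"}

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+)$")


def parse_log(text):
    """Parse the constructed log format into (timestamp, host, destination, bytes) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m.group(1)), m.group(2), m.group(3), int(m.group(4))))
    return events


def find_beaconing_hosts(events, servers, min_contacts=3, max_jitter_s=30):
    """Flag hosts that contacted known control servers at least min_contacts times.

    'regular' is True when the spread between check-in intervals is within max_jitter_s,
    the fixed-interval reporting typical of an implant rather than a person browsing.
    'servers' lists every control server the host talked to, so rotation across the
    redundant servers of step 5 is visible in one record.
    """
    by_host = defaultdict(list)
    for ts, host, dst, _ in events:
        if dst in servers:
            by_host[host].append((ts, dst))
    findings = {}
    for host, contacts in by_host.items():
        if len(contacts) < min_contacts:
            continue
        contacts.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(contacts, contacts[1:])]
        findings[host] = {"servers": sorted({d for _, d in contacts}),
                          "count": len(contacts),
                          "regular": max(gaps) - min(gaps) <= max_jitter_s}
    return findings
```

On the sample, ws-tibet-01 is flagged with five check-ins about five minutes apart across all three placeholder servers, while ws-finance-02's irregular traffic to an unrelated address is not.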