Nart Villeneuve, Greg Walton and Ronald Deibert, discoverers of GhostNet, at the Munk Centre in Toronto on March 29 2009. (JENNIFER ROBERTS/JENNIFER ROBERTS FOR THE GLOBE AND MAIL)


Meet the Canadians who busted GhostNet

Finally, he said: "I put it in Google, man."

The obvious paid off. Soon, Mr. Villeneuve was led to a U.S.-based server that turned out to be one of the so-called "control" servers behind the malicious code. Whoever Mr. Villeneuve was following turned out to be very systematic in his approach, and the researcher found that changing a single number or letter in a piece of code led him to another control server.

Soon, the investigators found four control servers, each containing a list of all infected computers that had reported to the server, as well as code to issue and monitor commands to the infected computers. If the 1,295 infected computers in 103 different countries were the limbs, the four servers were the spine, and three of those servers were located in China.

Prof. Deibert is cautious not to allege that the Chinese government is behind the cyber-spy network, saying he simply does not have hard evidence to support that conclusion. What the researchers do have is circumstantial evidence.

"The evidence that we have shows that the majority of the control servers were located in China," says Mr. Villeneuve. "The interface to controlling the infected hosts on these servers in China was in Chinese. And the remote Trojan favoured by the attackers is a Trojan coded by Chinese hackers."

One of the four servers, located in Hainan Island, also traced back to a Chinese government server.

(Chinese officials in Canada could not be reached for comment yesterday, but Beijing has reportedly denied any involvement in the cyber-spy ring.)

Looking to learn more about how the infiltration network functions, the Canadian researchers launched a trap. They set up a "honey-pot" computer and downloaded as much malicious code onto it as possible. They watched as the mysterious entity at the other end of the cyber-spy network took over, first asking for basic information, such as the computer's processor and memory specifications.

Then the thief rummaged through folders such as "My Documents." He also looked for geographic information, where the computer was located.

There was no doubt that this was not a random spy network. The list of infected computers tilted heavily toward pro-Tibet organizations and Indian embassies. The Tibetan headquarters are located in India.

The Canadian researchers were also presented with concrete examples where the virtual snooping had real-world implications. In one case, a young woman who works for a Tibetan outreach group was detained by Chinese intelligence agents at the Nepalese-Tibetan border and interrogated. During the interrogation, she was presented with transcripts of her on-line chats dating back years.

The researchers eventually concluded that about 30 per cent of all infected computers were so-called high-value targets, such as embassies, ministries and news organization machines.

They also traced 12 infected computers back to Canada, but could not pinpoint them. They could make an educated guess about their owners, though - the Canadian computer information returned to the malicious servers included the "name" a user gives their computer, and in many cases the name was a commonly used Tibetan first name, the researchers said, indicating the user is likely Tibetan in origin.

The honey-pot computer was eventually instructed to download a copy of the GhostNet "remote access tool," a piece of software that gives an external user the same level of control over a computer as if he were sitting directly in front of the machine. In effect, the entity using this tool could order an infected computer to do everything from turning on its video camera to copying documents to recording audio. Not only was the cyber-spy network targeting strategic computers around the world, but it also seemed to have the power to fully control them.

After 10 months of investigation, the Canadian researchers decided to go public with their data this weekend. Media outlets from around the world began calling, and governmental bodies began checking and rechecking their machines.

Other agencies, including the FBI, the U.S. National Security Administration and Canada's Communications Security Establishment, also took notice.
