A total of five computers at Maltese embassies and a former government entity were hacked by GhostNet, a China-based network of cyber spies who are understood to have gained full control of 1,295 high value computer terminals around the world.
The Malta Embassy to Belgium had one terminal which had four infections on it, while the rest were based in Libya, Australia, Malta and the Malta External Trade Corporation.
The report was compiled by the highly respected Information Warfare Monitor, based in Canada, after Toronto researchers were asked by the Dalai Lama’s offices to examine their computers. Officials had become concerned that communications were being intercepted. The researchers found that the computers had been infected by malicious software – or malware. The attack kicks off after the victim opens an email from the address campaign@freetibet.org which contains a trojan embedded in a Word document.
That discovery led researchers to a group of servers on Hainan Island, off China. Other servers they tracked were based in China’s Xinjiang Uyghur autonomous region, where intelligence units dealing with Tibetan independence groups are based.
The investigation ultimately uncovered a network of over 1,295 infected hosts in 103 countries, the BBC and AP wire services reported. The network has been termed GhostNet.
Up to 30 per cent of the infected hosts are considered high-value targets and include computers located at ministries of foreign affairs, embassies, international organisations, news media, and NGOs. Five Maltese computers were hacked: one each at the embassies in Libya, Australia and Brussels, an unidentified one based in Malta, and a terminal belonging to the Malta External Trade Corporation. The Brussels-based computer had four infections on it.
The Malta Independent, which carried a story on the report in yesterday’s edition, contacted the IT Ministry to ask about the security of the compromised terminals, but no replies were forthcoming.
The report serves as a wake-up call, say the researchers, as the large percentage of high-value targets compromised by this network demonstrates the relative ease with which a technically unsophisticated approach can quickly be harnessed to create a very effective spy network.
Some of the terminals infected include those at the ministries of foreign affairs of Iran, Bangladesh, Latvia, Indonesia, Philippines, Brunei, Barbados and Bhutan; embassies of India, South Korea, Indonesia, Romania, Cyprus, Malta, Thailand, Taiwan, Portugal, Germany and Pakistan; the ASEAN (Association of Southeast Asian Nations) Secretariat, SAARC (South Asian Association for Regional Cooperation), and the Asian Development Bank; news organisations; and an unclassified computer located at NATO headquarters.
The GhostNet system directs infected computers to download a Trojan known as gh0st RAT that allows attackers to gain complete, real-time control. GhostNet is capable of taking full control of infected computers, including searching and downloading specific files, and covertly operating attached devices, including microphones and web cameras.
Once a computer is compromised, the files on it may be mined for contact information and used to spread the malware further through e-mail and document attachments that appear to come from legitimate sources and contain legitimate documents and messages.
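The two paragraphs above describe the gh0st RAT Trojan and how GhostNet spreads from compromised hosts, but not what a defender can look for on the wire. The script below is an added example, not code from the article or from the Information Warfare Monitor report. It assumes the frame layout documented in public analyses of the classic gh0st RAT build: a 5-byte "Gh0st" marker, a 4-byte little-endian total frame length, a 4-byte little-endian uncompressed length, then a zlib-compressed body. Variants of the tool change the marker string, so this check catches only the unmodified protocol. The network flows it scans are constructed samples, not captures from any of the infected embassy terminals.

```python
import struct
import zlib

# Classic gh0st RAT framing as described in public malware analyses
# (assumption: this article does not document the protocol itself).
GH0ST_MAGIC = b"Gh0st"   # 5-byte marker at the start of every frame
HEADER_LEN = 13          # magic(5) + total_len(4, LE) + raw_len(4, LE)


def parse_gh0st_frame(data: bytes):
    """Return (raw_len, payload) if `data` is a well-formed classic gh0st
    RAT frame, otherwise None.  Every field is cross-checked so that a
    stray "Gh0st" string in unrelated traffic does not raise an alert."""
    if len(data) < HEADER_LEN or not data.startswith(GH0ST_MAGIC):
        return None
    total_len, raw_len = struct.unpack_from("<II", data, len(GH0ST_MAGIC))
    # Declared total length must match what was actually carried.
    if total_len != len(data) or total_len < HEADER_LEN:
        return None
    try:
        payload = zlib.decompress(data[HEADER_LEN:])
    except zlib.error:
        return None          # body is not zlib data: not this protocol
    if len(payload) != raw_len:
        return None          # header lies about the uncompressed size
    return raw_len, payload


def build_gh0st_frame(payload: bytes) -> bytes:
    """Pack a payload in the same framing; used here only to construct
    the sample flow below so the detector can be exercised offline."""
    body = zlib.compress(payload)
    header = GH0ST_MAGIC + struct.pack("<II", HEADER_LEN + len(body), len(payload))
    return header + body


def scan_flows(flows):
    """Given (src, dst, first_bytes) tuples from a flow collector, return
    an alert tuple (src, dst, raw_len) for each flow whose first bytes
    form a valid gh0st RAT frame."""
    alerts = []
    for src, dst, first_bytes in flows:
        parsed = parse_gh0st_frame(first_bytes)
        if parsed is not None:
            alerts.append((src, dst, parsed[0]))
    return alerts


# Constructed sample flows (RFC 5737 documentation addresses, not real hosts).
SAMPLE_FLOWS = [
    ("10.0.0.7:51234", "203.0.113.9:443",
     build_gh0st_frame(b"constructed-sample-payload")),
    # A TLS ClientHello-like prefix: should not match.
    ("10.0.0.8:51890", "198.51.100.4:443",
     b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03" + bytes(40)),
    # The marker alone, with a bogus length field: should not match.
    ("10.0.0.9:52001", "192.0.2.17:8080", GH0ST_MAGIC + bytes(8)),
]

if __name__ == "__main__":
    for src, dst, raw_len in scan_flows(SAMPLE_FLOWS):
        print(f"gh0st RAT framing seen {src} -> {dst}, {raw_len} bytes uncompressed")
```

Because the marker sits at the start of every frame, the same check can be applied to the first bytes of each TCP stream by an IDS; the length and zlib cross-checks are what keep a plain string match from firing on coincidental occurrences of "Gh0st" in ordinary traffic.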
“At our Laboratory, we have analysed our own infected ‘honey pot’ computer and discovered that the capabilities of GhostNet are potent and wide ranging. Almost certainly, documents are being removed without the targets’ knowledge, keystrokes logged, web cameras are being silently triggered, and audio inputs surreptitiously activated,” the researchers said.
• Documented evidence of a cyber espionage network – GhostNet – infecting at least 1,295 computers in 103 countries, of which close to 30 per cent can be considered as high-value diplomatic, political, economic, and military targets.
• Documented evidence of GhostNet penetration of computer systems containing sensitive and secret information at the private offices of the Dalai Lama and other Tibetan targets.
• Documentation and reverse engineering of the modus operandi of the GhostNet system – including vectors, targeting, delivery mechanisms, data retrieval and control systems – reveals a covert, difficult-to-detect and elaborate cyber-espionage system capable of taking full control of affected systems.