Inside GhostNet, the China Based Phishing Operation

By Gar Swaffar.
Mar 28, 2009 by  Gar Swaffar - 12 votes, 12 comments

A Canadian group has uncovered what appears to be one of the largest and most invasive phishing operations ever detected.
The phishing scheme was brought to light when the Dalai Lama had the computers used by him and his staff.
The group who unearthed the problem are based at the University of Toronto's Munk Center for International Studies.
The phishing operation, which appears to be predominantly centered in China, has been operating for at least two years and has attacked more than 1,295 computers in at least 103 countries.
The targets have been primarily government offices, the Dalai Lama and others who are opposed to the Chinese government in one form or another.
The GhostNet system has been used to control some opponents of the Tibetan invasion by China in 1959 and other South Asian and Southeast Asian nations.
The researchers at the Munk Center for International Studies have been careful not to ascribe the phishing attack to the Chinese government, but have instead simply noted that the computers being attacked are those which the government of China might benefit from having access to.
One interesting item in the report from the New York Times is the ability of the phishing program to remotely control the microphone and camera of an infected computer in order to watch and listen in on what is occurring in the computer's vicinity.
The phishing or, due to its size, whaling operation is still ongoing and was not random in nature, but instead was seeking specific targets with information of value to the Chinese Government. That is a far cry from the random operations of typical low-level scam artists looking for information to use in identity theft or monetary theft operations.
The electronic spy game has had at least some real-world impact, they said. For example, they said, after an e-mail invitation was sent by the Dalai Lama’s office to a foreign diplomat, the Chinese government made a call to the diplomat discouraging a visit. And a woman working for a group making Internet contacts between Tibetan exiles and Chinese citizens was stopped by Chinese intelligence officers on her way back to Tibet, shown transcripts of her online conversations and warned to stop her political activities.
Additional reports are being released by the Munk group and two researchers in Britain from Cambridge University who worked on part of the investigation.
The two researchers in Britain have blamed the Chinese government and are releasing an independent report soon.
“What Chinese spooks did in 2008, Russian crooks will do in 2010 and even low-budget criminals from less developed countries will follow in due course,” the Cambridge researchers, Shishir Nagaraja and Ross Anderson, wrote in their report, “The Snooping Dragon: Social Malware Surveillance of the Tibetan Movement.”
It can be difficult to perceive how such a controlled nation as China might have rogue operators working such schemes when Internet access is rather carefully monitored and controlled in China.
The break in detecting the scope of the operation and its origins was found by Mr. Villeneuve in Toronto.
In a puzzling security lapse, the Web page that Mr. Villeneuve found was not protected by a password, while much of the rest of the system uses encryption.
Mr. Villeneuve and his colleagues figured out how the operation worked by commanding it to infect a system in their computer lab in Toronto. On March 12, the spies took their own bait. Mr. Villeneuve watched a brief series of commands flicker on his computer screen as someone — presumably in China — rummaged through the files. Finding nothing of interest, the intruder soon disappeared.
With the operation still ongoing, the full scope of the phishing operation is yet to be determined.
As (DJ) John Hesling mentioned in the comments section, there is a far more in-depth article at Scribd entitled Information Warfare Monitor.
Thanks John!