Canadian Researchers Reveal the Shadowy Side of Cyber-Espionage

Stuart Freen is a JD candidate at Osgoode Hall Law School.

Earlier this month a joint team of researchers from the Information Warfare Monitor and the Shadowserver Foundation released a new report entitled Shadows in the Cloud. The report details a complex cyber-espionage network operating out of China which has compromised computers and stolen hundreds of files from targets including the Indian government, the Tibetan Government-in-Exile and the Office of the Dalai Lama. More sophisticated than your average hackers, the report reveals how one particular group of anonymous cyber-criminals targeted, hacked, and infiltrated government agencies by exploiting security holes in common software applications and using free social networking services like Facebook, Twitter and Yahoo Mail.

The Shadows report comes a year after the same team released the Tracking GhostNet report which uncovered cyber-espionage activities against the Tibetan government. In many respects Shadows in the Cloud can be considered a continuation of the work started in GhostNet, though it focuses on a different group of hackers with new and updated techniques. Among the authors is Ron Deibert, who recently spoke about cyber warfare at the IP Osgoode/Nathanson Centre Workshop on Media Suppression (watch a video of his presentation here). The report has garnered a fair amount of media attention, perhaps due in part to increased public awareness of cyber-espionage following the Chinese attacks on Google servers in December 2009.

Shadows in the Cloud reveals how Chinese hackers were able to target and compromise numerous computers belonging to nearby governments, with India bearing the brunt of the attacks. While the report is careful not to jump to conclusions regarding the involvement of the Chinese government, it notes the inter-related nature of government, organized crime and the public in some parts of the country. Targets were typically tricked via email or social networking sites into opening infected PDF or Microsoft Office files which would load malicious programs onto their computers. From there, the compromised computers were remotely instructed to upload sensitive documents to online repositories. Notably, the hackers made use of free web services like Twitter and Yahoo Mail to both issue commands to compromised computers and to receive uploaded files.

While many of the techniques used by the cyber-spies were not new and the actual scope of the espionage was fairly small, what is notable is the targeted approach the hackers took to gathering sensitive government documents. The report notes several specific instances where secret or classified documents were successfully “exfiltrated” from compromised computers. As opposed to the broad, scattered approach taken by traditional hackers who are mostly interested in extracting user passwords and causing havoc, this network was apparently focused on certain government agencies. The report suggests that hacking groups are, for whatever reason, moving from traditional areas of cyber-crime into political espionage.

Reading the report, one is struck by the shadowy and anonymous nature of the hacking community. At only one part of the report is an attacker actually traced back to a real person (who happened to be a university student in Chengdu). As with any illegal activity, the actual scope of cyber-espionage remains a mystery. Similarly, the actual motivations behind the spying remain unclear. It’s hard to tell whether the network the team uncovered is a small part of a larger government program, or simply a bunch of patriotic students with too much time on their hands. Nevertheless, the report provides a thorough and technical view into the workings of this particular network, and raises some important concerns regarding the militarization of the internet and the emergence of cyber-espionage.