Update: Researchers track cyber-espionage ring to China
'Shadow' network detailed in report Tuesday by the Information Warfare Monitor
IDG News Service - Researchers in the U.S. and Canada have tracked and documented a sophisticated cyber-espionage network based in China, dubbed Shadow, that targeted computers in several countries, including systems belonging to the Indian government and military.
The Shadow network of compromised computers was detailed in a report released Tuesday by the Information Warfare Monitor -- a project involving researchers at the University of Toronto's Munk Center for International Studies and The SecDev Group -- and the Shadowserver Foundation. Information Warfare Monitor is the group that uncovered and documented GhostNet, a similar cyber-espionage ring, last year.
The release of the latest report, which details the scope of the Shadow network and discusses some of the Indian government documents that were stolen, was first covered by The New York Times.
"We were able to document another network of compromised government, business, and academic computer systems in India, the Office of the Dalai Lama, and the United Nations as well as numerous other institutions, including the Embassy of Pakistan in the United States," wrote Nart Villeneuve, the SecDev's chief research officer and a research fellow at the Citizen Lab at the University of Toronto's Munk Center for International Studies, in a blog post.
Shadow is the latest example of cyber-espionage efforts linked to China. Others include attacks on Google's Gmail system that ultimately led the company to close the censored search engine it built for China. Like other such networks, such as GhostNet, targeted malware is believed to have allowed the attackers to compromise specific computer systems.
The cyber-espionage ring behind the Shadow network, which was traced to Chengdu, in China's Sichuan province, used social media and blogs to control computers they had compromised using malware.
"In total, we found three Twitter accounts, five Yahoo Mail accounts, 12 Google Groups, eight Blogspot blogs, nine Baidu blogs, one Google Sites and 16 blogs on blog.com that were being used as part of the attacker's infrastructure," the report said, noting that those services were being misused but were not compromised.
The attackers used those services to circumvent security systems that might otherwise have blocked their access to compromised computers.
"The use of social networking platforms, blogs and other services offered by trusted companies allows the attackers to maintain control of compromised computers even if direct connections to the command and control servers are blocked at the firewall level," it said.
The primary focus of the attackers appears to be the Indian government.
The "vast majority" of the 44 compromised computers identified by the researchers are either in India or belong to Indian government and military organizations, the report said, citing an analysis of stolen documents recovered from the Shadow network.
"Having reported this incident to the China CERT -- which handles security incidents in China -- I look forward to working with them to shut down this malware network," Villeneuve said, referring to China's National Computer Network Emergency Response Technical Team (CNCERT).
But CNCERT said in a statement that it had not received any reports of a security incident from the University of Toronto, where some of the researchers behind the Shadow report are based. The reason for the contradictory statements was not immediately clear.
"During our investigation, we recovered documents that are extremely sensitive from a national security perspective as well as documents that contain sensitive information that could be exploited by an adversary for intelligence purposes," the report said.
Several documents recovered were labeled "secret," "restricted" or "confidential" and originated from India's National Security Council Secretariat and Indian embassies abroad.
In addition, the Shadow network targeted Indian academics and journalists with a "keen interest" in China, the report said, citing the recovery of stolen documents discussing Chinese military exports, Chinese policy on Taiwan and Sino-Indian relations, as well as other topics related to China.
The Shadow network also collected personal information on individuals belonging to Indian government and military organizations that could be used in future attacks, it said.
The report concludes that Shadow was controlled from China and attributes responsibility for the network to "one or more individuals with strong connections to the Chinese criminal underground." However, it didn't rule out the possibility of a connection between these individuals and the Chinese government.
"Given the often murky relationships that can exist between this underground and elements of the state, the information collected by the Shadow network may end up in the possession of some entity of the Chinese government," it said.
Owen Fletcher in Beijing contributed to this report.
- University of North Florida breach exposes data on 107,000 individuals
- Zeus Trojan bust reveals sophisticated 'money mules' operation in U.S.
- GAO slams White House for failing to lead on cybersecurity
- Man charged with attack on Web site of Fox News' Bill O'Reilly
- Heartland breach expenses pegged at $140M -- so far
- IT contractor gets five years for $2M credit union theft
- Democracy would suffer if Google left China, says MIT panel
- Gonzalez accomplice gets five years for hacking TJX
- Threat of cyberattacks from overseas high, federal IT execs say
- Botnets 'the Swiss Army knife of attack tools'
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts