Two eye opening reports have been published recently. Both deal with what has been termed Ghostnet which has been discovered in tracking the infiltration of Tibetan computer networks. The two reports are: ‘Tracking GhostNet’ (University of Toronto’s Munk Centre for International Studies and The SecDev Group) and ‘The Snooping Dragon: social-malware surveillance of the Tibetan movement’ (University of Cambridge Computer Laboratory) – see the end of this post for a copy of this report.
The reports bring to light just how simply computer networks may be compromised and just how much damage may be done by such attacks. Neither reports are able to identify the originators of GhostNet but both name the Chinese Government as the potential aggressors. Potentially even more worrying than governments being involved in the espionage and information gathering activities is the possibility that the attacks were profit motivated by individuals (i.e. criminals ‘stealing’ the information and selling this competitive intelligence to competing organizations or even being hired to attain the information).
The simplicity with which the Office of His Holiness the Dalai Lama (OHHDL) computer network was infiltrated is almost too simple to be true (this is not a specific criticism of the OHHDL as many computer networks are said to be just as vulnerable); the OHHDL was using unencrypted passwords and often common words as found in a dictionary as a password. The hacker/s accessed an OHHDL email server using one of the attained passwords and intercepted an email with a doc (Microsoft Word Document) or PDF attachment. A script was inserted into the attachment and the message sent to the originally intended recipient. The recipient would have been unaware that the email message had been intercepted and tampered with and would have opened the attached doc or PDF file. Opening the file would have run the damaging script which would unknowingly have then been transmitted by email to other recipients. The script prompted a background download of Trojan software called gh0st RAT. With gh0st RAT the external party (hackers) would have been able to access files on the computer as well as record conversations (if a microphone was present on the computer) and even activate a webcam….all without the knowledge of the computer user.
As the Cambridge report makes evident, even with encrypted email and passwords, the hackers would still have found a means of accessing the OHHDL network. The potential damage caused by such an intrusion could be enormous and devastating for both organizations and even countries. Two sentences in the Cambridge Report sum up the severity of the findings; ‘the best practice that one sees in the corporate sector comes nowhere even close to preventing such an attack’ and ‘in short, we predict that the criminals who adapt social malware to fraud will enjoy many years of rich pickings. Indeed, if either of us were inclined to crime, this would be what we’d go for’.