Groundbreaking Cyber Espionage Report Released
A cyber espionage report titled Shadows in the Cloud: An investigation into cyber espionage 2.0 documents a complex ecosystem that systematically targeted and compromised computer systems in India, the Offices of the Dalai Lama, the United Nations, and several other countries. Jointly released by The Information Warfare Monitor (Citizen Lab, Munk School of Global Affairs, University of Toronto and the SecDev Group, Ottawa) and the Shadowserver Foundation, members of the research team held a news conference April 6, 2010, to discuss their latest findings.
The report analyzes the malware ecosystem employed by the Shadows’ attackers. The system leveraged multiple redundant cloud computing systems, social networking platforms and free Web hosting services in order to maintain persistent control while operating core servers located in the People’s Republic of China (PRC). Although the identity and motivation of the attackers remain unknown, the report provides evidence that the attackers operated or staged their operations from Chengdu, PRC.
The investigation recovered a large quantity of stolen documents — including sensitive and classified materials — belonging to government, business, academic and other computer network systems and other politically sensitive targets. These include documents from agencies of the Indian national security establishment and the Offices of the Dalai Lama. The stolen data included information voluntarily provided to Indian embassies and consulates by third-party nationals, including Canadian visa applications, as well as those belonging to citizens of other countries. Additionally, sensitive personal, financial, and business information belonging to Indian officials was systematically harvested and exfiltated by the attackers.
• Complex cyber espionage network — Documented evidence of a cyber espionage network that compromised government, business and academic computer systems in India, the Office of the Dalai Lama, and the United Nations. Numerous other institutions, including the Embassy of Pakistan in the United States, also were compromised. Some of these institutions can be positively identified, while others cannot.
• Theft of classified and sensitive documents — Recovery and analysis of exfiltrated data, including one document that appears to be encrypted diplomatic correspondence, two documents marked “SECRET,” six as “RESTRICTED” and five as “CONFIDENTIAL.” These documents are identified as belonging to the Indian government. However, the researchers do not have direct evidence that they were stolen from Indian government computers, and they may have been compromised as a result of being copied by Indian officials onto personal computers. The recovered documents also include 1,500 letters sent from the Dalai Lama’s office between January and November 2009. The profile of documents recovered suggests that the attackers targeted specific systems and profiles of users.
• Evidence of Collateral Compromise — A portion of the recovered data included visa applications submitted to Indian diplomatic missions in Afghanistan. This data was voluntarily provided to the Indian missions by nationals of 13 countries as part of the regular visa application process. In a context like Afghanistan, this finding points to the complex nature of the information security challenge where risks to individuals (or operational security) can occur as a result of a data compromise on secure systems operated by trusted partners.
• Command-and-control infrastructure that leverages cloud-based social media services — Documentation of a complex and tiered command and control infrastructure, designed to maintain persistence. The infrastructure made use of freely available social media systems that include Twitter, Google Groups, Blogspot, Baidu Blogs, blog.com and Yahoo! Mail. This top layer directed compromised computers to accounts on free Web hosting services and, as the free hosting servers were disabled, to a stable core of command and control servers located in the PRC.
• Links to Chinese hacking community — Evidence of links between the Shadow network and two individuals living in Chengdu, PRC to the underground hacking community in the PRC.
This investigation is a result of a collaboration between the Information Warfare Monitor and the Shadowserver Foundation. The Information Warfare Monitor is a joint activity of the Citizen Lab, Munk School of Global Affairs, University of Toronto, and the SecDev Group, an operational consultancy based in Ottawa specializing in evidence-based research in countries and regions under threat of insecurity and violence. The Shadowserver Foundation was established in 2004 and is comprised of volunteer security professionals who investigate and monitor malware, botnets and malicious attacks. Both the Information Warfare Monitor and the Shadowserver Foundation aim to inform the field of cyber security through accurate, evidence-based assessments and investigations.
• Steven Adair is a security researcher with the Shadowserver Foundation. He frequently analyzes malware, tracks botnets and deals with cyber attacks of all kinds with a special emphasis on those linked to cyber espionage.
• Ron Deibert is Director of the Citizen Lab at the Munk School of Global Affairs, University of Toronto. He is a co-founder and principal investigator of the OpenNet Initiative and Information Warfare Monitor. He is Vice President, Policy and Outreach, Psiphon, and a principal with the SecDev Group.
• Rafal Rohozinski is CEO of the SecDev Group and Psiphon. He is a co-founder and principal investigator of the OpenNet Initiative and Information Warfare Monitor, and a senior research advisor at the Citizen Lab, Munk School of Global Affairs, University of Toronto.
• Nart Villeneuve is the Chief Security Officer at the SecDev Group, Director of Operations of Psiphon and a senior SecDev research fellow at the Citizen Lab at the Munk School of Global Affairs, University of Toronto where he focuses on electronic surveillance, targeted malware and politically motivated digital attacks.
• Greg Walton conducted and coordinated the primary field-based research for the Shadow investigation in His Holiness The Dalai Lama’s Office and the Tibetan Government-in-Exile in Dharamsala, India. Greg is a SecDev Group associate and editor of the Information Warfare Monitor Web site. He is the SecDev Fellow at the Citizen Lab at the Munk School of Global Affairs, University of Toronto.