Chengdu’s Spy Network
An elite gang of hackers based in Chengdu accessed a year's worth of e-mail from the Dalai Lama, took sensitive documents from the Indian government and broke into consulates, companies and other organizations all over the world. This is the second time an elite university with strong government ties has been implicated in cyber-espionage. The Chinese government denies knowledge of the gang, but all fingers point to the one who stands to gain the most.
Shadows in the Cloud
A report released Monday by the Munk School of Global Affairs at the University of Toronto, called Shadows in the Cloud (pdf), implicates a spy network called GhostNet based in Chengdu in a year-long cyber-espionage campaign targeting Tibetans, the Dalai Lama and the Indian government. Although the authors of the report stop short of attributing the attacks to the Chinese government, the hackers’ relationship with Chengdu’s elite University of Electronic Science and Technology of China (UESTC) strongly points to that possibility. The report identifies one of the hackers, who goes by the alias “lost33”, as a possible apprentice of Glacier, the “Godfather of the Chinese Trojan” and a former student of the university. Tracing his IP address confirmed his presence in Chengdu. Security agencies across the world are now focused on this gang of hackers, who operate out of the city we live in. From Shadows in the Cloud:
“The Dark Visitor was able to determine this individual has connections to the forums of Xfocus and Isbase (the Green Army), NSfocus and Eviloctal, as well as connections to the hackers Glacier and Sunwear. He was born on July 24, 1982, lives in Chengdu, Sichuan, and attended the University of Electronic Science and Technology of China, which is also located in Chengdu,” the report states. “Our investigation also indicated strong links to Chengdu, Sichuan. The attacker used Yahoo! Mail accounts as command and control servers, from which the attacker sent emails containing new malware to the already compromised targets. All of the IP addresses the attacker used when sending these emails are located in Chengdu, Sichuan.”
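The attribution step the report describes above, reading the operator's own IP addresses off the e-mails sent from the Yahoo! Mail command-and-control accounts, comes down to parsing mail headers and checking the client address against netblocks of interest. The Python below is an added example, not code from the report or its authors. It assumes the webmail provider inserts an X-Originating-IP header carrying the address of the browser that composed the message, as the major providers did at the time, and falls back to the earliest hop in the Received chain. The sample message, the header layout and the watch list are constructed for the example (RFC 5737 documentation addresses stand in for the Chengdu allocations the report traced; the real ranges are not given on this page).

```python
import email
import ipaddress
import re
from email import policy

# Constructed sample: a message relayed through a webmail provider, as an
# analyst would see it in a victim's mailbox. All addresses are RFC 5737
# documentation or RFC 1918 ranges, not real infrastructure.
SAMPLE_MESSAGE = """\
Received: from mail.example.net ([198.51.100.7]) by mx.target.example
    with ESMTP id abc123; Mon, 5 Apr 2010 09:12:33 +0000
Received: from [10.0.0.5] by webmail.example.net via HTTP;
    Mon, 05 Apr 2010 02:12:30 -0700
X-Originating-IP: [203.0.113.45]
From: sender@example.net
To: victim@target.example
Subject: updated document
Message-ID: <constructed-1@example.net>

please see attached
"""

# Hypothetical watch list of netblocks an analyst has tied to the campaign
# (an assumption for this example; the real allocations are not on the page).
WATCHLIST = {
    "203.0.113.0/24": "netblock A (stand-in for a Chengdu allocation)",
    "192.0.2.0/24": "netblock B",
}

# Ranges that can never be the operator's public address: they appear in
# Received headers as the provider's internal hops and must be ignored.
INTERNAL = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]

IPV4_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")


def _public_ip(text):
    """Return an IPv4Address if text is a routable address, else None."""
    try:
        ip = ipaddress.ip_address(text)
    except ValueError:
        return None
    if any(ip in net for net in INTERNAL):
        return None
    return ip


def originating_ips(raw_message):
    """Candidate client addresses as (header, ip) pairs, most useful first.

    X-Originating-IP is set by the provider to the composing client's
    address, so it is listed first. Received headers are read bottom-up
    (earliest hop first); the topmost ones were added by the recipient's
    own MTAs and describe the provider, not the operator.
    """
    msg = email.message_from_string(raw_message, policy=policy.default)
    found = []

    for value in msg.get_all("X-Originating-IP", []):
        for m in IPV4_RE.findall(str(value)):
            ip = _public_ip(m)
            if ip:
                found.append(("X-Originating-IP", str(ip)))

    for value in reversed(msg.get_all("Received", [])):
        # Only the "from ..." clause names the previous hop; the "by" host
        # is the receiving server, so cut the value there before matching.
        unfolded = " ".join(str(value).split())
        from_clause = re.split(r"\s+by\s+", unfolded, maxsplit=1)[0]
        for m in IPV4_RE.findall(from_clause):
            ip = _public_ip(m)
            if ip:
                found.append(("Received", str(ip)))

    seen, ordered = set(), []          # deduplicate, keep order
    for entry in found:
        if entry[1] not in seen:
            seen.add(entry[1])
            ordered.append(entry)
    return ordered


def watchlist_hits(raw_message, watchlist=WATCHLIST):
    """Map each originating address to the watch-list netblock containing it."""
    nets = {ipaddress.ip_network(c): label for c, label in watchlist.items()}
    hits = []
    for header, ip_text in originating_ips(raw_message):
        ip = ipaddress.ip_address(ip_text)
        for net, label in nets.items():
            if ip in net:
                hits.append({"header": header, "ip": ip_text,
                             "netblock": str(net), "label": label})
    return hits


if __name__ == "__main__":
    for hit in watchlist_hits(SAMPLE_MESSAGE):
        print(hit)
```

Two checks apply before trusting such a hit. The X-Originating-IP header only means something if the message actually passed through the provider; a sender delivering straight to the victim's MX can write any value it likes, which is why the Received chain is kept as a second source. And a consistent source netblock establishes where the operator's connection terminates, not who is sitting behind it, which is exactly the gap between correlation and attribution that the report itself draws.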
History of Government Involvement
ChengduLiving recently spoke with a graduate of UESTC who now works in the information systems industry; according to him, the PLA holds annual recruiting sessions targeting students with expertise in computer security. The graduate, who asked not to be named for this story, knows former classmates who work for the government but are required to keep the nature of their work secret.
“When I was at school, PLA recruiters tried to draft many of us,” said the graduate. “Anyone who agrees has to lead a double life; one which is normal and the other as an agent for the military. They are not allowed to talk to their friends, their spouses or anyone else about what they do.”
UESTC was founded in 1956 as the Chengdu Institute of Radio Engineering, formed by combining parts of the electronics divisions of Shanghai Jiaotong University (also implicated in cyber-espionage), Southeast University and South China University of Technology into a new institution, and was later renamed the University of Electronic Science and Technology of China. Since its founding, the university has played a huge role in China’s high-tech development. Alumni include the CEO of China Unicom, the chairman of Huawei, the director of China’s spacecraft command center and now one of the world’s most infamous hackers, lost33.
Mao’s Inland Migration
During and after WWII, Chairman Mao moved the vast bulk of China’s high-tech and sensitive equipment inland to avoid damage from enemy attacks. Sichuan, and especially Chengdu, became the center of China’s electronics, aeronautics, space and information technologies. Sino-Pakistani teams of scientists developed a new fighter jet here, the Jian-10 multirole fighter, and China’s first forays into space flight took off from Xichang, in southern Sichuan. The development of these technologies drew heavily on UESTC’s world-class programs and graduates. The decisions by international tech giants such as Intel, Alcatel and Symantec to set up research facilities in Chengdu were also influenced by the large pool of accessible talent. UESTC’s core discipline, electronic information science and technology, is a key national program and receives direct funding and support from the Ministry of Education.
According to the report, GhostNet’s links to underground hacker networks and UESTC are undeniable, but any relationship between GhostNet and the PLA is and will probably remain unclear:
“The infrastructure of this particular network is tied to individuals in Chengdu, Sichuan. At least one of these individuals has ties to the underground hacking community in the PRC and to the University of Electronic Science and Technology of China in Chengdu. Interestingly, when the Honker Union of China, one of the largest hacking groups in the PRC, was re-established in 2005, its new leader was a student at the University of Electronic Science and Technology in Chengdu. Chengdu is also the location of one of the People’s Liberation Army (PLA)’s technical reconnaissance bureaus tasked with signals intelligence collection. While it would be disingenuous to ignore these correlations entirely, they are loose at best and certainly do not meet the requirements of determining motivation and attribution. However, the links between the command and control infrastructure and individuals in the PRC provide a variety of scenarios that point toward attribution.”
Targeting Tibet and India
The hackers focused primarily on computers and documents belonging to Tibetans-in-exile and Indian government officials. A year’s worth of correspondence was stolen from the Dalai Lama, and classified information on Indian missile systems and visa applications for Afghanistan was also taken. Targeting the Dalai Lama seems natural enough for the Chinese government, and for any patriotic Chinese hacker interested in money or notoriety. The Dalai Lama is aging, and both sides are gearing up for a transition that might lead to further radicalization, as Peter Lee writes in the Asia Times. China also has an uneasy relationship with India, which might help to explain why the hackers focused on it.
Another Asia Times correspondent, MK Bhadrakumar, has written extensively on Sino-Indian and Sino-Pakistani relations, and according to his analysis, information on Indians travelling to Afghanistan could be quite valuable. Other targets, such as foreign universities and companies, might indicate a desire to steal information about information-security systems. Here is a list of some of the organizations targeted by the hackers, compiled by the authors of Shadows in the Cloud:
- Honeywell, United States
- New York University, United States
- University of Western Ontario, Canada
- High Commission of India, United Kingdom
- Vytautas Magnus University, Lithuania
- Kaunas University of Technology, Lithuania
- National Informatics Centre, India
- New Delhi Railway station (*railnet.gov.in), India
- Times of India, India
- Petro IT, (reserved123.petroitg.com), India
- Federation of Indian Chambers of Commerce and Industry, India
- Commission for Science and Technology for Sustainable Development in the South, Pakistan
“This looks like something the government would do,” said the graduate of UESTC we spoke to recently. “Whenever you uncover an issue like this, you have to look to see who benefits and with the information that GhostNet was stealing, who stands to benefit?”
No Hard Evidence for Government Sponsorship
So far, the Chinese government has denied any involvement with GhostNet. Ministry of Foreign Affairs spokeswoman Jiang Yu released a statement rejecting any claim that the government had anything to do with the attacks, citing Chinese laws that expressly forbid “all Internet crime, including hacking.”
“We did not find any hard evidence that links these attacks to the Chinese government,” said Nart Villeneuve, one of the report’s authors, at a Toronto news conference. “We’ve actually had very healthy cooperation with the Chinese computer emergency response team, who are actively working to understand what we’ve uncovered and have indicated they will work to deal with this. It’s been a very encouraging development.”
Shadows in the Cloud comes on the heels of Google’s exit from the Mainland amidst censorship issues and allegations that Chinese hackers spied on Google and its associates via information experts at Shanghai’s Jiaotong University. Secretary of State Hillary Clinton and President Obama have both given speeches on the importance of Internet freedom, speeches conspicuous for not mentioning China explicitly. Regardless of whether evidence ever emerges definitively linking the PLA to GhostNet, China’s government is expected to do more than issue a statement condemning cyber-espionage. Arresting “lost33” is the very least India would like to see, but it is hard to imagine the Chinese doing anything but throwing up walls and keeping their silence when it comes to hackers and cyberspace.
Note: Thanks to Charlie for helping to research and assemble this post