Chengdu’s Spy Network

An elite gang of hackers based out of Chengdu accessed a year's worth of e-mail from the Dalai Lama, sensitive documents from the Indian Government, and broke into consulates, companies and other organizations all over the world. This is the second time an elite university with strong government ties has been implicated in cyber-espionage. The Chinese government denies knowledge of the gang, but all fingers point to the one who stands to gain the most.

Shadows in the Cloud

A report released Monday by the Munk School of Global Affairs at the University of Toronto, called Shadows in the Cloud (pdf), implicates a spy network called GhostNet based out of Chengdu in a year-long cyber-espionage campaign targeting Tibetans, the Dalai Lama and the Indian government. Although the authors of the report stop short of attributing the cyber-attacks to the Chinese government, the hackers’ relationship with Chengdu’s elite University of Electronic Science and Technology (UESTC) strongly points to that possibility. The report identifies one of the hackers, who goes by the alias “lost33”, as a possible apprentice to Glacier, the “Godfather of the Chinese Trojan” and a former student of the university. Tracing his IP address confirmed his presence in Chengdu. Security agencies across the world are now focused on this gang of hackers, who operate out of the city we live in. From Shadows in the Cloud:

“The Dark Visitor was able to determine this individual has connections to the forums of Xfocus and Isbase (the Green Army), NSfocus and Eviloctal, as well as connections to the hackers Glacier and Sunwear. He was born on July 24, 1982, lives in Chengdu, Sichuan, and attended the University of Electronic Science and Technology of China, which is also located in Chengdu,” the report states. “Our investigation also indicated strong links to Chengdu, Sichuan. The attacker used Yahoo! Mail accounts as command and control servers, from which the attacker sent emails containing new malware to the already compromised targets. All of the IP addresses the attacker used when sending these emails are located in Chengdu, Sichuan.”

The Dark Visitor, a blog that focuses on Chinese hackers, claims in a recent post that they had a conversation (via QQ) with the hacker who goes by lost33.

History of Government Involvement

ChengduLiving recently spoke with a graduate of UESTC currently working in the information systems industry and, according to him, the PLA holds annual recruiting sessions targeting students with expertise in computer security. The graduate, who refused to be named for this story, knows former classmates who work for the government but are required to keep the work they do secret.

“When I was at school, PLA recruiters tried to draft many of us,” said the graduate. “Anyone who agrees has to lead a double life; one which is normal and the other as an agent for the military. They are not allowed to talk to their friends, their spouses or anyone else about what they do.”

UESTC was founded in 1956 as the Chengdu Institute of Radio Engineering and became the UESTC after parts of the electronics divisions of Shanghai Jiaotong University (also implicated in cyber-espionage), Southeast University and South China University of Technology combined to form a new institution. Since its founding in the late 1950s, the university has played a huge role in China’s high-tech development. Alumni include the CEO of China Unicom, the Chairman of Huawei, the director of China’s spacecraft command center and now one of the world’s most infamous hackers, lost33.

Figure: A geographical display of the regions affected, red indicating the most activity. Included in Shadows in the Cloud (pdf).

Mao’s Inland Migration

During and after WWII, Chairman Mao moved the vast bulk of China’s high-tech and sensitive equipment inland to avoid damage from enemy attacks. Sichuan, and especially Chengdu, became the center for China’s electronics, aeronautics, space and information technologies. Chinese and Pakistani scientists jointly developed a new fighter jet here, the Jian-10 Multirole Fighter, and China’s first forays into space flight took off from Xichang, in southern Sichuan. The development of these technologies drew heavily on UESTC’s world-class programs and graduates. The decisions by international tech giants such as Intel, Alcatel and Symantec to set up research facilities in Chengdu were also influenced by the large pool of accessible talent. UESTC’s core discipline, electronic information science and technology, is a key national program and receives direct funding and support from the Ministry of Education.

According to the report, GhostNet’s links to underground hacker networks and UESTC are undeniable, but any relationship between GhostNet and the PLA is and will probably remain unclear:

“The infrastructure of this particular network is tied to individuals in Chengdu, Sichuan. At least one of these individuals has ties to the underground hacking community in the PRC and to the University of Electronic Science and Technology of China in Chengdu. Interestingly, when the Honker Union of China, one of the largest hacking groups in the PRC, was re-established in 2005, its new leader was a student at the University of Electronic Science and Technology in Chengdu. Chengdu is also the location of one of the People’s Liberation Army (PLA)’s technical reconnaissance bureaus tasked with signals intelligence collection. While it would be disingenuous to ignore these correlations entirely, they are loose at best and certainly do not meet the requirements of determining motivation and attribution. However, the links between the command and control infrastructure and individuals in the PRC provide a variety of scenarios that point toward attribution.”

Targeting Tibet and India

Figure: A chart of compromised computers, by country.

The hackers focused primarily on computers and documents belonging to Tibetans-in-exile and Indian government officials. A year’s worth of correspondence was stolen from the Dalai Lama, and classified information regarding Indian missile systems and visa applications for Afghanistan was also stolen. Targeting the Dalai Lama seems natural enough for the Chinese government and for any patriotic Chinese hacker interested in gaining money or notoriety. The Dalai Lama is aging and both sides are gearing up for a transition that might lead to a further radicalization of both sides, as Peter Lee writes in the Asia Times. China also has an uneasy relationship with India, which might help to explain why the hackers focused on it.

Another Asia Times correspondent, MK Bhadrakumar, has written extensively on Sino-Indian and Sino-Pakistani relations and according to his analysis, information on Indians travelling to Afghanistan could be quite valuable. Other targets, such as foreign universities and companies, might indicate a desire to steal information regarding information security systems. Here is a list of some of the organizations targeted by the hackers, compiled by the authors of Shadows in the Cloud:

  • Honeywell, United States
  • New York University, United States
  • University of Western Ontario, Canada
  • High Commission of India, United Kingdom
  • Vytautas Magnus University, Lithuania
  • Kaunas University of Technology, Lithuania
  • National Informatics Centre, India
  • New Delhi Railway station (*railnet.gov.in), India
  • Times of India, India
  • Petro IT, (reserved123.petroitg.com), India
  • Federation of Indian Chambers of Commerce and Industry, India
  • Commission for Science and Technology for Sustainable Development in the South, Pakistan

“This looks like something the government would do,” said the graduate of UESTC we spoke to recently. “Whenever you uncover an issue like this, you have to look to see who benefits and with the information that GhostNet was stealing, who stands to benefit?”

No Hard Evidence for Government Sponsorship

So far, the Chinese government has denied any involvement with GhostNet. Ministry of Foreign Affairs spokeswoman Jiang Yu released a statement refuting any claims that the government had anything to do with the attacks, citing Chinese laws which expressly forbid “all Internet crime, including hacking.”

Figure: Shadows in the Cloud, the report filed by Canadian and US researchers.

“We did not find any hard evidence that links these attacks to the Chinese government,” said Nart Villeneuve, one of the report’s authors, at a Toronto news conference. “We’ve actually had very healthy cooperation with the Chinese computer emergency response team, who are actively working to understand what we’ve uncovered and have indicated they will work to deal with this. It’s been a very encouraging development.”

Shadows in the Cloud comes on the heels of Google’s exit from the Mainland amidst censorship issues and allegations that Chinese hackers spied on Google and associates via information experts at Shanghai’s Jiaotong University. Secretary of State Hillary Clinton and President Obama have both given speeches on the importance of Internet freedom — speeches conspicuous for not mentioning China explicitly. Regardless of whether evidence ever emerges definitively linking the PLA to GhostNet, China’s government is expected to do more than issue a statement condemning cyber-espionage. Arresting “lost33” is the very least India would like to see, but it is hard to imagine the Chinese doing anything but throwing up walls and keeping their silence when it comes to hackers and cyberspace.

Note: Thanks to Charlie for helping to research and assemble this post

17 thoughts on “Chengdu’s Spy Network”

  1. Surprise surprise, I can’t really imagine how GhostNet themselves would benefit from information about the Indian train network, but hey maybe they are planning a weekend trainspotting break in New Delhi. Anything’s possible eh?

  2. I wouldn’t call these attacks the work of hackers. Script kiddies is a more appropriate name. They target computers without the latest Windows updates or virus software en masse, infecting them with malware. They can then control them anonymously through a public source: Yahoo mail, IRC, Twitter, etc. Usually computers are targeted at random, but sometimes they will purposely try to infect computers on a specific network. Often these script kiddies have no idea how the particular attack/control software they are using works.

    For even an unskilled hacker it’s extremely easy to hide your IP on the internet. Once you have gained access to a new computer, you simply forward all your connections through that computer. Forward your connection through a few different computers on different networks in different countries and you become untraceable.

    I would hope that a graduate in computer security would be capable of a far more advanced and untraceable attack.

    • Wow that is the kind of inside point of view that we need here. Ben, what do you think about the report issued by the Munk Institute? Think they are glory riding on the back of some kids? You think this might have been the work of someone clever, using recent Chinese “espionage” as a cover?

      Could it even be as sinister as a planted story?

      do you think this has any chance of being a government sponsored operation?

      • I’m not one for conspiracy theories. I think it’s just some kids working independently trying to find some information they can sell. The Munk Institute are simply drawing attention to what has become a huge global problem by using a popular media target, China.

        These malware networks are a threat to the Internet. A malware network originating from Spain discovered last year had 12 million infected computers in it. With that kind of power you could crash any website you didn’t like, harvest credit card numbers, view personal photos and confidential email. You could even crash networks, disabling people’s internet service.

        The internet is an essential part of our lives. It’s time people started being more cautious when using it. Install some decent anti-virus software and make sure they have the latest OS and browser patches. If not, they could find themselves not only losing private and work-related data, but also unknowingly being party to an attack on other computers.

      • Hackers is a term which has had many different meanings since its first use in the 60s. There is still a lot of debate, mostly taking place on IRC, as to what the word means and to whom it should be used to refer. This Wikipedia article sheds some light on the subject: http://tinyurl.com/yb23jzp.

        Personally I believe that a hacker is someone who skilfully writes, rewrites and patches code, possibly with the intent to attack or secure a network. Script kiddies don’t fall into this definition.

  3. These Chinese people stole crucial information classified as secret and confidential. They got information out of the military centers of India and about the Naxal and Maoist movements inside India. They can’t be just script kiddies.
