Civil society must get up to speed on cyber security, watchdog warns
As states encroach on Internet governance around the world, IDRC is supporting a major new initiative that will investigate the impacts of Internet censorship in Asia.
State-sponsored attacks that block websites and shut down mobile phone networks are increasingly being used to “disrupt the work of civil society at times when their input could be critical to political or social processes,” Rafal Rohozinski told a public meeting at the International Development Research Centre (IDRC).
Well-meaning groups working in the developing world also risk endangering the very individuals and communities they seek to help if they fail to get up to speed on information security in the digital era, he says.
Rohozinski, founder of the Ottawa-based think tank SecDev Group, collaborates with a team of cyber sleuths burrowed in the Citizen Lab in the basement of the University of Toronto’s Munk Centre for International Studies. For 10 months, the researchers tracked an electronic espionage ring they dubbed GhostNet, before bringing it to light in March 2009.
Key members of the team included Citizen Lab director Ron Deibert and research fellow Nart Villeneuve, along with the SecDev Group’s Greg Walton, who conducted the India-based field testing. (They also work together on OpenNet Initiative Asia, an IDRC-funded project that is helping to build a regional network of experts in the field of Internet censorship and surveillance.)
By the time the researchers lifted the lid on GhostNet, the covert intelligence-gathering operation had compromised almost 1300 computers in 103 countries. It was active for close to two years before abruptly shutting down two days after its existence was revealed in The New York Times on March 29, 2009.
Almost one-third of the affected computers were “high-value” targets, located in foreign ministries, embassies, news organizations, international organizations, and NGOs. They included the offices of the Dalai Lama, the Russian embassy in Beijing, foreign affairs ministries in Iran and Indonesia, the Indian diplomatic service, and the Asian Development Bank. Computers were infiltrated for an average of 145 days, and for as long as 660 days.
The network’s command and control centre appears to have been based on Hainan Island in southern China, but the researchers are careful not to ascribe blame. They say they were unable to determine conclusively whether GhostNet was a government or criminal operation, or even a do-it-yourself effort by freelance hackers.
“Ultimately, the question of who is behind GhostNet may matter less than the strategic significance of the collection of affected targets,” the researchers write in their report, Tracking GhostNet: Investigating a Cyber Espionage Network. “What this study discovered is serious evidence that information security is an item requiring urgent attention at the highest levels.”
Cyber spying ‘easy and cheap’
At first glance, electronic spying might appear to be a cloak-and-dagger realm of little relevance to groups working in the field of international development. “Yet cyber security and cyber espionage have far-reaching implications for our work,” Rohozinski says.
In the past, traditional “signals intelligence” focused on intercepting communications — whether sent by telex, fax, phone, or mail — as they were in transit to their intended recipients. But the Internet has changed all that. Information can now be retrieved at source before it moves anywhere, and the cost of collecting it — using low-tech tools available to anyone — is minimal. It is now easy and cheap to vacuum up information, Rohozinski says — “and NGOs are more of a target than they were 15 years ago.”
A Rat in the honeypot
The investigators had been tracking GhostNet for nine months when Nart Villeneuve, a research fellow at the Citizen Lab, identified a 22-character string of code that was showing up repeatedly in infected computers. After punching the code into Google, he was astonished to stumble on one of the spy network’s control servers, located in China.
This discovery led the researchers to three other GhostNet servers — two in China and one at a Web-hosting company in the United States. They staked out the servers, virtually, observing all incoming and outgoing traffic, while being careful not to break privacy laws.
Then Villeneuve set a trap. A “honeypot” computer, isolated from the researchers’ own network, could allow them to witness GhostNet’s functioning up close. The attacker(s) took the bait and infected the honeypot with a Rat — a “remote administration tool.”
A Rat is a kind of malicious software, or malware, that gives an external user full control over a computer. It can lift documents off a targeted computer, turn its Webcam on and off, or record audio using its built-in microphone.
“It can also use your Outlook email box to send legitimate messages from your account to another legitimate user, so it’s undetectable as malware,” says GhostNet investigator Rafal Rohozinski. “And it can steal data. We were able to view in real time a sensitive document that was selected, grabbed, and carried off the computer.”
Kelly Haggart is a senior writer at IDRC.