Media Releases

Groundbreaking cyber espionage report to be released

April 6, 2010

TORONTO, ON – The Infor­ma­tion War­fare Mon­i­tor (Cit­i­zen Lab, Munk School of Glob­al Affairs, Uni­ver­si­ty of Toron­to and the SecDev Group, Ottawa) and the Shad­owserv­er Foun­da­tion announce today the release of Shad­ows in the Cloud: An inves­ti­ga­tion into cyber espi­onage 2.0.

The report doc­u­ments a com­plex ecosys­tem of cyber espi­onage that sys­tem­at­i­cal­ly tar­get­ed and com­pro­mised com­put­er sys­tems in India, the Offices of the Dalai Lama, the Unit­ed Nations, and sev­er­al oth­er coun­tries.

Mem­bers of the research team are hold­ing a news con­fer­ence at 11 a.m. on Tues­day, April 6, to dis­cuss their lat­est find­ings and to answer ques­tions from the media. The news con­fer­ence will be held at the Camp­bell Con­fer­ence Facil­i­ty, Munk Cen­tre for Inter­na­tion­al Stud­ies, 1 Devon­shire Place, Toron­to, (416–946-8900). The event will also be web­cast live at: http://hosting.epresence.tv/MUNK/1/live/148.aspx

A pdf of the full report can be found at: http://shadows-in-the-cloud.net/

NOTE: Reporters unable to attend the news con­fer­ence may e‑mail ques­tions dur­ing the event to media.relations@utoronto.ca. The ques­tions will be relayed to the pan­el for response.

The inves­ti­ga­tion recov­ered a large quan­ti­ty of stolen doc­u­ments – includ­ing sen­si­tive and clas­si­fied mate­ri­als – belong­ing to gov­ern­ment, busi­ness, aca­d­e­m­ic, and oth­er com­put­er net­work sys­tems and oth­er polit­i­cal­ly sen­si­tive tar­gets. These include doc­u­ments from agen­cies of the Indi­an nation­al secu­ri­ty estab­lish­ment, and the Offices of the Dalai Lama. The stolen data includ­ed infor­ma­tion vol­un­tar­i­ly pro­vid­ed to Indi­an embassies and con­sulates by third-par­ty nation­als, includ­ing Cana­di­an visa appli­ca­tions, as well as those belong­ing to cit­i­zens of oth­er coun­tries. Addi­tion­al­ly, sen­si­tive per­son­al, finan­cial, and busi­ness infor­ma­tion belong­ing to Indi­an offi­cials was sys­tem­at­i­cal­ly har­vest­ed and exfil­trat­ed by the attack­ers.

The report ana­lyzes the mal­ware ecosys­tem employed by the Shad­ows’ attack­ers. The sys­tem lever­aged mul­ti­ple redun­dant cloud com­put­ing sys­tems, social net­work­ing plat­forms, and free web host­ing ser­vices in order to main­tain per­sis­tent con­trol while oper­at­ing core servers locat­ed in the Peo­ple’s Repub­lic of Chi­na (PRC). Although the iden­ti­ty and moti­va­tion of the attack­ers remain unknown, the report pro­vides evi­dence that the attack­ers oper­at­ed or staged their oper­a­tions from Cheng­du, PRC. 

Sum­ma­ry of main find­ings: 

  • Com­plex cyber espi­onage net­work - Doc­u­ment­ed evi­dence of a cyber espi­onage net­work that com­pro­mised gov­ern­ment, busi­ness, and aca­d­e­m­ic com­put­er sys­tems in India, the Office of the Dalai Lama, and the Unit­ed Nations. Numer­ous oth­er insti­tu­tions, includ­ing the Embassy of Pak­istan in the Unit­ed States, were also com­pro­mised. Some of these insti­tu­tions can be pos­i­tive­ly iden­ti­fied, while oth­ers can­not. 
  • Theft of clas­si­fied and sen­si­tive doc­u­ments - Recov­ery and analy­sis of exfil­trat­ed data, includ­ing one doc­u­ment that appears to be encrypt­ed diplo­mat­ic cor­re­spon­dence, two doc­u­ments marked “SECRET”, six as “RESTRICTED”, and five as “CONFIDENTIAL”. These doc­u­ments are iden­ti­fied as belong­ing to the Indi­an gov­ern­ment. How­ev­er, we do not have direct evi­dence that they were stolen from Indi­an gov­ern­ment com­put­ers and they may have been com­pro­mised as a result of being copied by Indi­an offi­cials onto per­son­al com­put­ers. The recov­ered doc­u­ments also include 1,500 let­ters sent from the Dalai Lama’s office between Jan­u­ary and Novem­ber 2009. The pro­file of doc­u­ments recov­ered sug­gests that the attack­ers tar­get­ed spe­cif­ic sys­tems and pro­files of users. 
  • Evi­dence of Col­lat­er­al Com­pro­mise -  A por­tion of the recov­ered data includ­ed visa appli­ca­tions sub­mit­ted to Indi­an diplo­mat­ic mis­sions in Afghanistan. This data was vol­un­tar­i­ly pro­vid­ed to the Indi­an mis­sions by nation­als of 13 coun­tries as part of the reg­u­lar visa appli­ca­tion process. In a con­text like Afghanistan, this find­ing points to the com­plex nature of  the infor­ma­tion secu­ri­ty chal­lenge where risks to indi­vid­u­als (or oper­a­tional secu­ri­ty) can occur as a result of a data com­pro­mise on secure sys­tems oper­at­ed by trust­ed part­ners. 
  • Com­mand-and-con­trol infra­struc­ture that lever­ages cloud-based social media ser­vices —  Doc­u­men­ta­tion of a com­plex and tiered com­mand and con­trol infra­struc­ture, designed to main­tain per­sis­tence. The infra­struc­ture made use of freely avail­able social media sys­tems that include Twit­ter, Google Groups, Blogspot, Baidu Blogs, blog.com and Yahoo! Mail. This top lay­er direct­ed com­pro­mised com­put­ers to accounts on free web host­ing ser­vices, and as the free host­ing servers were dis­abled, to a sta­ble core of com­mand and con­trol servers locat­ed in the PRC. 
  • Links to Chi­nese hack­ing com­mu­ni­ty - Evi­dence of links between the Shad­ow net­work and two indi­vid­u­als liv­ing in Cheng­du, PRC to the under­ground hack­ing com­mu­ni­ty in the PRC.

About the Researcher Col­lab­o­ra­tion:

This inves­ti­ga­tion is a result of a col­lab­o­ra­tion between the Infor­ma­tion War­fare Mon­i­tor and the Shad­owserv­er Foun­da­tion. The Infor­ma­tion War­fare Mon­i­tor (infowar-monitor.net) is a joint activ­i­ty of the Cit­i­zen Lab, Munk School of Glob­al Affairs, Uni­ver­si­ty of Toron­to, and the SecDev Group, an oper­a­tional con­sul­tan­cy based in Ottawa spe­cial­iz­ing in evi­dence-based research in coun­tries and regions under threat of inse­cu­ri­ty and vio­lence. The Shad­owserv­er Foun­da­tion (shadowserver.org) was estab­lished in 2004 and is com­prised of vol­un­teer secu­ri­ty pro­fes­sion­als that inves­ti­gate and mon­i­tor mal­ware, bot­nets, and mali­cious attacks. Both the Infor­ma­tion War­fare Mon­i­tor and the Shad­owserv­er Foun­da­tion aim to inform the field of cyber secu­ri­ty through accu­rate, evi­dence-based assess­ments and inves­ti­ga­tions

Prin­ci­pal Inves­ti­ga­tors’ Bio and Com­ments:

Steven Adair is a secu­ri­ty researcher with the Shad­owserv­er Foun­da­tion. He fre­quent­ly ana­lyzes mal­ware, tracks bot­nets, and deals with cyber attacks of all kinds with a spe­cial empha­sis on those linked to cyber espi­onage.

“This report is a fas­ci­nat­ing look at the activ­i­ties of indi­vid­u­als involved in cyber espi­onage. It is unfor­tu­nate­ly just a small piece of a very big pie. This is a prob­lem that goes well beyond those detailed in this report and affects orga­ni­za­tions and mis­sions of all sizes all over the globe.”

Ron Deib­ert is Direc­tor of the Cit­i­zen Lab at the Munk School of Glob­al Affairs, Uni­ver­si­ty of Toron­to. He is a co-founder and prin­ci­pal inves­ti­ga­tor of the Open­Net Ini­tia­tive and Infor­ma­tion War­fare Mon­i­tor. He is Vice Pres­i­dent, Pol­i­cy and Out­reach, Psiphon Inc., and a prin­ci­pal with the SecDev Group.

“It is often said that dark clouds have sil­ver lin­ings. What the Shad­ow report shows is that the social media clouds of cyber­space we rely upon today have a dark, hid­den core.  There is a vast, sub­ter­ranean ecosys­tem to cyber­space with­in which crim­i­nal and espi­onage net­works thrive. The Shad­ow net­work we uncov­ered was able to reach into the upper ech­e­lon of the Indi­an nation­al secu­ri­ty estab­lish­ment, as well as many oth­er insti­tu­tions, and extract sen­si­tive infor­ma­tion from unwit­ting vic­tims. Net­works such as these thrive because of a vac­u­um at the glob­al lev­el. Gov­ern­ments are engaged in a com­pet­i­tive arms race in cyber­space, which pre­vents coop­er­a­tion on glob­al cyber secu­ri­ty. For its part, the Cana­di­an gov­ern­ment has nei­ther a domes­tic cyber secu­ri­ty strat­e­gy nor a for­eign pol­i­cy for cyber­space. The Shad­ow report should offer a wake­up call that rec­ti­fies this sit­u­a­tion, or we may find that we are the next vic­tim of the Shad­ows and Ghost­Nets of cyber­space.”

Rafal Rohozin­s­ki is CEO of the SecDev Group and Psiphon Inc. He is a co-founder and prin­ci­pal inves­ti­ga­tor of the Open­Net Ini­tia­tive and Infor­ma­tion War­fare Mon­i­tor, and a senior research advi­sor at the Cit­i­zen Lab, Munk School of Glob­al Affairs, Uni­ver­si­ty of Toron­to.

“Cyber espi­onage has gone indus­tri­al. We are wit­ness­ing cloud-based tech­niques and trade­craft from cyber­crime being repur­posed to tar­get gov­ern­ment sys­tems and com­put­ers belong­ing to offi­cials entrust­ed with state or com­mer­cial secrets. Whether the attack­ers are work­ing for state agen­cies, or free­lanc­ing and sell­ing stolen data or trade­craft on the glob­al gray­mar­ket —   this report is a clear wake-up call that the threat of advanced per­sis­tent threats is very real and requires mea­sured inter­na­tion­al action. First and fore­most, we need  an agree­ment on the norms that should gov­ern cyber­space sim­i­lar to the treaties we present­ly have for out­er space, the sea or oth­er domains where we have inter­na­tion­al agree­ments. We must take care to pre­serve the open­ness of the glob­al com­mons with­out pre­cip­i­tat­ing an over­re­ac­tion that could dimin­ish or even roll back the very real gains in knowl­edge, empow­er­ment, and to democ­ra­ti­za­tion that cyber­space has cat­alyzed over the last 20 years. We must bal­ance the need to cre­ate poli­cies and prac­tices appro­pri­ate to infor­ma­tion secu­ri­ty in a glob­al net­worked age, while pre­vent­ing unnec­es­sary over­re­ac­tion to what we fear as the dark side of the net.”

Nart Vil­leneuve is the Chief Secu­ri­ty Offi­cer at the SecDev Group, Direc­tor of Oper­a­tions of Psiphon Inc. and a senior SecDev research fel­low at the Cit­i­zen Lab at the Munk School of Glob­al Affairs, Uni­ver­si­ty of Toron­to where he focus­es on elec­tron­ic sur­veil­lance, tar­get­ed mal­ware and polit­i­cal­ly moti­vat­ed dig­i­tal attacks.

“There is no direct evi­dence link­ing these attacks to the Chi­nese gov­ern­ment. We look for­ward to work­ing with Chi­na CERT to shut down this mal­ware net­work.”

Greg Wal­ton con­duct­ed and coor­di­nat­ed the pri­ma­ry field-based research for the Shad­ow inves­ti­ga­tion in His Holi­ness The Dalai Lama’s Office and the Tibetan Gov­ern­ment-in-Exile in Dharam­sala, India. Greg is a SecDev Group asso­ciate and edi­tor of the Infor­ma­tion War­fare Mon­i­tor web­site. He is the SecDev Fel­low at the Cit­i­zen Lab at the Munk School of Glob­al Affairs, Uni­ver­si­ty of Toron­to.

-30– 

For more infor­ma­tion, please con­tact:

Uni­ver­si­ty of Toron­to media rela­tions
416–978-0100
media.relations@utoronto.ca