Groundbreaking cyber espionage report released; Identifies Dalai Lama as target

The report documents a complex ecosystem of cyber espionage that systematically targeted and compromised computer systems in India, the Offices of the Dalai Lama, the United Nations, and several other countries.

Members of the research team held a news conference on April 6, to discuss their latest findings and to answer questions from the media.

The investigation recovered a large quantity of stolen documents -- including sensitive and classified materials -- belonging to government, business, academic, and other computer network systems and other politically sensitive targets. These include documents from agencies of the Indian national security establishment, and the Offices of the Dalai Lama. The stolen data included information voluntarily provided to Indian embassies and consulates by third-party nationals, including Canadian visa applications, as well as those belonging to citizens of other countries. Additionally, sensitive personal, financial, and business information belonging to Indian officials was systematically harvested and exfiltated by the attackers.

The report analyzes the malware ecosystem employed by the Shadows' attackers. The system leveraged multiple redundant cloud computing systems, social networking platforms, and free web hosting services in order to maintain persistent control while operating core servers located in the People's Republic of China (PRC). Although the identity and motivation of the attackers remain unknown, the report provides evidence that the attackers operated or staged their operations from Chengdu, PRC.

Summary of main findings:

• Complex cyber espionage network -- Documented evidence of a cyber espionage network that compromised government, business, and academic computer systems in India, the Office of the Dalai Lama, and the United Nations. Numerous other institutions, including the Embassy of Pakistan in the United States, were also compromised. Some of these institutions can be positively identified, while others cannot.
• Theft of classified and sensitive documents -- Recovery and analysis of exfiltrated data, including one document that appears to be encrypted diplomatic correspondence, two documents marked "SECRET," six as "RESTRICTED," and five as "CONFIDENTIAL." These documents are identified as belonging to the Indian government. However, we do not have direct evidence that they were stolen from Indian government computers and they may have been compromised as a result of being copied by Indian officials onto personal computers. The recovered documents also include 1,500 letters sent from the Dalai Lama's office between January and November 2009. The profile of documents recovered suggests that the attackers targeted specific systems and profiles of users.
• Evidence of Collateral Compromise -- A portion of the recovered data included visa applications submitted to Indian diplomatic missions in Afghanistan. This data was voluntarily provided to the Indian missions by nationals of 13 countries as part of the regular visa application process. In a context like Afghanistan, this finding points to the complex nature of the information security challenge where risks to individuals (or operational security) can occur as a result of a data compromise on secure systems operated by trusted partners.
• Command-and-control infrastructure that leverages cloud-based social media services -- Documentation of a complex and tiered command and control infrastructure, designed to maintain persistence. The infrastructure made use of freely available social media systems that include Twitter, Google Groups, Blogspot, Baidu Blogs, blog.com and Yahoo! Mail. This top layer directed compromised computers to accounts on free web hosting services, and as the free hosting servers were disabled, to a stable core of command and control servers located in the PRC.
• Links to Chinese hacking community -- Evidence of links between the Shadow network and two individuals living in Chengdu, PRC to the underground hacking community in the PRC.

About the Researcher Collaboration:

This investigation is a result of a collaboration between the Information Warfare Monitor and the Shadowserver Foundation. The Information Warfare Monitor (infowar-monitor.net) is a joint activity of the Citizen Lab, Munk School of Global Affairs, University of Toronto, and the SecDev Group, an operational consultancy based in Ottawa specialising in evidence-based research in countries and regions under threat of insecurity and violence. The Shadowserver Foundation (shadowserver.org) was established in 2004 and is comprised of volunteer security professionals that investigate and monitor malware, botnets, and malicious attacks. Both the Information Warfare Monitor and the Shadowserver Foundation aim to inform the field of cyber security through accurate, evidence-based assessments and investigations.

Principal Investigators' Bio and Comments:

Steven Adair is a security researcher with the Shadowserver Foundation. He frequently analyzes malware, tracks botnets, and deals with cyber attacks of all kinds with a special emphasis on those linked to cyber espionage.

"This report is a fascinating look at the activities of individuals involved in cyber espionage. It is unfortunately just a small piece of a very big pie. This is a problem that goes well beyond those detailed in this report and affects organizations and missions of all sizes all over the globe."

Ron Deibert is Director of the Citizen Lab at the Munk School of Global Affairs, University of Toronto. He is a co-founder and principal investigator of the OpenNet Initiative and Information Warfare Monitor. He is Vice President, Policy and Outreach, Psiphon Inc., and a principal with the SecDev Group.

"It is often said that dark clouds have silver linings. What the Shadow report shows is that the social media clouds of cyberspace we rely upon today have a dark, hidden core. There is a vast, subterranean ecosystem to cyberspace within which criminal and espionage networks thrive. The Shadow network we uncovered was able to reach into the upper echelon of the Indian national security establishment, as well as many other institutions, and extract sensitive information from unwitting victims. Networks such as these thrive because of a vacuum at the global level. Governments are engaged in a competitive arms race in cyberspace, which prevents cooperation on global cyber security. For its part, the Canadian government has neither a domestic cyber security strategy or a foreign policy for cyberspace. The Shadow report should offer a wakeup call that rectifies this situation, or we may find that we are the next victim of the Shadows and GhostNets of cyberspace."

Rafal Rohozinski is CEO of the SecDev Group and Psiphon Inc. He is a co-founder and principal investigator of the OpenNet Initiative and Information Warfare Monitor, and a senior research advisor at the Citizen Lab, Munk School of Global Affairs, University of Toronto.

"Cyber espionage has gone industrial. We are witnessing cloud-based techniques and tradecraft from cybercrime being repurposed to target government systems and computers belonging to officials entrusted with state or commercial secrets. Whether the attackers are working for state agencies, or freelancing and selling stolen data or tradecraft on the global graymarket -- this report is a clear wake-up call that the threat of advanced persistent threats is very real and requires measured international action. First and foremost, we need an agreement on the norms that should govern cyberspace similar to the treaties we presently have for outer space, the sea or other domains where we have international agreements. We must take care to preserve the openness of the global commons without precipitating an overreaction that could diminish or even roll back the very real gains in knowledge, empowerment, and to democratization that cyberspace has catalyzed over the last 20 years. We must balance the need to create policies and practices appropriate to information security in a global networked age, while preventing unnecessary overreaction to what we fear as the dark side of the net."

Nart Villeneuve is the Chief Security Officer at the SecDev Group, Director of Operations of Psiphon Inc. and a senior SecDev research fellow at the Citizen Lab at the Munk School of Global Affairs, University of Toronto where he focuses on electronic surveillance, targeted malware and politically motivated digital attacks.

"There is no direct evidence linking these attacks to the Chinese government. We look forward to working with China CERT to shut down this malware network."

Greg Walton conducted and coordinated the primary field-based research for the Shadow investigation in His Holiness The Dalai Lama's Office and the Tibetan Government-in-Exile in Dharamsala, India. Greg is a SecDev Group associate and editor of the Information Warfare Monitor website. He is the SecDev Fellow at the Citizen Lab at the Munk School of Global Affairs, University of Toronto.