Apparently China is spying on the computers of various international embassies, using malware to snatch data from their hard discs and relay it back to China.
From the pen of Charmaine Horonha.
Researchers: Cyber spies break into govt computers
A cyber spy network based mainly in China hacked into classified documents from government and private organizations in 103 countries, including the computers of the Dalai Lama and Tibetan exiles, Canadian researchers said Saturday.
The work of the Information Warfare Monitor initially focused on allegations of Chinese cyber espionage against the Tibetan community in exile, and eventually led to a much wider network of compromised machines, the Internet-based research group said.
"We uncovered real-time evidence of malware that had penetrated Tibetan computer systems, extracting sensitive documents from the private office of the Dalai Lama," investigator Greg Walton said.
The research group said that while its analysis points to China as the main source of the network, it has not been able to conclusively determine the identity or motivation of the hackers.
Calls to China's Foreign Ministry and Industry and Information Ministry rang unanswered Sunday. The Chinese Embassy in Toronto did not immediately return calls for comment Saturday.
Students For a Free Tibet activist Bhutila Karpoche said her organization's computers have been hacked into numerous times over the past four or five years, and particularly in the past year. She said she often gets e-mails that contain viruses that crash the group's computers.
The IWM is composed of researchers from Ottawa-based think tank SecDev Group and the University of Toronto's Munk Centre for International Studies. The group's initial findings led to a 10-month investigation summarized in the report to be released online Sunday.
The researchers detected a cyber espionage network involving over 1,295 compromised computers from the ministries of foreign affairs of Iran, Bangladesh, Latvia, Indonesia, Philippines, Brunei, Barbados and Bhutan. They also discovered hacked systems in the embassies of India, South Korea, Indonesia, Romania, Cyprus, Malta, Thailand, Taiwan, Portugal, Germany and Pakistan.
Once the hackers infiltrated the systems, they gained control using malware — software they install on the compromised computers — and sent and received data from them, the researchers said.
Two researchers at Cambridge University in Britain who worked on the part of the investigation related to the Tibetans are also releasing their own report Sunday.
In an online abstract for "The Snooping Dragon: Social Malware Surveillance of the Tibetan Movement," Shishir Nagaraja and Ross Anderson write that while malware attacks are not new, these attacks should be noted for their ability to collect "actionable intelligence for use by the police and security services of a repressive state, with potentially fatal consequences for those exposed."
They say prevention against such attacks will be difficult since traditional defense against social malware in government agencies involves expensive and intrusive measures that range from mandatory access controls to tedious operational security procedures.
The Dalai Lama fled over the Himalaya mountains into exile 50 years ago when China quashed an uprising in Tibet, placing it under its direct rule for the first time. The spiritual leader and the Tibetan government in exile are based in Dharmsala, India.
Although ACB doesn't doubt for a minute that China is spying on the West - which incidentally makes no bones about the fact that it's spying on China - there are a couple of things about this story that do not yet add up, but which hopefully will be covered when full details of the researchers' findings are released.
Amongst the unanswered questions is how, exactly, IWM confirmed infection at the embassies named. Embassies are notoriously difficult when it comes to allowing other people access to their computers, and notoriously reluctant to admit breaches of their security. Thus they are unlikely to allow IWM staff to check their computers for compromising software, or to admit to its presence if they find it themselves. Furthermore, as diplomatic enclaves, their communications are protected by the articles of the Vienna Convention, meaning that if IWM were monitoring their Internet connections for Trojan activity without their consent, IWM would itself be breaching international law.
Another question that still has to be answered is "who exactly is China?". According to preliminary reports, IWM was not able to find the source of the malware, and was only able to trace the traffic it generated to servers in China. That leaves open the question of whether the compromising software originated from Beijing, from private Chinese citizens, from organized crime, or from Chinese corporations seeking to gain economically from the recovered data.
This vagueness about the attack's source also leaves open the question of whether the incursion actually originated in China at all, or whether China was itself a victim, with a foreign hacking group compromising Chinese servers and using them as relays for its own incursion. If the latter is true, then it leaves open the possibility that the incursion was a false flag operation: one in which a foreign group or government plants evidence implicating China in a crime that it is itself committing.
Of course, this is largely speculation at this point. And ACB hopes that IWM will clear things up when their final report is released.
On a side note, ACB notes that computers which are properly patched and updated, and which have quality anti-virus/anti-malware protection installed, seldom get infected with malware unless somebody does something stupid to open the door. This indicates that the 1,295 compromised computers were either left open to attack by their own internal IT security failings, or were compromised by staff members doing something stupid, such as opening a booby-trapped email marked "discount Viagra and cheap hookers for consular staff".
Then again, somebody in China could hypothetically have come up with a super malware program able to cut through the security systems on a diplomatic computer, install itself undetected through multiple layers of software and hardware protection, and then start sending data out without embassy IT security noticing.
Personally, if ACB were a senior embassy official, ACB would start asking some serious questions, not of Beijing, but of the people responsible for IT security.
I love ur analysis!
Questions should be answered before they released this information.
Sometimes, China is just a (or deemed to be) very "dangerous" country for some parties.
All countries spy on each other. Hacking into computers is not such a new thing. Anyone surprised or denying that this is happening is just ignorant.
Ah, but that's the big thing. The only people who have been caught have been the people who've allegedly had their computers infiltrated, and even then they've only been caught with their pants down. No evidence has been found saying who actually did this; in fact all that is known is that "most" of the data passes through/to servers located in China, and that's it. It could be Chinese students, it could be Beijing, or it could be the US consulate in Shanghai, for all anybody knows.
If the report is true, Conficker must be child's play.
Hey, for those of you whining about being "spied" by malware,