IT wasn’t until Sunday of last week that Scott Henderson knew he’d been duped. The former US army intelligence officer, along with his colleague “Jumper” had been tracking an alleged Chinese hacker, nicknamed Lost33, who had promised him an interview. “Lost33 did not make contact with Jumper last night. In fact, it seems he spent the night changing his QQ number” — QQ is a popular Chinese instant messaging service — “and deleting all info from his blog. The Web site is now completely empty, except for a change to his personal data,” said Henderson on his blog (bit.ly/darkvisitor).
Henderson had been tracking Lost33 after his e-mail address — firstname.lastname@example.org — turned up in an investigation called GhostNet (bit.ly/ghostnet2). GhostNet started when Information Warfare Monitor (IWF, bit.ly/infowar), a team of cyberwarfare researchers created by the University of Toronto and the Canadian security think tank SecDev, had been asked to conduct a security audit for the Tibetan government in exile. It had found malicious software on the Dalai Lama’s most sensitive computers.
The investigation found links back to command and control servers located mainly in China. From there, the IWF found infected computers under the control of those servers in 103 countries. They identified roughly a third of them, and found them all to be sensitive computers in organizations important to Chinese interests, including numerous embassies, telecommunications companies, and even Vietnamese petroleum firms. Just as Lost33’s identity and motives are shrouded in mystery, the final link between GhostNet and the Chinese government is also lacking.
Ostensibly, this looks like a state-sponsored cyber-spying ring. Especially when you read the part of the report in which a member of an online Tibetan outreach project was detained for two months and interrogated by Chinese officials. They presented her with copies of her Internet chat logs. The project’s machines were compromised by the same malware that filched the Dalai Lama’s files, and communicated with the GhostNet control servers.
But there could be other motives and actors, says the IWF. GhostNet could be a
for-profit initiative, operated by cyber-criminals. It could be operated from outside China, using compromised Chinese computers as proxies (one of the control servers — also the first to be shut down when GhostNet was discovered — was based in the US).
“Even ‘patriotic hackers’ could be acting on their own volition, or with the tacit approval of their government, as operators of the GhostNet,” says the IWF report. The problem is that all of these things are happening in China anyway. Henderson says that patriotic hacking has been a mainstay of the Chinese hacking underground since the mid-1990s.
After the Internet arrived in China in 1994, people began experimenting with the technology, and in 1997, the Green Army hacker group was formed. This gave way to the Red Hacker Alliance, a loosely connected set of groups that emerged after the Jakarta riots of 1998, when Chinese nationals were accused of destabilizing the country. Indonesian Web sites were defaced by outraged Chinese hackers, and a nationalistic movement took on force.
Since then, for-profit motives have emerged. “The history has changed from being a group wanting to protect the motherland, to being specialized hacker groups that are there for the purpose of making money,” Henderson says. Now, for example, hackers have broken the rule of thumb that prevented them from attacking Chinese IP addresses. That wouldn’t have been appropriate when cyber-attacks were motivated by nationalism. Now, in the age of commercialized cybercrime, anyone is fair game.