A young woman is arrested by the Chinese government while trying to cross the border to Tibet. Her interrogator, a Chinese spy, pulls out a dossier full of information regarding her activity online. It turns out she's been visiting pro-Tibet websites, and for that, she's sentenced to two months in jail. What is GhostNet? Find out how China spies on its own citizens on this episode of Malicious Life.

Hosted By

Ran Levi

Born in Israel in 1975, Ran studied Electrical Engineering at the Technion Institute of Technology, and worked as an electronics engineer and programmer for several High Tech companies in Israel.
In 2007, he created the popular Israeli podcast, Making History, with over 10 million downloads as of Aug. 2017.
Author of 3 books (all in Hebrew): Perpetuum Mobile: About the history of Perpetual Motion Machines; The Little University of Science: A book about all of Science (well, the important bits, anyway) in bite-sized chunks; Battle of Minds: About the history of computer malware.

Episode transcript:

GhostNet

 

“You work for Drewla?” The Chinese spook asked the young Tibetan girl from Dharamshala. She had been arrested on the China-Nepal border barely hours earlier.

 

“No.”

 

“LIAR! You come here to make trouble,” the angry Chinese persisted. “You are DREWLA; online network of Tibetan people who know Chinese language. You talk to innocent Chinese people to get information! SPY!”

 

“No. I am a student. I just wanted to see Lhasa, the land of my ancestors. I wanted to come back,” said the girl.

 

“READ!” said the Chinese and pushed a dossier across to her. One look and the girl knew the charade was pointless. The dossier contained transcripts of her chats with Chinese people over many years.

 

“We watch you all the time. We know who you are. We know what you do. Don’t ever come back to Tibet — tell your friends in Dharamshala too,” said the spook.

 

 

What you just heard wasn’t an excerpt from a novel, or a play.  It comes from a Forbes-India article published almost a decade ago.  The Chinese interrogator was a state police official. The young woman: a member of a pro-Tibetan NGO, “Drewla”, trying to visit her family.  She was not released after this encounter. She would remain imprisoned for two months, before being sent back from whence she came. She never got to visit her family.

 

Hi, I’m Ran Levi, and welcome to Malicious Life.  This woman I just described was not alone in a strange pattern that began to lurk under the Tibetan diaspora during the late 2000s.

 

As far back as September 2002, large-scale, Chinese-based hacks were being wrought on many Tibetan groups and individuals–including NGOs, human rights institutions, writers, scholars, various other Tibetan-friendly organizations, ethnic Tibetans in China and those in exile.  Greg Walton, a cybersecurity researcher working to combat these attacks at the time, reported his findings to the South China Morning Star – a Hong Kong English-language newspaper – but little else happened on the matter for over half a decade. We don’t know much about what happened during those years–perhaps that’s because things quieted down a bit, or, since it was the early 2000s, there wasn’t yet a proper international public awareness about the threat of malware. Or, perhaps, it’s because this silent threat was growing, and growing, into a massive cyber espionage network.

 

And then, in September of 2008, Greg Walton was approached by a Tibetan monastery. They asked him: was the Dalai Lama’s computer hacked?

 

The Office of His Holiness The Dalai Lama (or OHHDL, for short) had good reason to suspect that something was up.  It was sort of like there was a ghost haunting their office. There were crashes in Microsoft applications, and many email spam attacks.  One monk literally watched as Microsoft Outlook Express opened on its own on his monitor, attached documents to an email and sent that email to an address he didn’t recognize. There were plenty of other instances that extended outside the office, such as the case of a diplomat who–mere moments after receiving an email invitation to meet with the Dalai Lama–was contacted by Chinese officials and pressured against doing so.  In fact, multiple foreign dignitaries had similar experiences–strange occurrences like these just seemed to pop up every so often in and around Dharamshala, India, where the Dalai Lama’s camp is located.

 

You can imagine, at this point, that when Greg Walton arrived to take a look at the problem, he wouldn’t be going home empty-handed.  Having worked with the OHHDL since the 90s, Walton was given free access to the Dalai Lama’s own computer and private office. What he discovered was a thoroughly compromised system.  An open wound left untreated, inflamed with dirty code–code that could not only spy on the Dalai Lama’s every doing, but also extract any data it wanted. And none of this was theoretical: during their research, Walton and his team watched in real time as some unknown person in an unknown location siphoned out a copy of a document from the computer, detailing the OHHDL’s political negotiating positions.  It was not a random choice.

 

The infection was so severe that, at this point, their most pressing issue wasn’t even really about fixing anything, or finding the perps.  It surely wasn’t about finding the malware, which had already made itself quite apparent. Walton’s problem, from a processing standpoint, was that there was far too much data to go on.  1.2 gigabytes of too much, to be exact.  Endless rows of raw code, much of it apparently incomprehensible.  He brought the code back to his base at the University of Toronto, and his team started reading.

 

Reading, and reading, and reading. They kept at it, until one team member–Nart Villeneuve–found a code string of just 22 characters embedded in files the program created.  To his eye, the string seemed…of note. It was 12:33 p.m., on March 6th, 2009, and what Villeneuve did with that bit of code was so technically complicated, so marvelously sophisticated, that it totally exposed the entire program underneath.

 

He Googled it.

 

Villeneuve pasted the code string into Google and what he got back was a curiously unencrypted webpage.  The webpage led him to a server. Then, in turn, another server. Then one more. Just like dominos, all rooting out from this single Google search, Nart and Greg’s research group uncovered a command & control infrastructure underpinning a network of 1,295 computers in 103 countries around the world, all infected with the same malicious code.  From the OHHDL to embassies of the United States, Germany, Serbia, Kuwait, Belgium, Italy, and India. The prime minister of Laos, the Associated Press, NATO and more.

 

This was the GhostNet.

 

In March of 2008 rioting broke out among protesters challenging China’s rule over the Tibetan people, spreading out from the Tibetan capital of Lhasa not just throughout the region, but also in the West from sympathizers.  Large army and police forces flooded the affected areas. By the end of it, 18 Chinese embassies and consulates had been attacked. 18 civilians had been killed and 382 injured.

 

The ethnic Tibetans and Chinese have been at odds ever since 1950, when Mao Zedong’s Communist China invaded and took over the region.  In 1959, sparked by rumor that the 14th Dalai Lama was under threat of assassination by the Chinese government, the Tibetans revolted. They failed, leading to the Dalai Lama’s exile to India, a quarter-century of ethnic genocide, and the still-oppressive conditions Tibetans live under to this day.  Suffice to say things haven’t been good for a while now in that part of the world. When riots began in 2008, and things started to look a little too much like 1959, the Government of the People’s Republic of China was given reason to crack down.

 

Which is why later that year, when Greg Walton, Nart Villeneuve and Ronald Deibert–the third member of the Toronto trio–found that three of the servers providing control of their Tibetan-targeted malware were located in China, it must have seemed more than a little suspicious.

 

News broke about the GhostNet, and all eyes turned to China, who immediately deflected blame.  “These are old stories and they are nonsense” a spokeswoman from China’s consulate in New York announced to the press.  A spokesman for the Chinese embassy in London suggested the whole affair was merely a “propaganda campaign” initiated by the Tibetans in exile.

 

The fact remained, though: in over 100 countries, far more than 1,000 computers were infected.  Circumstantial evidence aside, this just didn’t seem like something an individual or small group, or really anyone outside of a powerful state actor, could pull off.  And there was one other thing: the whole operation…it was really well-executed.

 

Say you’re a monk.  You’re at the office, sitting at your computer.  (Mondays, am I right?) Maybe you’re working, maybe not.  You send out a tweet: “@China u suck!” You scroll Instagram, maybe DM a hot Tibetan model.  Then you get an email.

 

Subject: Kalon Tripa Succession

 

Dear Sir,

 

Attached please find the final Tibetan translation of my English announcement for the Kalon Tripa [head of the Tibetan government-in-exile] succession initiative.  Response to my press release on September 2nd has been very positive and I have been receiving lots of email and phone messages from Tibetans everywhere.

 

Yours sincerely,

 

Pema Rinzin

President

TAC

 

This was a real email, sent to a member of the OHHDL at 8:14 a.m. on September 18th, 2008.  Pretty innocent stuff, right? Nothing to raise any red flags.

 

In transit from the sender’s computer to the OHHDL, GhostNet hackers managed to attach a malicious payload to this email.  All else being totally legitimate, once the recipient clicked on the file his computer was infected. This was some next-level spear phishing, and occurred in many instances during the GhostNet affair.

 

The hackers also created spear phishing emails the old-fashioned way, though–by writing them themselves–and had a couple of very helpful means for gathering data on what sorts of content would make for the most convincing product.  One path they could’ve taken would’ve been to leverage the fact that many of those same monks with administration positions in the OHHDL were also involved in other online activities, such as discussion forums. The hackers may have originally found helpful contextual bits and pieces–names of people and groups, common interests and projects, and other such information–useful for making phishing emails sound extra legitimate. It’s also quite possible that the hackers first broke into the OHHDL mail backend through compromising their servers, or guessing passwords. Either way, we know now that once the attackers had successfully penetrated even their first victim’s email history, they had plenty to go on from there: most notably the addresses of people he’d emailed, and the types of things he’d talked about in those emails.  The attackers worked their way out from there: sending the malware to more people in the system, and particularly aiming for those at the top.

 

Monks may be trained in resisting temptations, but email is not covered in the Buddhist scriptures.  They often don’t have the resources or training of, say, an official state office. One University of Cambridge study, for example, noted that “some passwords chosen by monks were easily broken with a dictionary attack” using John the Ripper, a free password-cracking software, “in about 15 minutes.”  Let’s face it: monks tend to be a peaceful people, perhaps to a fault when it comes to something like this. So when the hackers laid a trap, the prey waltzed right in.

 

When you, the monk, click on this .doc or PDF attachment, you unknowingly download GhostRAT–the name researchers gave to the malware itself underpinning the GhostNet infrastructure: RAT is short for ‘remote access trojan’.  The code downloads itself, slipping in through what were, at the time, otherwise unseen security vulnerabilities in Microsoft Office and Adobe Acrobat, and then has your computer covertly communicate with a host server back in China.  Sometimes this point in the process causes a flash onscreen, or a crash of the application–part of why the monks were able to pick up on something being wrong–but oftentimes it occurs seamlessly, without the user’s knowledge. At that point, a hacker will have free rein to do whatever they wish with your machine–their powers including, but not limited to: covertly turning on your webcam and microphone, keystroke logging, spying on your documents and other data, application processes, and downloading further malware.

 

When the Toronto team set up a honeypot–intentionally downloading the malware in order to learn more about it–this is exactly what they found.  They observed, in real time, as someone took over the computer, requested information about their location and technical specifications, and then searched through directories such as “My Documents”.  But figuring out how GhostRAT worked did more than give the researchers quality technical information on the malicious code. It also provided further evidence as to who may have been behind it…

 

Take two hypothetical scenarios.

 

Scenario A: a woman is found lying dead on her living room floor.

 

Scenario B: same woman, but she died in a hit-and-run in downtown L.A.

 

Who did it?

 

If you were a detective investigating something like Scenario A, you might have a much easier time making heads or tails of suspects than you would Scenario B.  In Scenario B, the woman could’ve been hit by any one of the thousands of cars driving through the area. In Scenario A, you know to look to the spouse, or roommate, or whomever might otherwise have had reason to be in the apartment with her.  Even if it were a stranger–someone robbing the house–there’d likely be evidence to the break-in, or even fingerprints. Tire prints just aren’t the same.

 

As the detectives of the computer world, cybersecurity researchers face similar sorts of scenarios as a real-life detective might, in trying to find the perpetrators of hacking attacks.  All other things being the same, it’s much tougher to find the person or persons behind a broad attack–say, malware designed to steal credit card information from unsuspecting private citizens when they shop online.  That’s the Scenario B of cybersecurity: no specific type of person to suspect, general style of attack, obvious monetary incentive.

 

But the Toronto research team of Walton, Villeneuve and Deibert already saw the pattern of attacks on Tibetan-related entities.  They were already looking for someone with motivation to attack this specific ethno-political group. The character of this malware attack, once it revealed itself to them, provided only further evidence to the point.

 

That email from “Pema Rinzin”–it wasn’t broad and unspecific, like the sorts of Trojan viruses you or I might get directed to our spam folders–it was clearly written for specific people in the OHHDL.  In that same vein, the GhostRAT’s functionality wasn’t by any means simple, or uninvolved–it was designed specifically so that one hacker computer could specifically monitor one victim computer. If 1,295 computers were infected, they were all spied upon individually.  Where basic hacks can be one hacker tagging thousands of victims, GhostNet, despite the size and scope of the operation, involved one-to-one hacker-to-victim relationships. This, of course, means the attackers had very specific victims in mind. As the Toronto squad observed the types of information their hackers were after–“My Documents”, the negotiating positions of the Dalai Lama–it became clearer and clearer that this was a politically-motivated attack.

 

Cut to: China, trying to look innocent.

 

There were at least a few signs pointing away from China.  One of the servers was located in California. Walton’s team wasn’t able to extract data back from the hackers, meaning they couldn’t conclusively figure out to whom such stolen information would have been useful.  Plus, remember that poor Tibetan woman from the beginning of this episode, who got jailed for two months just for traveling to try to see her family? Experts have noted that the messaging app she was using–TOM-Skype, China’s version of Skype–is known to log messages sent between users.  So it’s entirely possible that officials could’ve found those communications the police presented to her through some backdoor access to that app. There’s no good way to tell whether it was GhostNet related or not.

 

And then there came another wrinkle.

 

Following initial publication and press for the GhostNet affair, two researchers otherwise unaffiliated with the project took it upon themselves to look over the raw data, and came across some interesting, overlooked tidbits of information: email addresses.  Two of them, associated with the web portals Nart Villeneuve found in his Google search. One–[email protected]–led nowhere. The other–[email protected]–led them down a path closer to the real GhostNet hackers than even the Toronto team was able to pull off.

 

The two researchers searched for the identity of the person behind [email protected], leading them to a website called Programmers United Development Net, which further directed to a personal blog posted under the name “lost33”.  Lost33’s user profile was signed with the Chinese characters for “hacker”, included a birthdate–July 24th, 1982–a city of residence–Chengdu City, of the Sichuan province of China–and even a personal motto: “The bored soldier swaying on an empty battlefield.”

 

And then, the lead went cold.  It seemed that Lost33 had up and disappeared from the internet as of 2006.  The researchers were at a loss, until one of them came up with a novel idea: people change their online usernames all the time…but never their personal mottos!

 

Quick search for “the bored soldier” and, what do you know, a blog popped up.  It went under the name “damnfootman”. This new blog had links to other hacker sites and programs, and indicated that the blogger attended the University of Electronic Science and Technology of China.  How did the researchers know damnfootman was Lost33? Well, included under the user profile information was a birthdate–July 24th, 1982–and a place of residence–Chengdu City.

 

Chengdu, it just so happened, was found to be the location of one of the four GhostNet servers.  Chengdu is also home to a Chinese military intelligence base.

 

The other three servers were located in the Hainan and Guangdong provinces of China, as well as one from a southern California-based web hosting company.  The Hainan server can be found housed at the Lingshui intelligence and Third Technical Department of the People’s Liberation Army of China. In other words, it’s government-owned and -operated.

 

For all the information drawn from Lost33, somehow it seems to have brought up more questions than it answered.

 

You could, for instance, reasonably look to Lost33 as argument for how we don’t have sufficient evidence to make certain decisions about GhostNet.  If he or she (or, I suppose, them) could have slipped through analysis by almost all official outlets involved in post-GhostNet analysis, what else could have slipped by?

 

There’s also the fact that Lost33 appears to be a private citizen.  Sure, he or she refers to themselves as a “soldier”, but more in a metaphorical way, in the context of their sort of poetic personal motto.  You wouldn’t expect an enlisted Chinese soldier to be involved with underground hacking forums, posting hacker tools online and blogging about themselves.  Does this mean GhostNet was a private-sector campaign, since it involved one or more private citizens?

 

Many cybersecurity experts wouldn’t go so far.  In fact, some have claimed that China has intentionally built up a sort of network of freelance citizen hackers–that they may employ, indirectly or directly, private agents in hacking campaigns.  Why? Well, for the same reason Putin’s Russia outsources their hacking to individual groups–a level of separation from the dirty work, and the plausible deniability that comes therein. They know it makes the job murkier for researchers, and opens up the fear of libel for those asked about such matters in the press.  The Toronto researchers, for example, hedged their bets. “We’re a bit more careful about it, knowing the nuance of what happens in the subterranean realms,” Ronald Deibert told Reuters. “This could well be the CIA or the Russians. It’s a murky realm that we’re lifting the lid on.”

 

This, in the face of all the evidence you’ve heard thus far.  The Tibetan vendetta, the government-military servers, the targeted design of the malware.  How about this: all of the suspect IP addresses found in the OHHDL email server logs were traced to the Xinjiang Uyghur Autonomous Region of China.  Do I even have to tell you at this point that this region is home to the Chinese intelligence branch responsible for overseeing the Tibetan independence campaign?

 

Some researchers did go so far as to unequivocally accuse China of building the GhostNet.  In any scenario, it’s worth noting that China retains strict control over internet usage within its borders.  It’s unlikely that much of anything significant–let alone an entire international spy network–could go on without at least their implicit approval.

 

Today the 14th Dalai Lama is still alive and well, and tweeting as ever–presumably in an unhacked manner.

 

GhostNet is a thing of the past, though projects like NSA’s PRISM bring into question whether more GhostNet-like infrastructures exist under our feet right now, without our knowing.

 

Oh, and GhostRAT?  Still pops up in a Google search.  Go ahead–try it. Just don’t click the link!