Investigators find Chinese botnet on Dalai Lama’s PC

A 10-month investigation has led to the discovery of the world’s largest alleged cyber espionage network, dubbed ‘GhostNet’.

The botnet was uncovered following manual investigation of a computer system in the private offices of the Dalai Lama by Canadian researchers from the Munk Centre for International Studies and the SecDev Group, based in Ottawa.

Beyond evidence of cyber espionage against Tibet, the investigation also uncovered 1295 infected hosts in 103 countries, 30% of them ‘high-value’ targets including computers located in foreign affairs ministries, embassies, international organisations, NGOs and news media outlets.

According to the researchers, the ‘gh0st RAT’ malware is delivered as an email attachment or web link, specifically crafted using social engineering to encourage the victim to unwittingly install the Trojan.

In the Tibetan case, attackers sent an email with the spoofed sender address ‘campaigns@freetibet.org’ and an attachment named ‘Translation of Freedom Movement ID Book for Tibetans in Exile.doc’ to encourage the user to open the infected file.
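The two delivery details above (a forged visible sender and a document attachment whose name fits the recipient's work) are exactly what a mail-gateway triage rule can score. The following is an added example written for this page, not code from the GhostNet report or its authors: it parses raw messages with Python's standard `email` package, flags a mismatch between the visible `From:` domain and the envelope sender recorded in `Return-Path`, and flags Office-document attachments. The two sample messages, the `example.invalid` domains and the `bounce@` address are constructed for the example; the sender address and attachment name come from the article.

```python
"""Mail triage heuristic for the spoofed-sender-plus-document pattern.

Added example for this article, not the GhostNet report's own tooling.
Return-Path is written by the receiving MTA from the SMTP envelope, so a
visible From: domain that disagrees with it is a cheap, useful signal,
though only SPF/DKIM/DMARC actually authenticate the sender.
"""
from email import policy
from email.parser import BytesParser

# Attachment types worth a second look when paired with a forged sender.
DOC_EXTENSIONS = {".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf"}

# Constructed sample: visible From: is the spoofed address from the article,
# envelope sender is an unrelated (constructed) domain, document attached.
SPOOFED_SAMPLE = b"""Return-Path: <bounce@mail.example.invalid>
From: campaigns@freetibet.org
To: staff@example.invalid
Subject: Translation of Freedom Movement ID Book
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please see the attached translation.
--b1
Content-Type: application/msword; name="Translation of Freedom Movement ID Book for Tibetans in Exile.doc"
Content-Disposition: attachment; filename="Translation of Freedom Movement ID Book for Tibetans in Exile.doc"
Content-Transfer-Encoding: base64

AAAA
--b1--
"""

# Constructed sample: envelope and visible sender agree, no attachment.
LEGIT_SAMPLE = b"""Return-Path: <alice@example.invalid>
From: alice@example.invalid
To: staff@example.invalid
Subject: Lunch
MIME-Version: 1.0
Content-Type: text/plain

Noon at the usual place?
"""


def domain_of(addr):
    """Lowercase domain of an address header value, or '' if there is none."""
    if not addr or "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].strip(" <>").lower()


def triage(raw):
    """Return a list of human-readable findings for one raw RFC 5322 message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    from_domain = domain_of(msg.get("From", ""))
    envelope_domain = domain_of(msg.get("Return-Path", ""))
    if envelope_domain and from_domain != envelope_domain:
        findings.append(
            f"sender mismatch: From={from_domain} Return-Path={envelope_domain}"
        )
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = name[name.rfind("."):].lower() if "." in name else ""
        if ext in DOC_EXTENSIONS:
            findings.append(f"document attachment: {name}")
    return findings


def is_suspicious(raw):
    """True when both signals fire together: forged-looking sender AND a document."""
    findings = triage(raw)
    return any(f.startswith("sender mismatch") for f in findings) and any(
        f.startswith("document attachment") for f in findings
    )


if __name__ == "__main__":
    for label, sample in (("spoofed", SPOOFED_SAMPLE), ("legit", LEGIT_SAMPLE)):
        print(label, is_suspicious(sample), triage(sample))
```

Requiring both signals keeps the false-positive rate down: mailing lists and forwarding services routinely produce a `Return-Path` that differs from `From:`, and plenty of legitimate mail carries `.doc` files. Only the combination, on mail from outside the organisation, is worth routing to a sandbox or a human, which is the kind of layered check the article's 11-of-34 anti-virus detection rate argues for.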

“It is common to see legitimate documents recycled for such attacks or the attacker injecting their message into an ongoing group conversation,” the report noted.

Worryingly, only 11 of the 34 anti-virus programs tested by investigators recognised the embedded Trojan.

Noting the obvious political implications of the attack, investigators emphasised that the evidence did not point “definitively to China as the culprit.”

“Certainly Chinese cyber-espionage is a major global concern. But attributing all Chinese malware to deliberate or targeted intelligence gathering operations by the Chinese state is wrong and misleading,” the report said.

“Numbers can tell a different story. China is presently the world’s largest Internet population. The sheer number of young digital natives online can more than account for the increase in Chinese malware. With more creative people using computers, it’s expected that China (and Chinese individuals) will account for a larger proportion of cybercrime.”

The report also claimed that “from the evidence at hand, it is not clear whether the attacker(s) really knew what they had penetrated, or if the information was ever exploited for commercial or intelligence value.”

However, the report’s authors criticised the security of the high-value targets compromised by the “technically unsophisticated” approach used by the attackers to create “a very effective spynet”.

“This report serves as a wake-up call,” they said. “These are major disruptive capabilities that the professional information security community, as well as policymakers, need to come to terms with rapidly.”

Meanwhile, the security community is buzzing over the impending impact of the Conficker virus, which is set to activate itself on April Fools’ Day.

Computers infected by the worm will ‘phone home’ for further instructions on April 1, most likely triggering a flood of spam or possibly a denial-of-service attack.

Rick Howard, head of Verisign’s iDefense cybercrime research arm, said the worm was nothing more than a new variant of an old worm virus, albeit with an unknown payload.

“The press has definitely overhyped this issue,” Howard said. “Although dangerous, the security community has known about this worm since the first variant. The mitigation recommendations are the same for this fourth variant as they were for the first.”
