Made in China: Cyber-spying system, with focus on India

Reports of a China-based cyber spy network targetting the Indian military and the consequent alert sounded by Army authorities may be only the tip of the iceberg -- investigations have revealed a fully dedicated India-specific espionage system aimed at business, diplomatic, strategic and academic interests. The detailed research and investigations carried out by Canada-based authors of the report 'Shadows in the Cloud' and experts from India's NTRO have pointed to a command and control system that used free web-hosting services and social networking sites like Twitter, Baidu blogs and Google. These accounts were manipulated by a "core" of servers based in Chengdu in China.

The report, released in early April, received fairly wide publicity but its fuller implications are only now beginning to sink in. The largely India-centric cyber warfare system is described as "son of ghost net", an allusion to a Chinese effort to infiltrate the Tibetan exile community.

The current investigations also began in Dharamshala but revealed a larger intent linked to an underground hacking community in Chengdu. An email used in ghostnet turned up in the Shadows probe as well and is identified as losttemp33@hotmail and was associated with Xfocus and Isbase, two popular Chinese hacking forums and possibly was a student of master hackers Glacier and Sunwear. The individual is believed to have studied at University of Electronic Science and Technology at Chengdu in Sichuan.

The Canadian team used a domain name system (DNS) sinkhole to turn IP addresses into domain names by grabbing suspect servers abandoned after ghostnet investigations. The list of compromised Indian computers is disturbing: machines at Indian missions at Kabul, Moscow, Dubai, Abuja, US, Serbia, Belgium, Germany, Cyprus, UK and Zimbabwe were infected. A machine at the National Security Council Secretariat was tapped as were computers at military engineering services at Kolkata, Bangalore and Jalandhar. Computers linked to the 21 Mountain Artillery Brigade, the Air Force Station at Race Course Road opposite the PM's residence, the Army Institute of Technology at Pune and Military College of Electronics and Mechanical Engineering at Secunderabad were also compromised.

Thinktanks such as the Institute for Defence Studies and Analyses and publications like India Strategic and FORCE were also targeted as were corporations like DLF Limited, Tata and YKK India. Computers at the National Maritime Foundation and Gujarat Chemical Port Terminal Compnay were also hit. On-ground investigations at Dharamshala, where the Tibetan exile community is headquartered, showed that computers were beaconing with server 'jdusnemsaz' in Chongqing in China. Interestingly, while Chengdu has a military research bureau, Chongqing is host to several triads -- criminal networks with connections to the Chinese government and Communist Party.

In a lucky break, the Canadian team was able to recover data being removed by attackers and discovered a list of compromised computers. Registering and monitoring four of the domain names revealed by the earlier ghostnet probe, they reached those used in the shadows network like www.assam2008.net, aaa.msnxy,net, sysroots.net, www.lookbyturns.com and www.macfeeresponse.org. The investigations showed that the infected email or social networking accounts were infiltrated with malware which then allowed the compromised computer to receive more sophisticated software through attachments. All through, there was a core of master servers based in China that kept a close check on infiltration of computers and transfer of all sorts of documents from personal details to missile analysis to safe drop zones.........................Source

Posted in: