Join our Mailing List

"For a happier, more stable and civilized future, each of us must develop a sincere, warm-hearted feeling of brotherhood and sisterhood."

Lungren: Tibet Provides a Cautionary Tale

July 15, 2010

By Rep. Dan Lungren
Special to Roll Call (USA)
July 12, 2010

A threat is a communicated intent to inflict harm
or loss on another. Unlike the many physical
threats that mankind has engineered over the
centuries to project individual, tribal or
national dominance, the cyberthreat relies on a new medium — cyberspace.

Cyberspace is the interdependent network of
information technology infrastructures, including
telecommunications networks, computer systems and
the Internet. The cyberthreat is not a threat to
individuals but to their digital surroundings —
which, if destroyed, could have catastrophic
consequences. Digital networks in the United
States now underlie our power grid, military
infrastructure, banking, telecommunications and
transportation systems. While this sophisticated
digital infrastructure makes our economy and
military the strongest in the world, it also
makes us uniquely vulnerable to attack through cyberspace.

The former director of national intelligence,
Dennis Blair, testified to Congress in February
that "malicious cyber-activity is growing at an
unprecedented rate" and that our country’s
efforts to defend against cyber-attacks “are not
strong enough.” Shortly after this assessment,
Blair’s predecessor as intelligence chief, Mike
McConnell, wrote, "The United States is fighting
a cyber war today and we are losing.” Earlier
this year, FBI Director Robert Mueller also
warned of the growing cyberthreat: “They seek our
technology, our intelligence, our intellectual
property, even our military weapons and strategies."

This worldwide cybernetwork provides a pipeline
for continuous attack by malicious actors or
nation-states intending to steal sensitive
personal, financial and corporate data and even
state secrets. In order to defend against this
growing cyberthreat, we need to better understand
its dimensions, risks and consequences. The
following case study of alleged cyber-espionage
against the Tibetan community, which was
uncovered by the Information Warfare Monitor and
its investigators in 2008 and 2009, describes the gravity of the cyberthreat.

This case study led all the way to the private
office of the Dalai Lama and the Tibetan
government-in-exile, and it is a revealing exposé
of the inner workings of a cyber-attack. After
representatives of the Dalai Lama inquired about
the potential threat to their computer security,
network monitoring software was installed by the
IWM to collect forensic technical data. This
initial analysis confirmed the existence of
malware — malicious software — and the transfer
of information between infected computers and a
number of control servers. These control servers
were identified and geolocated on the island of
Hainan in the People’s Republic of China.

The Office of His Holiness the Dalai Lama
provides secretarial assistance and is
responsible for all diplomatic, governmental and
personal correspondence. It is the hub of the
Tibetan movement and continuously transmits and
receives extremely sensitive data over its
computer network. The infected computer in the
Dalai Lama’s office was compromised with malware
that was actively communicating with control
servers on an IP address assigned to
Hainan-TELECOM in China. This investigation
uncovered several documents being exfiltrated
from the computer network and uploaded to these
control servers, including documents containing
thousands of e-mail addresses and one detailing
the Dalai Lama’s Sino-Tibetan negotiating position.

The Tibetan government-in-exile was also
compromised by malware that sent communications
to and received communications from control
servers. The follow-up investigation led to the
discovery of nonsecure, Web-based interfaces to
four control servers, which allow attackers to
send instructions and receive data from
compromised computers. This investigation
uncovered the existence of a malware-based
cyber-espionage network called GhostNet with an
operational reach well beyond Tibetan targets. It
is estimated that GhostNet controls at least
1,295 infected computers in 103 countries with
many focused on high-value diplomatic, political,
economic and military targets.

This GhostNet system directs infected computers
to download a Trojan horse known as ghOst RAT
that allows attackers to gain complete, real-time
computer control. Once compromised, the files
located on infected computers were mined for
contact information and used to spread malware
through e-mail and document attachments that
appear to come from legitimate sources. GhostNet
computers can also search and download specific
files, as well as secretly operate attached
devices, including microphones and webcameras.
GhOst RAT is also being spread through commercial
Internet access accounts located on the island of Hainan.

The discovery of GhostNet is a gripping reminder
of the serious cyberthreat that we face in our
digital world. It demonstrates the ease of
introduction and the reach of computer-based
malware and how it can be used to build an
extensive low-cost intelligence capability. It
also demonstrates the potential cyberthreat to
U.S. critical infrastructure (power grid, dams,
telecommunications and transportation), which
often operates on digital control systems. The
cyberthreat is real, and we must bring greater
urgency to securing our critical infrastructure
from this growing cyber-exploitation.

Rep. Dan Lungren (R-Calif.) is the ranking member
on the Homeland Security Subcommittee on Emerging
Threats, Cybersecurity and Science and Technology.
CTC National Office 1425 René-Lévesque Blvd West, 3rd Floor, Montréal, Québec, Canada, H3G 1T7
T: (514) 487-0665
Developed by plank