Black Code: Inside the Battle for Cyberspace (4 page)

For months we had a bird’s-eye view of the attackers’ command-and-control network, could see everything they were doing. They had made the mistake of not password-protecting all of their
computer directories, assuming that no one would be able to access them if they were not linked to publicly. But Villeneuve spotted that string of twenty-two characters used repeatedly in the networking traffic collected from Tibetan organizations’ computers, and on a hunch he copied then Googled it. Two results came up for obscure websites based in China, and he was then able to map almost all of the command-and-control infrastructure of the attackers, allowing us to see inside their operations without their knowledge. For weeks we watched transfixed, while an ever-expanding list of victims had their computers tapped, as cyber espionage on a massive scale unfolded in real time. We were able to isolate an individual at the Indian embassy in Washington, D.C., whose computer had been compromised by correlating data from the attacker’s web interface with open-source information via Google, and this led us to his bio and contact information website. We thought about calling him with a warning –
unplug your computer now!
– but decided against doing so because we were concerned about tipping off the attackers. Better to analyze all of the data first, we thought. We were inside an international spy operation, the attackers and their hundreds of victims had no idea, and yet we were also, in our own way, engaging in a kind of cyber espionage.

We set up a sting operation by infecting an isolated computer at the Citizen Lab, our “honeypot,” with the same trojan horse – a program in which malicious code is contained inside apparently harmless data – used by the attackers. Then we waited. A few days later our honeypot lit up. A visitor was poking around. He came and went quickly, but stayed just long enough for us to see that he was connecting from a digital subscriber line (DSL) through an IP address on Hainan Island, the same location as one of the command servers, which happened to be a government of Hainan computer. Hainan Island is home to the Lingshui signals intelligence facility and the Third Technical Department of the Government of
China’s People’s Liberation Army (PLA). Established in the 1960s, and upgraded substantially in the 1990s, the signals intelligence facility is staffed by thousands of analysts, and its primary mission is to monitor U.S. naval activity in the South China Sea. (It’s a big island, to be sure, but that a signals intelligence facility of some renown happens to be located there is intriguing.)

The tool used to hack into government agencies, media outlets, and others, was a trojan called Ghost RAT that gave the attackers the ability to remove any file from the computers under their control. (RAT stands for “remote access trojan.”) We had seen this through Greg Walton’s monitoring of the network traffic of Tibetan organizations – connections were then made to China-based IP addresses, hidden from view, and sensitive documents were plucked right out from under the noses of unwitting computer users. Ghost RAT also gave the attackers the ability to record every keystroke entered into the infected computers, capture all passwords and encrypted communications, and turn on audio and video capture devices. Effectively, it could turn the machines under their control into wiretaps.

Remarkably, most of the GhostNet spying capabilities are freely available through an open-source network intrusion tool, the same Ghost RAT that anyone, to this day, can download from the Internet. With widely available and easy-to-access tools like Ghost RAT we have entered the age of do-it-yourself cyber espionage.

•  •  •

“
Who done it?”
The obvious answer was China. The geographic locations of most victims formed a crescent moon around China’s southern flank and read like a who’s who of its most important strategic adversaries: Tibetans, Russians, Iranians, Vietnamese, and so on. We had something of a smoking gun with
the Hainan Island sting, but we needed to be sure, needed to articulate precisely how these types of attacks could be launched by just about anyone, and, perhaps most importantly, by people who might have an interest in making it
look as if
the Chinese government was responsible. Having gained access to the attackers’ command-and-control interfaces would have allowed us, for instance, to infiltrate the same organizations, and no one would have been the wiser. We had a list of the compromised computers and knew where the vulnerabilities lay. It would have been easy for us to commandeer those computers, and there were many agencies that would pay for access to, say, the Iranian foreign affairs ministry or the Indian embassy in Washington. (Later, I would meet computer security engineers who had monetized that type of access and knowledge, selling information about specific target vulnerabilities to, presumably, law enforcement and intelligence agencies for a king’s ransom.) Although the attacks emanated from China’s Internet space they could have originated from a garage in New Jersey. In fact, one of the command servers was in the United States. In short, GhostNet could have been orchestrated and controlled by anyone, anywhere.

Cyber security has long been highly politicized and dozens of government agencies and transnational corporations have their irons in the fire, and are salivating at ever-increasing defence budgets for Internet surveillance. There is considerable vested self-interest in inflating the threat, and during our GhostNet probe (and ever since) our efforts have been to ensure accuracy and to establish a standard. Universities have a special role to play as stewards of evidence-based, impartial research on cyber security, and we needed to ensure that the GhostNet report weighed all of the available evidence as impartially as possible.

In the end,
Tracking GhostNet: Investigating a Cyber Espionage Network
, chronicled a landmark case in cyber espionage. The scope
and importance of the victims, sophistication of the attack (given the negligible resources used to pull it off), detailed exposure of what was going on beneath the surface and, finally, the shock of such widespread infiltration made it so. We are used to our computers being windows onto the world. With GhostNet, we argued that “it is time to get used to them looking back at us.”

•  •  •

“It’ll be on the front page,”
John Markoff of the
New York Times
told me hours before the GhostNet story appeared, and he was right. It was above the fold on Sunday, March 29, 2009, and soon thereafter became one of the top news stories in the world. The University of Toronto’s media relations office was overwhelmed. There were satellite trucks parked outside of the Munk School of Global Affairs, where we are based, cameras everywhere, and I experienced my first media scrum. Later, I had to switch off my mobile phone because it never stopped ringing, and eventually I had to change my number altogether. While I was at the Citizen Lab, my home phone was barraged with calls; our children fielding messages in the early mornings from reporters in Europe and Asia just as confused as they were. There were surreal moments watching the Dalai Lama on television being asked to comment on our report, and Chinese government officials dismissing us as liars. Liu Weimin, the spokesman for the Chinese embassy in London, said the report was part of the Dalai Lama’s “media and propaganda campaign,” while foreign ministry spokesman Qin Gang said that we were haunted by a “Cold War ghost” and suffered from a “virus called the China threat.”

“We have no secrets to hide,” the Dalai Lama told CNN. “They should spy more, then they would know what we are doing.” He soon got his wish. A few months later, our group (working this
time with the U.S.-based volunteer computer security group, the Shadowserver Foundation) revisited the GhostNet campaign and returned to the Dalai Lama’s headquarters to re-examine their computers. We found that they were thoroughly compromised, again, this time by a different China-based espionage campaign. We dubbed it the Shadow Network, “Shadows” for short. Although Shadows was largely restricted to India-related victims, this time we were able to recover copies of data stolen by the attackers as they were being removed from victims’ computers. They had exfiltrated documents marked “Secret” from the Indian national security agency, private business information from Indian defence and intelligence contractors, and a year’s worth of the Office of His Holiness the Dalai Lama’s official and private correspondence with citizens, world leaders, and religious figures.

The GhostNet and Shadows probes (Shadows was also covered extensively in the media) exposed us to a subterranean world of political intrigue, but our findings were not entirely unexpected. We had been gathering evidence for nearly a decade, lifting the lid on the Internet and tracking a contest for the future of cyberspace that was becoming more intense with each passing year. The signposts were clear: cyberspace was changing fast, and not necessarily for the better.

On March 28, 2011
, the Internet went down in Georgia. For nearly twelve hours citizens had no access to Twitter, Facebook, their favourite YouTube videos, or their primary sources of news and online information. They could not access their online bank accounts or send emails. An information darkness had descended on the Eurasian country. The culprit? A nasty computer virus? Another Russian invasion? The latter would not be out of the question. Three years earlier, Georgia’s Internet was brought to a halt as Russian ground troops invaded the territorial enclave of South Ossetia, the country’s most contested region. Acting in support of the Motherland, scores of patriotic Russian hackers bombarded the Georgian Internet with a massive DDOS attack. It overwhelmed Georgian computers, including the government’s websites and the country’s banking and 911 systems.

As it turned out, the reason the Georgian Internet went dark this time around had to do with a seventy-five-year-old woman named Hayastan Shakarian, a “poor old woman” who had “no idea what the Internet is.” She had been scavenging for firewood and old copper and accidentally cut a fibre-optic cable running parallel to a railway line, severing a key Internet connection. The effect was not limited to Georgia: because of how routing was
configured in the region, Ms. Shakarian’s inadvertent action also shut down the Internet in neighbouring countries. Ninety percent of Armenia’s private and business Internet users were cut off, as were many in Azerbaijan.

•  •  •

What is cyberspace?
Ask most people this question and they simply shrug: for them it remains a mysterious and technological unknown that “just works.” The term
cyberspace
was coined in the early 1980s by science fiction writer William Gibson, who defined it as a “consensual hallucination,” and that, indeed, is how it often seems. When we log onto Twitter or Facebook through our laptops or mobile phones, we enter into what feels like an ethereal world divorced from physical reality. Our thoughts about cyberspace – if indeed these can be characterized as thoughts at all –generally begin and end with the screen in front of us. We send an email and within seconds it magically appears on a friend’s BlackBerry or laptop. We text a message and it is instantly received by a colleague on the other side of the world. We start up a video on YouTube and seconds later it is streaming in high definition. We take this for granted, don’t even really think about it.

But what happens in those nanoseconds as the transmission of movies or emails or Internet searches are completed? Information travels at the speed of light, and the processing power of computers is astonishingly fast. It is almost impossible to grasp that the moment a text message is sent thousands of kilometres away the information is transmitted through a complex physical infrastructure spanning multiple political jurisdictions, thousands of private companies and public entities, and numerous media of communication, from wireless radio to fibre-optic cables, like the one Hayastan Shakarian accidentally severed in Georgia.

What if it were possible to overcome the laws of space and time and follow that email, text, or tweet? What would we see? Where does the data go? Who has access to it? What happens beneath the surface of cyberspace that we don’t see? Although cyberspace may seem like virtual reality, it’s not.
Every device we use to connect to the Internet, every cable, machine, application, and point along the fibre-optic and wireless spectrum through which data passes is a possible filter or “chokepoint,” a grey area that can be monitored and that can constrain what we can communicate, that can surveil and choke off the free flow of communication and information.

•  •  •

Those constraints begin
the moment we interact with the Internet, starting with the instructions that make it all work. There are millions of software programs whose instructions shape and define the realm of the possible in cyberspace, and millions more are generated every year. Software, and its codes and commands, route traffic, run programs for us, let us into the virtual worlds we inhabit. One of the unique (and disconcerting for many) features of cyberspace is that anyone can produce software that can be distributed across the Internet as a whole. Some of the most ingenious pieces of code have been written by individuals for no other reason than to get their invention “out there,” to boast and take advantage of a “free” distribution network.

Not all such code is benign. Countless thousands of ever-evolving malignant programs circulate through cyberspace as viruses, trojan horses, and worms. The implications of such “malware” range from minor inconveniences to threats to privacy to debilitating attacks on national security, and some researchers believe that there is now more malware than legitimate software applications, most of it emerging too quickly for computer security
professionals to track. Malware ghettos inhabit vast and loosely connected ecosystems of insecure and outdated software programs, some of them lying dormant for years before being discovered. The progenitors prowl silently through social networking platforms, hijacking innocent people’s Twitter or Facebook accounts to send phony requests to visit advertising sites or to do something more dastardly. Many of our computers may be infected by malware without our knowing it. What’s worse, we pass these infections unwittingly along to friends and colleagues when we exchange information, visit malicious websites and blogs, or download documents from the Internet.