NEWS FROM THE LAB - Wednesday, April 7, 2010

Shadows in the Cloud Posted by Mikko @ 14:23 GMT

You might remember the GhostNet white paper released a year ago? We blogged about it extensively.

The same researchers, with the help of the Shadowserver Foundation, have now published a new white paper called Shadows In The Cloud: Investigating Cyber Espionage 2.0 (link to a PDF).

This investigation into targeted attacks (à la "Operation Aurora") is very extensive and well worth a read. It includes technical analysis of the espionage methods as well as an overview of how the attackers ran their operation.

Shadows in the Cloud

The report even goes on to name likely targets.


To quote the beginning of the paper:

Main Findings

Complex cyber espionage network
Documented evidence of a cyber espionage network that compromised government, business, and academic computer systems in India, the Office of the Dalai Lama, and the United Nations. Numerous other institutions, including the Embassy of Pakistan in the United States, were also compromised. Some of these institutions can be positively identified, while others cannot.

Theft of classified and sensitive documents
Recovery and analysis of exfiltrated data, including one document that appears to be encrypted diplomatic correspondence, two documents marked "SECRET", six as "RESTRICTED", and five as "CONFIDENTIAL". These documents are identified as belonging to the Indian government. However, we do not have direct evidence that they were stolen from Indian government computers and they may have been compromised as a result of being copied onto personal computers. The recovered documents also include 1,500 letters sent from the Dalai Lama's office between January and November 2009. The profile of documents recovered suggests that the attackers targeted specific systems and profiles of users.

Evidence of collateral compromise
A portion of the recovered data included visa applications submitted to Indian diplomatic missions in Afghanistan. This data was voluntarily provided to the Indian missions by nationals of 13 countries as part of the regular visa application process. In a context like Afghanistan, this finding points to the complex nature of the information security challenge where risks to individuals (or operational security) can occur as a result of a data compromise on secure systems operated by trusted partners.

Command-and-control infrastructure that leverages cloud-based social media services
Documentation of a complex and tiered command and control infrastructure, designed to maintain persistence. The infrastructure made use of freely available social media systems that include Twitter, Google Groups, Blogspot, Baidu Blogs, blog.com and Yahoo Mail. This top layer directed compromised computers to accounts on free web hosting services, and as the free hosting servers were disabled, to a stable core of command and control servers located in the People's Republic of China.

Links to Chinese hacking community
Evidence of links between the Shadow network and two individuals living in Chengdu to the underground hacking community in the People's Republic of China.
