Massive Chinese Espionage Network

The story broke in The New York Times yesterday:

In a report to be issued this weekend, the researchers said that the system was being controlled from computers based almost exclusively in China, but that they could not say conclusively that the Chinese government was involved.


Their sleuthing opened a window into a broader operation that, in less than two years, has infiltrated at least 1,295 computers in 103 countries, including many belonging to embassies, foreign ministries and other government offices, as well as the Dalai Lama's Tibetan exile centers in India, Brussels, London and New York.

The researchers, who have a record of detecting computer espionage, said they believed that in addition to the spying on the Dalai Lama, the system, which they called GhostNet, was focused on the governments of South Asian and Southeast Asian countries.

The Chinese government denies involvement. It's probably true; these networks tend to be run by amateur hackers with the tacit approval of the government, not the government itself. I wrote this on the topic last year.

It's only circumstantial evidence that the hackers are Chinese:

In a report to be issued this weekend, the researchers said that the system was being controlled from computers based almost exclusively in China, but that they could not say conclusively that the Chinese government was involved.

And here's the report, from the University of Toronto.

Good commentary by James Fallows:

My guess is that the "convenient instruments" hypothesis will eventually prove to be true (versus the "centrally controlled plot" scenario), if the "truth" of the case is ever fully determined. For reasons the Toronto report lays out, the episode looks more like the effort of groups of clever young hackers than a concentrated project of the People Liberation Army cyberwar division. But no one knows for certain, and further information about the case is definitely worth following.

An excellent article on, and another on ArsTechnica.

There's another paper, released at the same time on the same topic, from Cambridge University. It makes more pointed claims about the attackers and their origins, claims I'm not sure can be supported from the evidence.

In this note we described how agents of the Chinese government compromised the computing infrastructure of the Office of His His Holiness the Dalai Lama.

EDITED TO ADD (3/30): More information on the tools the hackers used.

EDITED TO ADD (3/30): An interview with the University of Toronto researchers.

EDITED TO ADD (4/1): The Chinese government denies involvement.

EDITD TO ADD (4/1): My essay from last year on Chinese hacking.

Posted on March 30, 2009 at 12:43 PM • 24 Comments


ChrisMarch 30, 2009 1:15 PM

I fail to see how the Chinese get to have it both ways here. They can't have one of the most invasive Internet policing apparatus, and then claim no knowledge of what’s going on. Tacit approval indeed.

Jeff PettorinoMarch 30, 2009 1:21 PM

Well, it makes for a good canned response on the part Chinese Gov't. "We have no knowledge of this, cyber-crime is forbidden, yada yada." With approximately 1/4 of the world population living in the PRC, even having that massive Internet policing apparatus (I like that term...good one!) doesn't ensure they can see everything. But I agree, someone somewhere in that government apparatus has a clue about this, even if it is disavowed.

Randy ZagarMarch 30, 2009 1:56 PM

Someone in the Chinese Gov't clearly has knowledge of the operation, as they used the information to interfere with the Dalai Lama's appointments with foreign dignitaries.

JonMarch 30, 2009 1:59 PM

Yes, it seems that if the Chinese govt. weren't behind this, they'd be all over it trying to find out who is. Yet I don't hear about that.
Reminds me of OJ promising to find the "real" murder after his acquittal ;-)

Carlo GrazianiMarch 30, 2009 2:07 PM

There's one subtle aspect of the story that says "Chinese Government" to me: it's the fact that despite the sophistication of the intrusion vectors and controls, the actual control panel had totally inept security. The Toronto people found that the web interface to the attack system wasn't even password-protected. It relied on its obscurity for defense against unauthorized use.

This is totally unexpected for a small band of smelly, free-lancing hackers, who would naturally be taught good defensive practice by their attack activities.

My interpretation of this apparent paradox is that this is a largish project, with quite a bit of personnel, in different roles. The whiz-kids who write the attack software are different from the sysadmins who run the servers, and are also different from the "management" that decides what gets attacked.

In this picture, "management" demanded easy access to the system, so that they could attack targets easily and quickly, as soon as they are defined. They couldn't be bothered with SSL cerificates or passwords, presumably because there are several "managers", some of whom are not terribly computer-savvy (sound familiar?). Rather than attempt to educate --- and risk pissing off --- a bunch of powerful gerontocrats about proper Internet security practices, the sysadmins judged it less risky to just let them have unprotected access to the web interface, presuming that nobody would ever track the server. If any of the whiz-kids complained, they were ignored.

I expect (well, I hope) that the NSA does these things somewhat less disfunctionally.

SamhMarch 30, 2009 2:32 PM

@Jeff Pettorino

Not to split hairs, but the Chinese population is estimated at 1 / 5 of the total world population.

Sorry, I'm in Monday morning pedant mode.

AnonymousMarch 30, 2009 2:55 PM

And how are we certain that these servers in China aren't leased by folks with a paper trail leading back to the US?

We outsource everything else to China anyhow, why not espionage?

RoxanneMarch 30, 2009 3:35 PM

I liked the final note in the NYTimes article: 'Beyond that, said Rafal A. Rohozinski, one of the investigators, “attribution is difficult because there is no agreed upon international legal framework for being able to pursue investigations down to their logical conclusion, which is highly local.”'

Which is to say, any foreign power is going to have trouble arresting the perpetrators, since they're deep inside the host country's borders, and the host country doesn't want them bothered, let alone arrested. It's the ultimate in long-distance warfare.

Clive RobinsonMarch 30, 2009 4:22 PM

One thing people need to remember is that in China they do thinds way differently to the way we do in the west.

One thing is that their society is still very much based on an agrarian peasent populace kow-towing to feudal overlords in fiefdoms with a court of "robber barons" in turn taxing the overlords. The only thing Comunisum changed was those on top.

Such systems run on patronage and you rise by taking risk, and you stay on top by being both ruthless and conservative.

This means that things get done with a high degree of deniability and unofficialy.

China was untill very recently not realy in contact with the rest of the world. However the West's insatiable need for cheep mass produced goods has ment that there is a lot of money to be made in such a feudal society. And as has been seen even now the price of success is wealth power and status, the price of failure even for Generals and above is a bullet in the spine to show "official disproval" (see various news reports about adultarated milk etc).

So these "patriotic hackers" are either on the "make" or being organised by a person on the "make". However as has been observed by others they don't "officialy exist", and the only time they will is for their trial and execution.

Such is the way of life in a feudal society with independent fiefdoms.

AguirreMarch 30, 2009 10:05 PM

There appears to be a lot of "convenient" evidence left behind. It may well be a diversion away from more professional operations.

3oKDkD28March 30, 2009 11:31 PM

If I want a reliable service that doesn't care what I do and won't kick me off, I either go to some American libertarian host who waves a flag and a constitution in my face, or I go to Hong Kong. Everyone seems pretty light on details here, all they have is Chinese ISPs and Chinese logins. The attack vector was in english.

It'd be convenient if it was the Chinese govt, heck it'd make a lot of sense, but I just read the Cambridge report and it was just fawning over the Dali Llama and was particularly light on the chinese details other than ISPs and IPs. Getting a chinese IP is not difficult.

yupperMarch 31, 2009 12:26 AM

Um,, you guys ever hang out on any of the hacker forums like chasenet Ryan opencs, etc? they talk about how to gain and manage server farms for drop points all the time. this isn't secret stuff. itspretty out in the open.

They talk about using Chinese servers expressly because they know that a) they are all run locally and b) no one will pursue into China.

This "its the PLA" stuff is crap that makes us all look stupid and paranoid. Did you even read how they grabbed the Make tool? That is not PLA, it is scritpkiddee.

I was expecting more from the readers on this site.

SitaramMarch 31, 2009 5:35 AM

Not sure if China is really behind it or not, but their protestations of innocence and "it's illegal in China" sound the same as Pakistan claiming they don't arm and train terrorists, never have, never will.

Disclosure: I'm an Indian :-)

bobMarch 31, 2009 6:45 AM

@Carlo Graziani: very good point. Similar to my primary response to the tin-hat crowd who think the US did 9/11 themselves - there is no way the government could be that competent.

@Anonymous at March 30, 2009 2:55 PM: Because outsourcing government functions would not be compatible with the favorite pastime of all government managers: empire building.

RonKMarch 31, 2009 8:11 AM

@ Zaphod

Although I admit there's a bigger chance that Bruce would comment on that article than on the Phorm fiasco, it seems pretty clear that he is pretty careful in the CYA department with respect to BT.

Really, if he wants to post about it, he will. I don't think you should pressure him for a response on anything connected with BT.

Bryan FeirMarch 31, 2009 2:11 PM

Well, as a number of other people have indicated, we don't have any proof that the Chinese government is directly involved, and in all likelihood they aren't. Directly, at least. Though the fact that one diplomat who had just arranged a meeting with the Dalai Lama got a politely threatening phone call suggesting she not attend the meeting does suggest that somebody in the government knows it exists.

Certainly they're unlikely to be shedding any tears about this.

Or course, passive encouragement has a long history in politics. A sufficiently powerful person makes it known that they would be happy if something got done, without adding any details, and some people interested in making the powerful person happy go and do what they believe he wants done. The main advantage for this at the top is that they can disclaim any connection to the events if the people get caught, and punish them as an example to others. (The lesson being, don't get caught.)

To use the classic English example: Will no one rid me of this troublesome priest?

So I have no doubt that the Chinese government didn't set this up. Which doesn't mean they won't use it.

Oh, and another follow-up, with the Chinese government claiming that the initial report is all lies designed to hurt their image:

RonnieMarch 31, 2009 11:11 PM

An interview with Ron Deibert on CBC
Ron Deibert was one of the people who helped uncover Ghostnet. He is the head of the Citizen Lab at the Munk Centre for International Studies at the University of Toronto. The Citizen Lab worked with SecDev Group, an Ottawa-based think tank to uncover Ghostnet.

eduardoApril 24, 2009 8:57 AM

Why are they so foolish not to use some good old deceptive tactics. Why don't they just set up nice juicy open computers filled with tons of false information that hackers can then pass on that becomes unreliable making them unreliable and wasting tons of time and resources. Put a couple hundred TB's of data for them to read through all for nothing haha.

Tony ColidaFebruary 17, 2011 5:28 PM

I have proof that not only Chineese but the Japanese are committed espionage but companies such as Panasonic and Sony are also involved in the espionage because they stolen my technology designs in mobile cellular telephones as well and are denying the same. They are very shallow people are not original creatures, all they do is copy and steal ideas. I beleive the U.S. and Canadian Governments should halt all import from China and Japan because Americans and Canadian are paying the price by giving the Chinese and Japanese jobs in their Country and us we are suffering with no jobs. Moreover, all the imports are copied and infringe the rights of U.S. and Canadian inventors or patents....Let them sell their counterfeit and illegal products in their country to their own people they have a 2 billion population market and leave U.S to legitament products not copied... Please see lawsuit Tony Colida vs. Panasonic and Sony on the internet....

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Resilient Systems, Inc.