By now, those who toil in the information security industry must be thinking, “another day in cyberspace, another China-related hacking incident.”
The latest case, revealed by researchers in the U.S. and Canada, was announced late Monday. Eight months of investigation have dragged a Web spy ring known as “Shadow” into the sunlight, but not before emails and personal information were stolen from the private and public sector in India — including from its Defense Ministry — along with the offices of the Dalai Lama, the United Nations and the U.S. Embassy in Pakistan.
The researchers, some of whom had worked last year on uncovering the China-based Ghostnet hackers who spied on Tibetan activists, also found that a botnet of infected computers was being manipulated via social media like Facebook, Twitter, Google Groups, Baidu blogs, blog.com and Yahoo mail. The team was able to track the roots of the Shadow network back to Chengdu in the Sichuan province of China, and from there to underground Chinese hackers.
“We have no evidence in this report of the involvement of the People’s Republic of China or any other government in the Shadow network,” say the report’s authors. “But an important question to be entertained is whether the PRC will take action to shut the Shadow network down. Doing so will help to address long-standing concerns that malware systems are actively cultivated, or at the very least tolerated, by governments like the PRC who stand to benefit from their exploits through the black and grey markets for information and data.”
Chinese officials have denied to other media that there was any government involvement in Shadow. However, after recent heavily publicized incidents involving hacks of Google and other companies, and reports from foreign journalists based in China of interference with their Yahoo mail accounts, the revelations are bound to throw a new, harsh spotlight on the Chinese government’s relationship with its private hackers; possible responses from other governments that are current or potential cyberespionage targets; and the way uber-popular social media networks can be hijacked for nefarious purposes.
China’s Deal With the Devil
Barbara Endicott-Popovsky, director of the Center for Information Assurance and Cybersecurity at the University of Washington, got a firsthand look at the obstacles facing China when she attended a major international conference in Beijing just before the 2008 Summer Olympics. She saw young people with little experience managing the conference’s internal network.
In the interest of speeding up responses, “what they did was disable all the security functions on the laptops being used by the conference, and then allowed people to use these laptops until they were totally kluged up with spyware and malware,” Endicott-Popovsky recalled for TechNewsWorld. “After 15-20 minutes, these computers were unusable.”
The situation in China became even clearer when the chief technology officer for China’s Computer Emergency Response Team came to Seattle and UW to learn more about managing company networks efficiently so they could comply with security practices. Endicott-Popovsky did not have political or ideological discussions with her visiting colleague, but what she did learn was that botnets — and those who herd them in China — were his top problem.
“These botnets are a double-edged sword” with respect to their potential as sources of stolen information for government officials, noted Endicott-Popovsky. “It’s not totally easy to control what hackers do, and the groups that are in China are somewhat rogue. That was my impression in talking with this gentleman. He was doing research on how [botnets] form and what they are. His second problem in his role as CTO was management. There is a kind of Wild West quality about China. They don’t have the rule of law, don’t have a history of compliance. People are cutting corners everywhere.”
The Western Response
The list of stolen and compromised documents and infected computers — and of other countries affected by the Shadow network — shows the collateral damage that can pile up when weaknesses are found in a particular country’s infrastructure.
Indian Embassy computers in Afghanistan, Pakistan, Russia, Dubai and Nigeria were all found to be infected. Documents with details on Indian missile systems were taken. NATO information on its forces fighting insurgents in Afghanistan was intercepted. IP addresses for private and academic-based computers in several countries — including the U.S. and Canada — were found within the botnet.
How should the West respond?
It’s difficult to throw cyberespionage accusations around when other countries are also engaging in it, Jennifer Richmond, director of China analysts for Stratfor, told TechNewsWorld. “China has been very aggressive lately, and their targets have been high profile, making international headlines, but they are one of many players.”
Still, the Obama administration has made Internet freedom a major foreign policy cause.
“Of course, given China’s Great Firewall and the administration’s efforts to pressure China on a number of issues economically, they can also use this political leverage to keep the heat on China and move them in other areas, such as currency appreciation,” Richmond pointed out.
Some of the recent incidents getting headlines have had some odd political consequences.
“The idea of Google being placed in a position to have to negotiate with a country, almost as if they are representing the U.S., is kind of unprecedented,” Endicott-Popovsky said. “I believe it’s the nature of the technology we’ve embraced that we find ourselves in this position.”
Social Networks’ Role in Security
Computer users around the world have embraced massive social networks like Facebook and Twitter. For the most part, critics of these networks have focused on privacy issues: How will my personal information be used and stored? What will be sold to third parties?
With the revelations of social networks’ role in helping to manage the Shadow botnet, those questions should also involve security measures, said Paul Ferguson, a security researcher at Trend Micro.
“This is not the first time we’ve seen this happen,” Ferguson told TechNewsWorld. “We’ve seen hackers using things like Google Groups and Yahoo Groups and the open-types of forums.”
Because users volunteer personal information on these platforms, the results can seem like easy pickings for hackers. However, the life expectancy of botnets in social networks isn’t a lengthy one, argued Ferguson. As soon as it’s discovered, of course, it’s going to be removed.
“The more professional criminals — the money-driven criminals on the Web — are not doing that kind of thing,” said Ferguson. “It’s a quick way of getting what you want within a short period of time and if you’re targeting a specific group.”
The problems with social networks lie in their design, he noted. “All the major social networks are relatively insecure. There are countless bugs in all of them — and more importantly, the underlying infrastructure is frail and supported in insecure ways, as was shown in the Google/China situation.”