Why One Of The Largest Cyber-Attacks Is Still A Mystery

Cyber espionage is a powerful tool in modern warfare. It can be used to spy on prominent individuals like political leaders, government officials, and business heads, spread disinformation, and even disrupt infrastructure. Nations also conduct espionage to prepare for cyber attacks or physical acts of war.

While many countries engage in some form of cyber warfare, the U.S. government singles out China as a significant threat. According to CISA (the Cybersecurity and Infrastructure Security Agency), the United States' cyber defense agency, "China probably currently represents the broadest, most active, and persistent cyber espionage threat to U.S. Government and private-sector networks." CISA goes on to warn that Chinese cyber attacks could disrupt the country's oil and gas pipelines, as well as its rail systems.

That is a broad warning, but China is also known for specific, sophisticated cyber operations. It is widely assumed that the Chinese government orchestrated the infamous GhostNet spy network, which breached more than 1,000 computers belonging to military, political, economic, and diplomatic targets worldwide. For a mix of political and legal reasons, however, China was never officially named as the culprit. As a result, the origins of GhostNet remain a mystery.

GhostNet was a massive cyber espionage network

GhostNet was uncovered after the office of the Dalai Lama in India asked a group of security researchers at the Munk Centre for International Studies at the University of Toronto to examine its computers for signs of a breach. That request led to an investigation that uncovered a spying network which had infected 1,295 computers in 103 countries over roughly two years. In 2009, the Munk Centre researchers and analysts of the Information Warfare Monitor published a detailed report on the operation, which they dubbed "GhostNet."

GhostNet spread through emails carrying malicious attachments and web links. Once a victim opened the attachment or followed the link, the malware, a remote access trojan (the gh0st RAT, from which the network took its name), gave the attackers complete control of the machine: they could search for and download files, and they could remotely switch on attached devices such as webcams and microphones to watch and listen to the target.

Close to 30% of the infected computers were high-value targets, including the foreign ministries of several countries in Southeast Asia, South Asia, and Europe. Infected machines also belonged to international organizations such as ASEAN, SAARC, and the Asian Development Bank, to news organizations, and, in one case, to a computer at NATO headquarters.

Who was behind the GhostNet attacks?

The GhostNet researchers were able to identify and connect to the spy network's command-and-control servers. Several of the IP addresses the attackers used to communicate with infected computers were traced to Hainan Island in China. In total, the investigation uncovered four control servers, three of which were located in China; the fourth was hosted at a web-hosting company in the United States. Of the six command servers identified, five were located in mainland China and one in Hong Kong.

While the researchers acknowledged that the evidence pointed to China as the most obvious orchestrator of the GhostNet attacks, their report stopped short of blaming the country. It cautioned that the operation could also be the work of a criminal organization or even another nation: the location of a command server establishes where the infrastructure was, not who operated it, since servers can be rented, proxied through, or themselves compromised. The researchers therefore could not provide concrete proof that the Chinese government was involved.

GhostNet's servers went offline a day after the report was released, and a spokesperson for the Chinese consulate in New York denied any involvement in the operation, stating that the Chinese government explicitly forbids cybercrime. Because the victims and the attack infrastructure were spread across many jurisdictions, legal and political barriers prevented a more in-depth investigation. As a result, more than a decade after the operation was uncovered, the perpetrators behind GhostNet have never been formally identified.