American, Canadian, and European firms that used to brag about connecting individuals and wiring the world are now turning those wires into secret weapons of war and repression. Suddenly, policy-makers are being given tools they never before imagined: advanced deep packet inspection, content filtering, social network mining, cellphone tracking, and computer network exploitation and attack capabilities.
This is not the way it was supposed to be.
As the imperatives to regulate, secure, and control cyberspace grow, we risk degrading (even destroying) what made cyberspace unique in the first place. In the face of urgent issues and real threats, policy-makers may be tempted to lower the bar for what is seen as acceptable practice or, worse, throw the baby out with the bath water. Before extreme solutions are adopted we must address the core value that underpins cyberspace itself: ensuring that it remains secure, but also open and dynamic, a communications system for citizens the world over.
1.
Chasing Shadows
“I’m in.”
“What do you mean, you’re in?”
“I’ve got full access to the control panel. There’s a list of computers here that looks pretty serious. It’s much more than just the Dalai Lama’s office.”
It started as an experiment, another wild hunch. We had been working with computer hackers and field researchers the world over for years, picking up the digital trails left by state officials and a slew of bad guys. But this was different. It was January 2009, and Nart Villeneuve, the then thirty-four-year-old lead technical researcher at the Citizen Lab, had made an extraordinary breakthrough. “I’m in,” he whispered into the phone from his workstation, and when I asked how, he said, “I just Googled it.”
So began the story of GhostNet. Villeneuve’s finding – twenty-two characters typed into Google – turned out to be our Rosetta Stone, our key to eventually uncovering an espionage network affecting more than 100 countries and targeting ministries of foreign affairs, embassies, and other state agencies, international organizations, businesses, and global media outlets. My world would never be the same.
The GhostNet investigation had begun months earlier, when Greg Walton, one of our field researchers, learned of persistent concerns about computers being hacked into at the Dalai Lama’s headquarters. Walton knew northern India well, had lived in the small town of Dharamsala, where the Tibetan Government-in-Exile, Tibetan NGOS, and the Office of His Holiness the Dalai Lama are located. The Tibetan community in exile had long suspected that their computers were being monitored by the Chinese government. While attempting to cross the border into China, people doing advocacy work on behalf of Tibet were detained, interrogated, and presented with transcripts of their private chat and email messages. Although it is possible – in fact, likely – that the Chinese government pressured companies to modify their products to provide them with backdoor access or to simply turn over user data upon request, it is also possible that the Tibetans had their computers compromised at source. Foreign government officials planning to visit the Dalai Lama, or to meet with him privately when he travelled to their countries, had been told by China to stand down, not to meet him. But the issue now was: how did Chinese authorities know in advance that this or that meeting between the Dalai Lama and foreign sympathizers was to take place?
When presented with the idea of the Citizen Lab checking into this matter, Tibetan officials agreed to turn over their machines for inspection. It was a serious decision, as we would be given unrestricted access to computers at the Office of His Holiness the Dalai Lama, the Tibetan Government-in-Exile, and Tibetan NGOS in Dharamsala, New York, Brussels, and London. Although the Dalai Lama himself liked to point out publicly that they “had no secrets,” his office and those of other Tibetan organizations handled sensitive communications, including private correspondence and information about travel schedules. They took a risk working with us, one that paid off in the end.
• • •
Cyber espionage is a dark art, widely speculated about but rarely examined in the light of day. There have been cases of state cyber spying reported on in the media, but too often key pieces of evidence were either missing or, more likely, locked down in the secret chambers of the world’s leading intelligence agencies. “Titan Rain,” a huge compromise of American military and intelligence agencies and companies, was an exception between 2003 and 2006, and suspicions ran high that it was orchestrated by China-based hackers doing dirty work for their government. The Chinese government was almost certainly connected in some manner to what we unearthed too, and once the cat was out of the bag there would be international diplomatic furor.
While the Citizen Lab had been analyzing and exposing strange goings-on in cyberspace for years, the GhostNet investigation was unprecedented, the scope of the pilfering extraordinary. Computers based in the Dalai Lama’s headquarters and Tibetan organizations were compromised, but so too were those in foreign government agencies, and in international organizations, companies, and media outlets the world over. Included among the victims were the ministries of foreign affairs in Iran, Bangladesh, Latvia, Indonesia, the Philippines, Brunei, Barbados, and Bhutan, and the embassies of India, South Korea, Indonesia, Romania, Cyprus, Malta, Thailand, Taiwan, Portugal, Germany, and Pakistan. Computers at the UN and ASEAN, and an unclassified computer located at NATO headquarters, were also attacked, as was the prime minister’s office in Laos. One remarkable breach was of the mail server at the Associated Press office in Hong Kong, giving the GhostNet attackers access to emails sent to and from AP in Hong Kong containing information about stories before they were published.
For months we had a bird’s-eye view of the attackers’ command-and-control network, could see everything they were doing. They had made the mistake of not password-protecting all of their computer directories, assuming that no one would be able to access them if they were not linked to publicly. But Villeneuve spotted that string of twenty-two characters used repeatedly in the networking traffic collected from Tibetan organizations’ computers, and on a hunch he copied then Googled it. Two results came up for obscure websites based in China, and he was then able to map almost all of the command-and-control infrastructure of the attackers, allowing us to see inside their operations without their knowledge. For weeks we watched transfixed, while an ever-expanding list of victims had their computers tapped, as cyber espionage on a massive scale unfolded in real time. We were able to isolate an individual at the Indian embassy in Washington, D.C., whose computer had been compromised by correlating data from the attacker’s web interface with open-source information via Google, and this led us to his bio and contact information website. We thought about calling him with a warning – unplug your computer now! – but decided against doing so because we were concerned about tipping off the attackers. Better to analyze all of the data first, we thought. We were inside an international spy operation, the attackers and their hundreds of victims had no idea, and yet we were also, in our own way, engaging in a kind of cyber espionage.
We set up a sting operation by infecting an isolated computer at the Citizen Lab, our “honeypot,” with the same trojan horse – a program in which malicious code is contained inside apparently harmless data – used by the attackers. Then we waited. A few days later our honeypot lit up. A visitor was poking around. He came and went quickly, but stayed just long enough for us to see that he was connecting from a digital subscriber line (DSL) through an IP address on Hainan Island, the same location as one of the command servers, which happened to be a government of Hainan computer. Hainan Island is home to the Lingshui signals intelligence facility and the Third Technical Department of the Government of China’s People’s Liberation Army (PLA). Established in the 1960s, and upgraded substantially in the 1990s, the signals intelligence facility is staffed by thousands of analysts, and its primary mission is to monitor U.S. naval activity in the South China Sea. (It’s a big island, to be sure, but that a signals intelligence facility of some renown happens to
be located there is intriguing.)
The tool used to hack into government agencies, media outlets, and others, was a trojan called Ghost RAT that gave the attackers the ability to remove any file from the computers under their control. (RAT stands for “remote access trojan.”) We had seen this through Greg Walton’s monitoring of the network traffic of Tibetan organizations – connections were then made to China-based IP addresses, hidden from view, and sensitive documents were plucked right out from under the noses of unwitting computer users. Ghost RAT also gave the attackers the ability to record every keystroke entered into the infected computers, capture all passwords and encrypted communications, and turn on audio and video capture devices. Effectively, it could turn the machines under their control into wiretaps.
Remarkably, most of the GhostNet spying capabilities are freely available through an open-source network intrusion tool, the same Ghost RAT that anyone, to this day, can download from the Internet. With widely available and easy-to-access tools like Ghost RAT we have entered the age of do-it-yourself cyber espionage.
• • •
“Who done it?” The obvious answer was China. The geographic locations of most victims formed a crescent moon around China’s southern flank and read like a who’s who of its most important strategic adversaries: Tibetans, Russians, Iranians, Vietnamese, and so on. We had something of a smoking gun with the Hainan Island sting, but we needed to be sure, needed to articulate precisely how these types of attacks could be launched by just about anyone, and, perhaps most importantly, by people who might have an interest in making it look as if the Chinese government was responsible. Having gained access to the attackers’ command-and-control interfaces would have allowed us, for instance, to infiltrate the same organizations, and no one would have been the wiser. We had a list of the compromised computers and knew where the vulnerabilities lay. It would have been easy for us to commandeer those computers, and there were many agencies that would pay for access to, say, the Iranian foreign affairs ministry or the Indian embassy in Washington. (Later, I would meet computer security engineers who had monetized that type of access and knowledge, selling information about specific target vulnerabilities to, presumably, law enforcement and intelligence agencies for a king’s ransom.) Although the attacks emanated from China’s Internet space they could have originated from a garage in New Jersey. In fact, one of the command servers was in the United States. In short, GhostNet could have been orchestrated and controlled by anyone, anywhere.
Cyber security has long been highly politicized and dozens of government agencies and transnational corporations have their irons in the fire, and are salivating at ever-increasing defence budgets for Internet surveillance. There is considerable vested self-interest in inflating the threat, and during our GhostNet probe (and ever since) our efforts have been to ensure accuracy and to establish a standard. Universities have a special role to play as stewards of evidence-based, impartial research on cyber security, and we needed to ensure that the GhostNet report weighed all of the available evidence as impartially as possible.
In the end, Tracking GhostNet: Investigating a Cyber Espionage Network, chronicled a landmark case in cyber espionage. The scope and importance of the victims, sophistication of the attack (given the negligible resources used to pull it off), detailed exposure of what was going on beneath the surface and, finally, the shock of such widespread infiltration made it so. We are used to our computers being windows onto the world. With GhostNet, we argued that “it is time to get used to them looking back at us.”
• • •
“It’ll be on the front page,” John Markoff of the New York Times told me hours before the GhostNet story appeared, and he was right. It was above the fold on Sunday, March 29, 2009, and soon thereafter became one of the top news stories in the world. The University of Toronto’s media relations office was overwhelmed. There were satellite trucks parked outside of the Munk School of Global Affairs, where we are based, cameras everywhere, and I experienced my first media scrum. Later, I had to switch off my mobile phone because it never stopped ringing, and eventually I had to change my number altogether. While I was at the Citizen Lab, my home phone was barraged with calls; our children fielding messages in the early mornings from reporters in Europe and Asia just as confused as they were. There were surreal moments watching the Dalai Lama on television being asked to comment on our report, and Chinese government officials dismissing us as liars. Liu Weimin, the spokesman for the Chinese embassy in London, said the report was part of the Dalai Lama’s “media and propaganda campaign,” while foreign ministry spokesman Qin Gang said that we were haunted by a “Cold War ghost” and suffered from a “virus called the China threat.”
“We have no secrets to hide,” the Dalai Lama told CNN. “They should spy more, then they would know what we are doing.” He soon got his wish. A few months later, our group (working this time with the U.S.-based volunteer computer security group, the Shadowserver Foundation) revisited the GhostNet campaign and returned to the Dalai Lama’s headquarters to re-examine their computers. We found that they were thoroughly compromised, again, this time by a different China-based espionage campaign. We dubbed it the Shadow Network, “Shadows” for short. Although Shadows was largely restricted to India-related victims, this time we were able to recover copies of data stolen by the attackers as they were being removed from victims’ computers. They had exfiltrated documents marked “Secret” from the Indian national security agency, private business information from Indian defence and intelligence contractors, and a year’s worth of the Office of His Holiness the Dalai Lama’s official and private correspondence with citizens, world leaders, and religious figures.
The GhostNet and Shadows probes (Shadows was also covered extensively in the media) exposed us to a subterranean world of political intrigue, but our findings were not entirely unexpected. We had been gathering evidence for nearly a decade, lifting the lid on the Internet and tracking a contest for the future of cyberspace that was becoming more intense with each passing year. The signposts were clear: cyberspace was changing fast, and not necessarily for the better.
2.
Filters and Chokepoints
“I have no idea what the Internet is!”
—Hayastan Shakarian, aged seventy-five
On March 28, 2011, the Internet went down in Georgia. For nearly twelve hours citizens had no access to Twitter, Facebook, their favourite YouTube videos, or their primary sources of news and online information. They could not access their online bank accounts or send emails. An information darkness had descended on the Eurasian country. The culprit? A nasty computer virus? Another Russian invasion? The latter would not be out of the question. Three years earlier, Georgia’s Internet was brought to a halt as Russian ground troops invaded the territorial enclave of South Ossetia, the country’s most contested region. Acting in support of the Motherland, scores of patriotic Russian hackers bombarded the Georgian Internet with a massive DDOS attack. It overwhelmed Georgian computers, including the government’s websites and the country’s banking and 911 systems.
As it turned out, the reason the Georgian Internet went dark this time around had to do with a seventy-five-year-old woman named Hayastan Shakarian, a “poor old woman” who had “no idea what the Internet is.” She had been scavenging for firewood and old copper and accidentally cut a fibre-optic cable running parallel to a railway line, severing a key Internet connection. The effect was not limited to Georgia: because of how routing was configured in the region, Ms. Shakarian’s inadvertent action also shut down the Internet in neighbouring countries. Ninety percent of Armenia’s private and business Internet users were cut off, as were many in Azerbaijan.
• • •
What is cyberspace? Ask most people this question and they simply shrug: for them it remains a mysterious and technological unknown that “just works.” The term cyberspace was coined in the early 1980s by science fiction writer William Gibson, who defined it as a “co
nsensual hallucination,” and that, indeed, is how it often seems. When we log onto Twitter or Facebook through our laptops or mobile phones, we enter into what feels like an ethereal world divorced from physical reality. Our thoughts about cyberspace – if indeed these can be characterized as thoughts at all –generally begin and end with the screen in front of us. We send an email and within seconds it magically appears on a friend’s BlackBerry or laptop. We text a message and it is instantly received by a colleague on the other side of the world. We start up a video on YouTube and seconds later it is streaming in high definition. We take this for granted, don’t even really think about it.
But what happens in those nanoseconds as the transmission of movies or emails or Internet searches are completed? Information travels at the speed of light, and the processing power of computers is astonishingly fast. It is almost impossible to grasp that the moment a text message is sent thousands of kilometres away the information is transmitted through a complex physical infrastructure spanning multiple political jurisdictions, thousands of private companies and public entities, and numerous media of communication, from wireless radio to fibre-optic cables, like the one Hayastan Shakarian accidentally severed in Georgia.
What if it were possible to overcome the laws of space and time and follow that email, text, or tweet? What would we see? Where does the data go? Who has access to it? What happens beneath the surface of cyberspace that we don’t see? Although cyberspace may seem like virtual reality, it’s not. Every device we use to connect to the Internet, every cable, machine, application, and point along the fibre-optic and wireless spectrum through which data passes is a possible filter or “chokepoint,” a grey area that can be monitored and that can constrain what we can communicate, that can surveil and choke off the free flow of communication and information.
Black Code: Inside the Battle for Cyberspace Page 3