Chinese analysts have dismissed claims that nearly 1,300 computers in more than 100 countries have been attacked as part of a cyber-espionage network.
Reports began to circulate on Sunday of computers being infected with software that allows attackers to gain complete control of them. One report was issued by the University of Toronto's Munk Center for International Studies in conjunction with the Canada-based think tank ‘The SecDev Group’; the second came from the University of Cambridge Computer Laboratory.
Researchers dubbed the cyber-espionage network ‘GhostNet’, as the Canadian report claimed that the network can not only search a computer, but also see and hear the people using it. Both reports found links to computers in China, but the researchers did not conclude who they thought was behind the malware.
The Canadian report claimed: “GhostNet is capable of taking full control of infected computers, including searching and downloading specific files, and covertly operating attached devices, including microphones and web cameras.”
Meanwhile the Cambridge report claimed that attacks against the Office of the Dalai Lama were launched by ‘agents of the Chinese government’. Authors Shishir Nagaraja and Ross Anderson said: “The attackers took the trouble to write emails that appeared to come from fellow Tibetans and indeed from co-workers.” Once the attackers gained an initial foothold, “they also stole mail in transit and replaced the attachments with toxic ones.”
According to a report in The Independent, the network included compromised computers from the ministries of foreign affairs of Iran, Bangladesh, Latvia and Indonesia, and from embassies of countries including India, South Korea, Indonesia, Germany and Pakistan.
Computers in the offices of the Dalai Lama in India, NATO, The Associated Press in Britain and Deloitte and Touche in New York were also found to be compromised.
Song Xiaojun, a Beijing-based strategy and military analyst, told China Daily, a state-run newspaper: “This is purely another political issue that the West is trying to exaggerate.”
Meanwhile Zhu Feng, a professor with the school of international studies at Peking University, added: “Cyber security has been a global issue, but this time those who see China as an emerging threat again have picked the subject as a new weapon.”
Rick Howard, director of security intelligence at iDefense, said: “It is impossible to know if this was an official attack from China. Although the threat is now publicly acknowledged, the GhostNet underscores a pattern iDefense frequently observes.
“Nearly all iDefense customers have reported attacks which arrive as .doc, .pdf or similar file format exploits which drop simple Remote Admin Tools such as Graybird, gh0st, or Bifrost. There is a nearly endless supply of Remote Admin Tools which are used in these attacks, most of which offer complete control over the victim system. The GhostNet connected back to ISPs in China, but similar targeted and semi-targeted attacks have connected to ISPs throughout the world.”
Graham Cluley, senior technology consultant at Sophos, said: “Although the research paper examining GhostNet makes interesting reading, there's one thing missing. There's no smoking gun. At no point does it gather enough evidence to prove, conclusively, that the Chinese government or the People's Liberation Army are behind the attacks. Just because Chinese computers are used in the scheme, does not mean that the Chinese authorities are behind the operation.
“I'm sure China is using the net to spy on governments and businesses overseas for commercial, diplomatic and possibly military advantage. But then I'm sure that the United States, Israel, the United Kingdom and others are doing it too. But let's not make the mistake of thinking that an investigation like this necessarily proves a country's involvement.”