Report: India targeted by spy network

Targeted attacks, social networks, and malicious PDFs found in spy network that researchers say has links to China.

Elinor Mills Former Staff Writer
Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service and the Associated Press.
Elinor Mills
3 min read

Researchers have uncovered a spy network that stole classified and other sensitive documents from the Indian government, the Dalai Lama's office, the United Nations, and compromised computers elsewhere, according to a report released on Tuesday.

The operation, dubbed "Shadow Network," is detailed in a report that also cites evidence it says links the Shadow network to two people living in Chengdu, China, and the underground hacking community in that country.

The report is based on research from volunteers at the U.S.-based Shadow Server Foundation and Information Warfare Monitor, which includes researchers from the Citizen Lab at the University of Toronto's Munk School of Global Affairs and the SecDev Group, an Ottawa-based consultancy.

The researchers had uncovered another spy network, dubbed Ghost Net, last year that targeted the Dalia Lama as well as government agencies and nongovernmental organizations in other countries. That investigation led to the Shadow Network report.

This screenshot shows a sensitive document being uploaded to a command and control server researchers monitored for the Shadow Network report. Shadows in the Cloud: Investigating Cyber Espionage 2.0

Cyber-espionage has been going on for years, but interest has increased with the news that Google and more than 30 other U.S. companies were targeted in computer attacks last year and Gmail users who were human rights activists were also targeted by spies.

For the Shadow Network report, the researchers spent eight months spying on the spies, grabbing copies of data that was stolen from compromised computers from the spy network's command and control servers, and analyzing the malware.

The data stolen from the compromised agencies includes about 1,500 letters sent from the Dalai Lama's office between January and November 2009, reports on missile systems in India, and documents related to NATO force movements in Afghanistan.

"We have no evidence in this report of the involvement of the People's Republic of China (PRC) or any other government in the Shadow Network. But an important question to be entertained is whether the PRC will take action to shut the Shadow Network down," the report says. "Although the identity and motivation of the attackers remain unknown, the report is able to determine the location (Chengdu, PRC) as well as some of the associations of the attackers through circumstantial evidence."

Officials in India told The New York Times that they were looking into the report. Officials in Beijing denied any involvement in attacks detailed in the report, according to the newspaper and the state-run Xinhua news agency.

In the targeted attacks, individuals at the agencies affected received e-mails that led to malware and most of the malware samples collected by the researchers were PDFs that exploited holes in Adobe Acrobat and Reader, the report said. Accounts on Twitter, Yahoo Mail, Google Groups, Blogspot and other social-networking sites were used to update compromised computers and to host malware, according to the report.

"The people behind the Shadow attacks used a variety of exploits and file types to compromise their victims. We observed the group using PDF, PPT, and DOC file formats to exploit Adobe Acrobat and Acrobat Reader, Microsoft Word 2003 and Microsoft PowerPoint 2003. The themes of their attacks appear to involve topics that would likely be of interest to the Indian and Tibetan communities," the researchers wrote.

"We were able to obtain dozens of exploit files that were used by the attackers when targeting their victims," the report said. "The Microsoft Word 2003 and PowerPoint 2003 files were mostly older exploits, which have been circulating in the underground hacker community for some time. The PDF files, on the other hand, took advantage of much more recent exploits at the time of their use. We observed them using PDF files that exploited CVEs 2009-0927, 2009-2990, and 2009-4324 within a few weeks or months of the vulnerability being first patched."

In addition, the exploits used in the attacks were not generated from freely available tools or publicly posted code, but appeared to have access to kits that allow the attackers to create exploit files on the fly that install the malware, the researchers found.