The Washington Times Online Edition

Chinese cyberspy network pervasive

Researchers who were asked to look at spyware covertly installed on computers in the Dalai Lama’s office stumbled across a Chinese cyber-espionage network that had infiltrated and taken over nearly 1,300 computers in embassies, government offices and other sensitive locations in more than 100 countries across the world.

According to researcher Ross Anderson, professor of security engineering at the University of Cambridge Computer Laboratory, the cyberspy ring used sophisticated social and computer-engineering techniques to trick people in the office of Tibet’s spiritual leader into downloading malicious software.

The software was attached to e-mails that purported to come from colleagues or contacts in the Tibetan movement. The software stole passwords and other information, which in turn gave the hackers access to the office’s e-mail system and documents stored on computers there.

“The intelligent and highly coordinated use of social engineering and [malicious software] techniques is extraordinarily effective,” Mr. Anderson told The Washington Times, warning that the techniques involved could easily be used by cybercriminals to victimize major companies.

“It is only a matter of time before we see [these techniques] used by cybercriminals,” he said. “The existing accounting systems of Fortune 500 companies are designed to withstand one crooked person … or one compromised computer at a time,” he added, noting that the techniques employed against the Dalai Lama’s office enable hackers to compromise entire departments’ computer networks.

After analyzing the software, Mr. Anderson and his colleagues turned their data over to researchers at the Munk Center for International Studies at the University of Toronto, who publish the Information Warfare Monitor, an online journal. On Sunday, in coordination with the New York Times, the Monitor published its findings.

The Toronto team tracked the data that the compromised computers in the Dalai Lama’s office were sending back to command-and-control servers in China, and stumbled across unencrypted data identifying nearly 1,300 computers in 103 countries as compromised, 113 of them in the U.S.

The list of affected offices includes media organizations, dozens of embassies, ministries of foreign affairs and other government departments, mainly in South and Southeast Asia.

“There is no doubt that this is a Chinese state actor at work,” Mr. Anderson said. “There is a lot of concurrence between what we found on the ground and what is known about Chinese information-warfare capabilities and doctrine … The targets are a very good fit with Chinese strategic intelligence priorities.”

The Toronto researchers declined to be so definite about who was behind the attacks.

“We must be cautious to rush to judgment, in spite of circumstantial and other evidence, as alternative explanations are certainly possible, and charges against a government of this nature are gravely serious,” reads their report.

Former senior U.S. cybersecurity official Greg Garcia was similarly cautious, telling the Times that “attribution is a hall of mirrors.”

“There are a whole range of complex technical and other questions that have to be resolved … before you start pointing fingers,” said Mr. Garcia, who was assistant secretary for cybersecurity and communications at the Department of Homeland Security from October 2006 to last December.

He said it was the prevalence of such threats “from all over the world” that led the Bush administration to launch the Comprehensive National Cyber Initiative last year. “Congress and the Obama administration need to use that momentum and accelerate funding and implementation,” he said. “This is a race being run on Internet time.”
