April 6, 2010
TORONTO, ON – The Information Warfare Monitor (Citizen Lab, Munk School of Global Affairs, University of Toronto and the SecDev Group, Ottawa) and the Shadowserver Foundation announce today the release of Shadows in the Cloud: An investigation into cyber espionage 2.0.
The report documents a complex ecosystem of cyber espionage that systematically targeted and compromised computer systems in India, the Offices of the Dalai Lama, the United Nations, and several other countries.
Members of the research team are holding a news conference at 11 a.m. on Tuesday, April 6, to discuss their latest findings and to answer questions from the media. The news conference will be held at the Campbell Conference Facility, Munk Centre for International Studies, 1 Devonshire Place, Toronto, (416-946-8900). The event will also be webcast live at: http://hosting.epresence.tv/MUNK/1/live/148.aspx
A pdf of the full report can be found at: http://shadows-in-the-cloud.net/
NOTE: Reporters unable to attend the news conference may e-mail questions during the event to firstname.lastname@example.org. The questions will be relayed to the panel for response.
The investigation recovered a large quantity of stolen documents – including sensitive and classified materials – belonging to government, business, academic, and other computer network systems and other politically sensitive targets. These include documents from agencies of the Indian national security establishment, and the Offices of the Dalai Lama. The stolen data included information voluntarily provided to Indian embassies and consulates by third-party nationals, including Canadian visa applications, as well as those belonging to citizens of other countries. Additionally, sensitive personal, financial, and business information belonging to Indian officials was systematically harvested and exfiltrated by the attackers.
The report analyzes the malware ecosystem employed by the Shadows’ attackers. The system leveraged multiple redundant cloud computing systems, social networking platforms, and free web hosting services in order to maintain persistent control while operating core servers located in the People’s Republic of China (PRC). Although the identity and motivation of the attackers remain unknown, the report provides evidence that the attackers operated or staged their operations from Chengdu, PRC.
Summary of main findings:
About the Researcher Collaboration:
This investigation is a result of a collaboration between the Information Warfare Monitor and the Shadowserver Foundation. The Information Warfare Monitor (infowar-monitor.net) is a joint activity of the Citizen Lab, Munk School of Global Affairs, University of Toronto, and the SecDev Group, an operational consultancy based in Ottawa specializing in evidence-based research in countries and regions under threat of insecurity and violence. The Shadowserver Foundation (shadowserver.org) was established in 2004 and is comprised of volunteer security professionals that investigate and monitor malware, botnets, and malicious attacks. Both the Information Warfare Monitor and the Shadowserver Foundation aim to inform the field of cyber security through accurate, evidence-based assessments and investigations
Principal Investigators’ Bio and Comments:
Steven Adair is a security researcher with the Shadowserver Foundation. He frequently analyzes malware, tracks botnets, and deals with cyber attacks of all kinds with a special emphasis on those linked to cyber espionage.
“This report is a fascinating look at the activities of individuals involved in cyber espionage. It is unfortunately just a small piece of a very big pie. This is a problem that goes well beyond those detailed in this report and affects organizations and missions of all sizes all over the globe.”
Ron Deibert is Director of the Citizen Lab at the Munk School of Global Affairs, University of Toronto. He is a co-founder and principal investigator of the OpenNet Initiative and Information Warfare Monitor. He is Vice President, Policy and Outreach, Psiphon Inc., and a principal with the SecDev Group.
“It is often said that dark clouds have silver linings. What the Shadow report shows is that the social media clouds of cyberspace we rely upon today have a dark, hidden core. There is a vast, subterranean ecosystem to cyberspace within which criminal and espionage networks thrive. The Shadow network we uncovered was able to reach into the upper echelon of the Indian national security establishment, as well as many other institutions, and extract sensitive information from unwitting victims. Networks such as these thrive because of a vacuum at the global level. Governments are engaged in a competitive arms race in cyberspace, which prevents cooperation on global cyber security. For its part, the Canadian government has neither a domestic cyber security strategy nor a foreign policy for cyberspace. The Shadow report should offer a wakeup call that rectifies this situation, or we may find that we are the next victim of the Shadows and GhostNets of cyberspace.”
Rafal Rohozinski is CEO of the SecDev Group and Psiphon Inc. He is a co-founder and principal investigator of the OpenNet Initiative and Information Warfare Monitor, and a senior research advisor at the Citizen Lab, Munk School of Global Affairs, University of Toronto.
“Cyber espionage has gone industrial. We are witnessing cloud-based techniques and tradecraft from cybercrime being repurposed to target government systems and computers belonging to officials entrusted with state or commercial secrets. Whether the attackers are working for state agencies, or freelancing and selling stolen data or tradecraft on the global graymarket – this report is a clear wake-up call that the threat of advanced persistent threats is very real and requires measured international action. First and foremost, we need an agreement on the norms that should govern cyberspace similar to the treaties we presently have for outer space, the sea or other domains where we have international agreements. We must take care to preserve the openness of the global commons without precipitating an overreaction that could diminish or even roll back the very real gains in knowledge, empowerment, and to democratization that cyberspace has catalyzed over the last 20 years. We must balance the need to create policies and practices appropriate to information security in a global networked age, while preventing unnecessary overreaction to what we fear as the dark side of the net.”
Nart Villeneuve is the Chief Security Officer at the SecDev Group, Director of Operations of Psiphon Inc. and a senior SecDev research fellow at the Citizen Lab at the Munk School of Global Affairs, University of Toronto where he focuses on electronic surveillance, targeted malware and politically motivated digital attacks.
“There is no direct evidence linking these attacks to the Chinese government. We look forward to working with China CERT to shut down this malware network.”
Greg Walton conducted and coordinated the primary field-based research for the Shadow investigation in His Holiness The Dalai Lama’s Office and the Tibetan Government-in-Exile in Dharamsala, India. Greg is a SecDev Group associate and editor of the Information Warfare Monitor website. He is the SecDev Fellow at the Citizen Lab at the Munk School of Global Affairs, University of Toronto.
For more information, please contact:
University of Toronto media relations