
What was Chinese GhostNet looking for in Venezuela’s servers?

March 29, 2009

Yesterday, the New York Times carried an article about a study done by a Canadian Research Center, the Munk Centre, on a cyber espionage network originating in China which they dubbed GhostNet. The study was carried out for ten months and started by looking at cyber spying into Tibetan institutions. You can find the report, which came out today, here. It’s really fascinating.

What the researchers did was not only to study the fact that computers were being penetrated; their investigation also led them to uncover four web-based control centers, used to direct the spying, that were left unsecured. These control centers were used by GhostNet to attack the servers and collect information from them. The investigators even learned how to operate these controls.

The researchers came up with evidence that at least 1,295 computers in 103 countries had been compromised, most of them in Asia and 30% of them in what they classified as “high value” including ministries of foreign affairs in many countries, as well as Embassies and other Governmental institutions.

GhostNet could take full control of computers, look for files and could even operate devices attached to the servers.

What was really intriguing, and at least two of the readers of this blog sent me emails noting it, was that when you looked at the graph accompanying the New York Times article, an inordinate number of attacked computers were in Venezuela:


Note how the largest density of computers is based in Asia, there are some in the US and Europe, but, for example, the number of affected computers in Venezuela is comparable to that of Europe, which certainly seems large.

On page 42 of the report, you can see that 8 CANTV computers were infected. Since half of the country's traffic and most of the Government's traffic goes through CANTV servers, it is difficult to know precisely what was attacked.

The report stops short of saying that the Chinese Government is behind GhostNet, but the insistent attacks on Tibetan computers, together with the high value, from both a political and an economic standpoint, of some of the servers invaded, suggest that the Chinese Government is behind the spying. The report does say that this could have been a random attack in which a good fraction of the targets happened to be sensitive servers, but this seems to be more of a political statement than anything else.

But in either case, the number of Venezuelan computers seems inordinate both geographically and in the number attacked, given the relative importance of Venezuela in Chinese political, economic and military strategy.

Which leads us to ask: What was GhostNet looking for in Venezuela’s computers? Were they looking for oil information, given China’s interest in the country’s oil, or were they more interested in military or political matters?

If this attack had been based in the US, by tomorrow we would have the Dictator and his cohorts screaming bloody murder about the CIA, the empire and the devil. But given that it was their Chinese buddy-buddies, I will bet that when the Venezuelan Government learns about it, there will be little noise about it, and to hell with the country's sovereignty if it helps keep a strategic relationship alive and on good terms.

(Thanks P and J for the heads up!)