Monday, May 4, 2009

GhostNet Spy Network Phishes International Victims
by Chuck Miller, SC Magazine

A cyberespionage network, known as GhostNet, possibly operating out of China, is making use of malicious websites and phishing emails to take control of hundreds of sensitive government machines across 103 countries, researchers revealed this weekend.

A pair of Canadian researchers at the Munk Center for International Studies at the University of Toronto said GhostNet struck "high-value targets," such as foreign embassies and ministries, and even a NATO network. So far, some 1,300 computers have been compromised and placed under the control of servers that trace back to China. The researchers, Ron Deibert and Rafal Rohozinski, released their 53-page report Sunday after 10 months of investigation.

"The attacker(s) are able to exploit several infection vectors," the researchers wrote. "First, they create web pages that contain drive-by exploit code that infects the computers of those who visit the page. Second, the attacker(s) have also shown that they engage in spear phishing in which contextually relevant emails are sent to targets with PDF and DOC attachments."

In the spear-phishing attacks, when the malicious attachments are opened, they plant backdoors that "cause the infected computer to connect to a control server and await further instructions," the researchers wrote. The compromised machines can then be directed to download and install a remote administration trojan.
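The check-in behaviour described above, an implant that connects to a control server and waits for instructions, is what a network defender can hunt for even when the attachment itself was not caught: a waiting implant checks in at a near-fixed interval, while human-driven traffic does not. The script below is an added example for this page, not code from the SC Magazine article or from the GhostNet report; the log format, hostnames and addresses it reads are constructed for illustration, and the thresholds (`min_hits`, `max_cv`) are assumed values a practitioner would tune to their own environment.

```python
"""Beacon detection over constructed proxy log lines.

Added example, not part of the SC Magazine article or the GhostNet report.
The log format, hosts and addresses below are constructed for illustration.
Infected hosts that 'connect to a control server and await further
instructions' tend to check in at a near-fixed interval; this flags
source/destination pairs whose connection timing is too regular.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample: "timestamp src dst bytes_out" (not real GhostNet traffic).
# 10.1.1.7 checks in every ~31 s; 10.1.1.9 is irregular, browsing-like traffic.
SAMPLE_LOG = """\
2009-03-29T09:00:00 10.1.1.7 198.51.100.23 512
2009-03-29T09:00:31 10.1.1.7 198.51.100.23 498
2009-03-29T09:01:02 10.1.1.7 198.51.100.23 507
2009-03-29T09:01:33 10.1.1.7 198.51.100.23 511
2009-03-29T09:02:04 10.1.1.7 198.51.100.23 502
2009-03-29T09:02:34 10.1.1.7 198.51.100.23 509
2009-03-29T09:00:05 10.1.1.9 203.0.113.8 14000
2009-03-29T09:03:40 10.1.1.9 203.0.113.8 2300
2009-03-29T09:11:12 10.1.1.9 203.0.113.8 9100
2009-03-29T09:12:01 10.1.1.9 203.0.113.8 600
2009-03-29T09:20:45 10.1.1.9 203.0.113.8 7700
2009-03-29T09:27:03 10.1.1.9 203.0.113.8 1200
"""


def parse_log(text):
    """Return {(src, dst): [timestamps]} from the constructed log format."""
    flows = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, _bytes_out = line.split()
        flows[(src, dst)].append(datetime.fromisoformat(ts))
    return flows


def beacon_score(timestamps):
    """Coefficient of variation of the gaps between consecutive connections
    (0.0 means perfectly periodic). Returns (mean_gap_seconds, cv), or None
    when there are too few samples to say anything."""
    if len(timestamps) < 4:
        return None
    times = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    avg = mean(gaps)
    if avg == 0:
        return None
    return avg, pstdev(gaps) / avg


def find_beacons(text, min_hits=5, max_cv=0.2):
    """Flag (src, dst) pairs with at least min_hits connections whose timing
    jitter (cv) is below max_cv. Both thresholds are assumed starting values;
    tune them against known-good traffic before relying on the output."""
    hits = []
    for (src, dst), stamps in parse_log(text).items():
        score = beacon_score(stamps)
        if score is None or len(stamps) < min_hits:
            continue
        avg, cv = score
        if cv <= max_cv:
            hits.append({"src": src, "dst": dst, "count": len(stamps),
                         "interval_s": round(avg, 1), "cv": round(cv, 3)})
    return hits


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print(hit)
```

On the constructed sample only the 10.1.1.7 to 198.51.100.23 pair is reported (six connections about 30.8 s apart, jitter near zero); the second host's gaps vary too widely to pass. A real deployment would feed this from proxy or NetFlow records and add allow-listing for software updaters, which also beacon regularly.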

"Some of the things they did indicate that they were very sophisticated," Phil Neray told SCMagazineUS.com. "The machines were told to send the data stolen using a Tor network in an encrypted form. Also, the way the trojans communicated with the command servers made use of a complex control program that enabled them to completely control users' PCs [including erasing all logs]."

The GhostNet operation is still operating and continues to hit more than a dozen additional computers per week, according to the University of Toronto researchers.
