Lungren: Tibet Provides a Cautionary Tale
A threat is a communicated intent to inflict harm or loss on another. Unlike the many physical threats that mankind has engineered over the centuries to project individual, tribal or national dominance, the cyberthreat relies on a new medium — cyberspace.
Cyberspace is the interdependent network of information technology infrastructures, including telecommunications networks, computer systems and the Internet. The cyberthreat is not a threat to individuals but to their digital surroundings — which, if destroyed, could have catastrophic consequences. Digital networks in the United States now underlie our power grid, military infrastructure, banking, telecommunications and transportation systems. While this sophisticated digital infrastructure makes our economy and military the strongest in the world, it also makes us uniquely vulnerable to attack through cyberspace.
The former director of national intelligence, Dennis Blair, testified to Congress in February that “malicious cyber-activity is growing at an unprecedented rate” and that our country’s efforts to defend against cyber-attacks “are not strong enough.” Shortly after this assessment, Blair’s predecessor as intelligence chief, Mike McConnell, wrote, “The United States is fighting a cyber war today and we are losing.” Earlier this year, FBI Director Robert Mueller also warned of the growing cyberthreat: “They seek our technology, our intelligence, our intellectual property, even our military weapons and strategies.”
This worldwide cybernetwork provides a pipeline for continuous attack by malicious actors or nation-states intending to steal sensitive personal, financial and corporate data and even state secrets. In order to defend against this growing cyberthreat, we need to better understand its dimensions, risks and consequences. The following case study of alleged cyber-espionage against the Tibetan community, which was uncovered by the Information Warfare Monitor and its investigators in 2008 and 2009, describes the gravity of the cyberthreat.
This case study led all the way to the private office of the Dalai Lama and the Tibetan government-in-exile, and it is a revealing exposé of the inner workings of a cyber-attack. After representatives of the Dalai Lama inquired about the potential threat to their computer security, network monitoring software was installed by the IWM to collect forensic technical data. This initial analysis confirmed the existence of malware — malicious software — and the transfer of information between infected computers and a number of control servers. These control servers were identified and geolocated on the island of Hainan in the People’s Republic of China.
The Office of His Holiness the Dalai Lama provides secretarial assistance and is responsible for all diplomatic, governmental and personal correspondence. It is the hub of the Tibetan movement and continuously transmits and receives extremely sensitive data over its computer network. The infected computer in the Dalai Lama’s office was compromised with malware that was actively communicating with control servers on an IP address assigned to Hainan-TELECOM in China. This investigation uncovered several documents being exfiltrated from the computer network and uploaded to these control servers, including documents containing thousands of e-mail addresses and one detailing the Dalai Lama’s Sino-Tibetan negotiating position.
The Tibetan government-in-exile was also compromised by malware that sent communications to and received communications from control servers. The follow-up investigation led to the discovery of nonsecure, Web-based interfaces to four control servers, which allow attackers to send instructions and receive data from compromised computers. This investigation uncovered the existence of a malware-based cyber-espionage network called GhostNet with an operational reach well beyond Tibetan targets. It is estimated that GhostNet controls at least 1,295 infected computers in 103 countries with many focused on high-value diplomatic, political, economic and military targets.
This GhostNet system directs infected computers to download a Trojan horse known as ghOst RAT that allows attackers to gain complete, real-time computer control. Once compromised, the files located on infected computers were mined for contact information and used to spread malware through e-mail and document attachments that appear to come from legitimate sources. GhostNet computers can also search and download specific files, as well as secretly operate attached devices, including microphones and webcameras. GhOst RAT is also being spread through commercial Internet access accounts located on the island of Hainan.
The discovery of GhostNet is a gripping reminder of the serious cyberthreat that we face in our digital world. It demonstrates the ease of introduction and the reach of computer-based malware and how it can be used to build an extensive low-cost intelligence capability. It also demonstrates the potential cyberthreat to U.S. critical infrastructure (power grid, dams, telecommunications and transportation), which often operates on digital control systems. The cyberthreat is real, and we must bring greater urgency to securing our critical infrastructure from this growing cyber-exploitation.
Rep. Dan Lungren (R-Calif.) is the ranking member on the Homeland Security Subcommittee on Emerging Threats, Cybersecurity and Science and Technology.