2009-03-29 by Various from Wikipedia
2009-03-28 by Information Warfare Monitor from Infinitum Labs
2009-03 by Shishir Nagaraja from
Actor: GhostNet, Snooping Dragon
Names: GhostNet, Snooping Dragon
Country: China
Sponsor: State-sponsored, PLA Unit 61398 (neither of the cited 2009 reports makes this attribution; the Unit 61398 designation became public later)
Motivation: Information theft and espionage
First-seen: 2009
Description: (Information Warfare Monitor) Cyber espionage is an issue whose time has come. In this second report from the Information Warfare Monitor, we lay out the findings of a 10-month investigation of alleged Chinese cyber spying against Tibetan institutions. The investigation, consisting of fieldwork, technical scouting, and laboratory analysis, discovered a lot more. The investigation ultimately uncovered a network of over 1,295 infected hosts in 103 countries. Up to 30% of the infected hosts are considered high-value targets and include computers located at ministries of foreign affairs, embassies, international organizations, news media, and NGOs. The Tibetan computer systems we manually investigated, and from which our investigations began, were conclusively compromised by multiple infections that gave attackers unprecedented access to potentially sensitive information. (UCAM) Attacks on the Dalai Lama's Private Office: The OHHDL started to suspect it was under surveillance while setting up meetings between His Holiness and foreign dignitaries. They sent an email invitation on behalf of His Holiness to a foreign diplomat, but before they could follow it up with a courtesy telephone call, the diplomat's office was contacted by the Chinese government and warned not to go ahead with the meeting. The Tibetans wondered whether a computer compromise might be the explanation; they called ONI Asia who called us. (Until May 2008, the first author was employed on a studentship funded by the OpenNet Initiative and the second author was a principal investigator for ONI.) Also see Shadow Network.
Observed-sectors: Embassies
Observed-sectors: Financial
Observed-sectors: Government
Observed-sectors: Media
Observed-sectors: NGOs
Observed-countries: Bangladesh
Observed-countries: Barbados
Observed-countries: Bhutan
Observed-countries: Brunei
Observed-countries: Philippines
Observed-countries: Cyprus
Observed-countries: Germany
Observed-countries: India
Observed-countries: Indonesia
Observed-countries: Iran
Observed-countries: Latvia
Observed-countries: Malta
Observed-countries: Pakistan
Observed-countries: Portugal
Observed-countries: Romania
Observed-countries: South Korea
Observed-countries: Taiwan
Observed-countries: Thailand
Observed-countries: ASEAN
Observed-countries: NATO
Observed-countries: SAARC (South Asian Association for Regional Cooperation)
Observed-countries: Asian Development Bank
Observed-countries: News organizations
Tools: Gh0stnet
Tools: Gh0st RAT
Tools: TOM-Skype
Counter-operations: 2010
Counter-operations: Taken down by the Shadowserver Foundation.
Information: http://www.nartv.org/mirror/ghostnet.pdf
Information: https://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-746.pdf
Information: https://en.wikipedia.org/wiki/GhostNet
Last-card-change: 2021-05-21
Source: https://apt.etda.or.th/cgi-bin/listtools.cgi
Tactic | Technique | Use of net |
---|---|---|
Execution | T1569.002 System Services: Service Execution | The net start and net stop commands can be used in net to execute or stop Windows services. |
Persistence | T1136.001 Create Account: Local Account | The net user username password /add command can be used in net to create a local account. |
Persistence | T1136.002 Create Account: Domain Account | The net user username password /add /domain command can be used in net to create a domain account. |
Defense Evasion | T1070.005 Indicator Removal: Network Share Connection Removal | The net use \\system\share /delete command can be used in net to remove an established connection to a network share. |
Discovery | T1087.001 Account Discovery: Local Account | Commands under net user can be used in net to gather information about and manipulate user accounts. |
Discovery | T1087.002 Account Discovery: Domain Account | net commands used with the /domain flag can be used to gather information about and manipulate user accounts on the current domain. |
Discovery | T1135 Network Share Discovery | The net view \\remotesystem and net share commands in net can be used to find shared drives and directories on remote and local systems respectively. |
Discovery | T1201 Password Policy Discovery | The net accounts and net accounts /domain commands can be used to obtain password policy information. |
Discovery | T1069.001 Permission Groups Discovery: Local Groups | Commands such as net group and net localgroup can be used in net to gather information about and manipulate groups. |
Discovery | T1069.002 Permission Groups Discovery: Domain Groups | Commands such as net group /domain can be used in net to gather information about and manipulate groups. |
Discovery | T1018 Remote System Discovery | Commands such as net view can be used in net to gather information about available remote systems. |
Discovery | T1049 System Network Connections Discovery | Commands such as net use and net session can be used in net to gather information about network connections from a particular host. |
Discovery | T1007 System Service Discovery | The net start command can be used in net to find information about Windows services. |
Discovery | T1124 System Time Discovery | The net time command can be used in net to determine the local or remote system time. |
Lateral Movement | T1021.002 Remote Services: SMB/Windows Admin Shares | Lateral movement can be done with net through net use \\system\share commands to connect to Windows admin shares (such as C$ or ADMIN$) on remote systems. |
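The technique table above lists what each net sub-command does, but on a host the same commands arrive as process-creation telemetry, and the detection problem is telling a routine net view from an enumeration-and-lateral-movement sequence. The following is an added example, not code from the GhostNet report, the Cambridge paper or the ETDA card: it maps net/net1 command lines to the technique IDs in the table, flags the action techniques (account creation, admin-share connection, share-connection removal, any /add) for alerting, and raises a second alert when several distinct discovery techniques cluster on one host. The event shape (host, user, cmdline), the reduced Windows 4688 / Sysmon Event 1 form it imitates, the regex rules, the burst threshold and every sample event are assumptions constructed for the example.

```python
"""Added example: map `net`/`net1` process command lines to the ATT&CK
techniques in the table above and decide which deserve an alert.
Assumptions: events are dicts with host/user/cmdline (a reduced form of
Windows Security 4688 or Sysmon Event 1); all sample events are constructed."""
import re
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class Finding:
    technique: str   # ATT&CK ID from the table, or "net" when unmapped
    name: str
    args: str        # normalised sub-command and arguments
    alert: bool      # account creation, admin-share use, share removal, any /add


# `net` or `net1`, bare, with .exe, or as a (possibly quoted) full path; capture
# everything after it. A path separator, quote or whitespace must precede "net"
# so that e.g. dotnet.exe is not matched.
NET_RE = re.compile(r'(?:^|[\s\\/"])net1?(?:\.exe)?"?\s+(.+)$', re.IGNORECASE)

# (regex over the normalised args, technique ID, technique name). First match
# wins, so the more specific action patterns come before the discovery ones.
RULES = [
    (r"^use\s+\\\\\S+\s+/delete\b",                     "T1070.005", "Indicator Removal: Network Share Connection Removal"),
    (r"^use\s+\\\\",                                    "T1021.002", "Remote Services: SMB/Windows Admin Shares"),
    (r"^user\s+\S+(?:\s+\S+)?\s+/add\b.*\s/domain\b",   "T1136.002", "Create Account: Domain Account"),
    (r"^user\s+\S+(?:\s+\S+)?\s+/add\b",                "T1136.001", "Create Account: Local Account"),
    (r"^user\b.*\s/domain\b",                           "T1087.002", "Account Discovery: Domain Account"),
    (r"^user\b",                                        "T1087.001", "Account Discovery: Local Account"),
    (r"^accounts\b",                                    "T1201",     "Password Policy Discovery"),
    (r"^(?:group|localgroup)\b.*\s/domain\b",           "T1069.002", "Permission Groups Discovery: Domain Groups"),
    (r"^(?:group|localgroup)\b",                        "T1069.001", "Permission Groups Discovery: Local Groups"),
    (r"^view\s+\\\\",                                   "T1135",     "Network Share Discovery"),
    (r"^share\b",                                       "T1135",     "Network Share Discovery"),
    (r"^view\b",                                        "T1018",     "Remote System Discovery"),
    (r"^(?:use|session)\b",                             "T1049",     "System Network Connections Discovery"),
    (r"^(?:start|stop)\s+\S",                           "T1569.002", "System Services: Service Execution"),
    (r"^start\s*$",                                     "T1007",     "System Service Discovery"),
    (r"^time\b",                                        "T1124",     "System Time Discovery"),
]
ALERT_TECHNIQUES = {"T1136.001", "T1136.002", "T1021.002", "T1070.005"}
DISCOVERY = {"T1087.001", "T1087.002", "T1201", "T1069.001", "T1069.002",
             "T1135", "T1018", "T1049", "T1007", "T1124"}


def classify(cmdline: str) -> Optional[Finding]:
    """Technique a net command line maps to, or None if it is not a net invocation."""
    m = NET_RE.search(cmdline.strip())
    if not m:
        return None
    args = " ".join(m.group(1).lower().split())   # lower-case, collapse whitespace
    for pattern, tid, name in RULES:
        if re.match(pattern, args):
            alert = tid in ALERT_TECHNIQUES or "/add" in args.split()
            return Finding(tid, name, args, alert)
    return Finding("net", "unmapped net sub-command", args, False)


def triage(events: Iterable[dict]) -> list:
    """(host, user, Finding) for every event whose command line invokes net."""
    out = []
    for ev in events:
        f = classify(ev["cmdline"])
        if f is not None:
            out.append((ev["host"], ev["user"], f))
    return out


def discovery_bursts(triaged: list, threshold: int = 3) -> dict:
    """Hosts on which `threshold` or more distinct discovery techniques were seen.
    One net view is admin noise; several different discovery commands from the
    same host is the enumeration pattern the table describes."""
    seen: dict = {}
    for host, _user, f in triaged:
        if f.technique in DISCOVERY:
            seen.setdefault(host, set()).add(f.technique)
    return {h: sorted(t) for h, t in seen.items() if len(t) >= threshold}


# Constructed sample telemetry for the example (not real events).
SAMPLE_EVENTS = [
    {"host": "WS-017", "user": "CORP\\jdoe", "cmdline": r"net user"},
    {"host": "WS-017", "user": "CORP\\jdoe", "cmdline": r"net view /domain"},
    {"host": "WS-017", "user": "CORP\\jdoe", "cmdline": r'net group "domain admins" /domain'},
    {"host": "WS-017", "user": "CORP\\jdoe", "cmdline": r"net accounts /domain"},
    {"host": "WS-017", "user": "CORP\\jdoe", "cmdline": r"cmd.exe /c net use \\srv01\C$ /user:corp\svc_backup P@ssw0rd"},
    {"host": "SRV01", "user": "CORP\\svc_backup", "cmdline": r"C:\Windows\System32\net.exe user backup P@ssw0rd /add"},
    {"host": "SRV01", "user": "CORP\\svc_backup", "cmdline": r'"C:\Windows\System32\net1.exe" localgroup administrators backup /add'},
    {"host": "WS-017", "user": "CORP\\jdoe", "cmdline": r"net use \\srv01\C$ /delete"},
    {"host": "WS-042", "user": "CORP\\build", "cmdline": r'"C:\Program Files\dotnet\dotnet.exe" build'},
    {"host": "WS-042", "user": "CORP\\build", "cmdline": r"net start"},
]

if __name__ == "__main__":
    triaged = triage(SAMPLE_EVENTS)
    for host, user, f in triaged:
        print(f"{'ALERT' if f.alert else 'info '} {host:7} {user:18} {f.technique:10} {f.name}: net {f.args}")
    print("discovery bursts:", discovery_bursts(triaged))
```

Two design points worth noting. The rules key on the normalised arguments rather than on the image path, because net1.exe, full paths and cmd.exe /c wrappers all reach the same sub-command; the pre-"net" character class is what keeps dotnet.exe and similar names out. And the discovery techniques are deliberately not alerted one by one: they are everyday administration, so the example only escalates when several distinct ones cluster on a host, which is the order of operations (enumerate accounts, groups, shares, then net use to an admin share) that the table's entries describe.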