Classified documents were stolen from high levels of the Indian government by hackers over the course of several months, according to a report released on Monday night by researchers from the University of Toronto.
The researchers, from the Citizen Lab at the Munk Centre for International Studies, traced the botnet (a network of compromised computers) used in the attacks to hackers based in China, but say there isn’t any evidence linking the activity to the Chinese government. Their report reveals how the hackers made sophisticated use of social media sites to control their botnet, making it much harder to trace and shut down.
The compromised documents included confidential assessments of India’s international relations with West Africa and the Middle East, visa applications, and personal information concerning a member of the Directorate General of Military Intelligence. The attackers also broke into systems belonging to academics, journalists, and the offices of the Dalai Lama–they were able to obtain a year’s worth of the Dalai Lama’s e-mail, and academic reports on several Indian missile systems.
Many of the techniques used by the attackers have been employed by other spy networks, including GhostNet, which was revealed by the same researchers last year, and the recent attacks on Google. As before, the attackers stole data by sending malware targeted to specific individuals within an organization. The malware then connected compromised computers to a botnet commanded by the attackers that issued instructions and funneled the stolen data to servers where attackers could access it. “Antivirus systems are not terribly effective against these targeted attacks,” says Greg Walton, a SecDev Fellow at the Citizen Lab who researched the attacks.
However, this time attackers also used cloud-based websites to make it harder to shut down their botnet’s command-and-control infrastructure. Ron Deibert, director of the Citizen Lab, said in a press conference that the way that attackers use social media sites to shield their malicious activity reveals the “dark, hidden core” of cloud services.
After a computer was infected with malware, it would check in with the botnet for orders. Usually that would mean contacting a server controlled by the attackers. But in this case, infected computers were programmed to access social sites including Twitter, Baidu blogs, and Google Groups, where they were directed to the URL of a control server. Using the social sites allowed attackers to move their operations whenever part of their infrastructure was shut down, explained Nart Villeneuve, who is a senior SecDev research fellow at Citizen Lab, at the press conference. It also kept network administrators from becoming suspicious.