GhostNet - Part II

April 29, 2013 by Dimitar Kostadinov

Behind the GhostNet notion stands an entire international network of infected computers belonging to places of high political, economic, media, or emblematic importance. One result among many in the IWM investigation is that sensitive documents were being removed. Atypically for a conventional cybercrime operation, the network is relatively small and most of the victims are high-value. Taking this into account, one can conclude with a high degree of probability that this is a case of pinpointed, targeted cyber-intrusion with a prolonged lifetime, namely, cyber-exploitation.

I. Who was behind GhostNet? – evidence, allegations, denials

Up to now it is unknown who was in control of GhostNet. Since the exfiltrated data itself was never recovered, the investigators were unable to draw any deduction from the question: to whom would this information be of value?

However, what can give away the hackers' intention, and perhaps even answer who is behind the malevolent act, are the technical characteristics of a concrete attack, as well as the subject of interest and the identity of the target (Goetz & Rosenbach, 2009).

  1. Circumstantial Digital Traces (Part I)
  2. The 'identity of the target' logic
  3. Real-life implications

The 'identity of the target' logic

The logic leads to China, even to the government itself, although this is based on circumstantial evidence and inconclusive digital traces. Taking into consideration the fact that the attacks are directed towards Tibetan and Taiwanese societies—long-time unresolved, vexing policy issues—and the evidence presented by IWM researchers that the GhostNet attacks were controlled from IP addresses traced back to Hainan Island, China (location of the Lingshui intelligence base and the Third Technical Department of the PLA), such a deduction makes some sense (Information Warfare, 2009).

Consistent with this theory, James A. Lewis, a former diplomat and expert in computer security, holds the opinion that: "The fact they targeted Tibetan activists is a strong indicator of official Chinese government involvement. A private Chinese hacker may go after economic data but not a political organization (Perlroth, 2012, par. 6)."

Real-life implications

Two incidents occurred that correspond, to a certain extent, with information that Chinese officials might have obtained through cyber-exploitation. The first concerns a diplomat who was pressured by China almost immediately after he had been sent an email invitation to a visit with the Dalai Lama. In fact, this incident raised the initial suspicion that there was a "mole" in the computer system, which, in turn, led to the subsequent massive exposure of GhostNet.

The second negative occurrence happened when a Tibetan woman working for Drelwa Dharamsala attempted to go back to Tibet to visit her family. She was held at the Chinese border, where the local authorities arrested her. The woman was imprisoned and interrogated for 2 months. At some point, she was presented with very detailed transcripts of her Internet chat history over the last few years. The Tibetan woman was then released, but not before being warned that she and her colleagues were under constant monitoring and were not welcome in Tibet (Akkad, 2009).

This case is akin, although a milder version, to the arrest of another Tibetan woman, Norzin Wangmo, in 2008, who was subsequently tortured and sentenced to five years in prison. Not long before her detention, she had used her computer and mobile phone to contact friends regarding protests in Tibet (International Campaign for Tibet, 2010).

While the first case is fairly straightforward, the others may have a different explanation. Since the Chinese version of Skype, TOM-Skype, was logging and storing text messages circulated among users, it is possible that the Chinese officials got hold of these and thus obtained the same information.

Looking at it from another perspective, the Cambridge researchers deem that "the Chinese made the operational error of using surveillance product for a minor and tactical diplomatic purpose. By demonstrating that they had access to confidential data, they alerted the OHHDL to worry about the secret data too (Nagaraja & Anderson, 2009, p.7)."

Privatizing cyber-exploitation

One plausible version is that GhostNet is the work of a single individual or a group of individuals, for example a cybercrime syndicate. There is no reason why this cyber-exploitation could not have been conducted purely out of profit motivation or misguided patriotism. However, as the case stands, such non-state actors would at least have acted with the tacit approval of the authorities, considering the enormous scale of the operation and how strictly the Chinese government monitors Internet traffic (Information Warfare, 2009).

It has been known since the late 90s that Chinese intelligence systematically conducts cyber-exploitation activities. In this regard, some IT security experts claim that the government has manufactured a large spider's web of secret channels among seemingly ordinary Chinese citizens (straw men). Basically, it is thought that: "Because China regulates its Internet so strictly—it controls access more than almost any other nation in the world—one can assume the government has at least tolerated hacker activity for a long time (Goetz & Rosenbach, 2009, par. 9)."

Other security experts even suggest that the Chinese authorities may employ people in hacking campaigns who are not in any way affiliated with the government. Joe Stewart, a security expert at Dell SecureWorks, who helped investigate cyber-attacks against the Vietnamese government, states:

"…there may be a marketplace for freelance work—that this is not a 9-to-5 work environment. It's a smart way to do business. If you are a country attacking a foreign government and you don't want it tied back, it would make sense to outsource the work to actors who can collect the data for you."

(Perlroth, 2012, par. 18)

According to the Dalai Lama, regardless of who is really behind the intrusions against the Tibetan community, the information taken appears every time to end up in the hands of Chinese officials. He does not say directly that the Chinese government is the silent aggressor; however, he points out that China knows of some Tibetan dealings well in advance, for instance, "before that particular person asks for an Indian visa, the Chinese already have protested… (Radio Free Asia, 2009, par. 38)"

In spite of all this secondary body of evidence, the experts strongly emphasize that an allegation against the Chinese government would lack conclusive proof. This is because of the purely operational impediment of firmly establishing whether the control servers were hijacked or run remotely (Goetz & Rosenbach, 2009).

Thus, it is not impossible that the computers physically located in China are actually controlled by a third party in order to cast the blame on an innocent entity that is, logically, the most probable perpetrator. In the same tone, senior government consultant Graham Cluley states, "Just because Chinese computers are used in the scheme, does not mean that the Chinese authorities are behind the operation (Leyden, 2009, par.8)."

Chinese denials

China directly denies the allegations that it is behind the GhostNet campaign. Furthermore, the Chinese announce that there is "no evidence" supporting the claims in the reports. In conclusion, Beijing is of the opinion that the entire charade is nothing but a vile, fabricated propaganda campaign against the country, commissioned by none other than the government of the Dalai Lama (McEntegart, 2009).

Chinese security and military analysts deny the reports about GhostNet, claiming that they are exaggerated and merely an attempt to put a stain on China, making it look like a global cyber-aggressor (Leyden, 2009).

The spokesman of the Chinese foreign ministry commented on the allegations that China is involved in cyber-exploitation activities:

"China pays great attention to computer network security and resolutely opposes and fights any criminal activity harmful to computer networks, such as hacking. Some people outside China now are bent on fabricating lies about so-called Chinese computer spies. Their attempt to tarnish China with such lies is doomed to failure."

(Radio Free Asia, 2009, par. 47)

Coincidence or not, the South China Morning Post reported that just three days after the GhostNet story hit the headlines, the Chinese Premier announced that Taiwanese hackers had penetrated a Chinese State Council computer and obtained sensitive documents through this cyber-exploitation (Goetz & Rosenbach, 2009).

Cluley believes that China is not the only state engaged in cyber-exploitation: "We would be fools to believe that countries would consider the internet and spyware 'off-limits' as a tool for espionage. Countries are spying on each other all across the world for political, commercial and military advantage (Leyden, 2009, par.9)."

II. Legal aspects of GhostNet

This part of the contribution is mainly based on the analysis made by Anne Wortham, a law and IT security scholar, and on the correlation between GhostNet, as a prominent example of cyber-exploitation, and the current legal doctrine and jurisprudence. At the heart of her viewpoint is the conviction that the traditional form of espionage does not correspond with the scale and consequences of the new form of spying, namely, cyber-exploitation.

The following reasons are enumerated for regarding cyber-exploitation as a more severe event than conventional espionage:

Access to a much larger breadth of material

The more valuable the data that is obtained, the more dire would be the negative impact on the victim. With at least 1,295 affected computer systems in 103 countries, neither the breadth nor the enormity of the event is disputable. Moreover, we should take into account that approximately 30% of the victims are considered "high-value." Seen from the exploiters' perspective, such a great success would have been virtually impossible if not for the Internet and the IT technologies (Wortham, 2012).

Much easier and less expensive access

GhostNet is seen as exemplary cyber-exploitation—a clear demonstration of how low-cost malware can enmesh high-value targets in the spider's web of advanced persistent threats (Wortham, 2012).

Unknown effects spread to unintended targets

Second- and third-tier knock-on effects are a great concern when it comes to the application of cyber-attacks. Does the same issue exist in the realm of cyber-exploitation? Certainly not to the same extent, but it does. Cyber-exploitation as an act of subversion has a very specific feature—the ability to target particular objects only. In effect, this feature is directly derivable from the Law of War principle of distinction (Article 48 of the 1977 Additional Protocol I).

In the GhostNet case, "the research team investigating GhostNet stated that the fact that so many high value targets were identified in GhostNet was likely coincidental, 'spread by contact between individuals who previously communicated through e-mail' (Wortham, 2012, p. 659)."

Attribution is nearly impossible

It has already been mentioned that China is the most obvious culprit because the reports traced the servers controlling GhostNet back to the mainland. Despite that, owing to the nature of cyberspace, such a conclusion would be unfounded.

On the other hand, according to some scholars, states have a responsibility to prevent international threats originating from their territory. With respect to this point, a thorough investigation by the Chinese authorities would be advisable.

As Walton says, "China has a responsibility to investigate this (BBC News, 2009, par.5)." In fact, the group he is associated with regards the cyber-attacks as a whole as "major disruptive capabilities that the professional information security community, as well as policymakers, need to come to terms with rapidly (BBC News, 2009, par.11)."

As a matter of fact, at some point during the GhostNet research done by the Canadians, the Chinese government pledged a complete, in-depth investigation, perhaps out of a desire to dull the growing passions and rising suspicions against itself. Nart Villeneuve, a researcher helping Trend Micro, attests to this:

"We did not find any hard evidence that links these attacks to the Chinese government. We've actually had very healthy co-operation with the Chinese computer emergency response team, who are actively working to understand what we've uncovered and have indicated they will work to deal with this… It's been a very encouraging development." (Mick, 2010, par.4)

You can read more information about some aspects of the attribution problem here.

Long time to investigate, few conclusive answers

A direct consequence of the unsuccessful attribution is the existence of many dead ends and knotty curves that obscure the answers to the questions posed at the very beginning by the researchers. Add to that the length of the process (GhostNet took up about 10 months of the IWM researchers' time), and one may even ask oneself whether investigating "ghost stories" makes sense at all.

To conclude, Wortham establishes that cyber-exploitation de facto represents a higher threat than traditional "James Bond" espionage (Wortham, 2012).

This contribution reflects on GhostNet as an act of cyber-exploitation whose purpose was snooping on the Tibetan Government-in-Exile and the Tibetan community as a whole. While the questions asked at the time the investigation took place still remain unanswered, there are always important conclusions that can be drawn from such an event. One of these is perhaps that the current situation, in terms of technology, politics, and international legislation, grants aggressors the opportunity to deny any involvement in misdeeds in the sphere of cyber security.

As to the Tibetan officials, most of them peace-loving monks, presumably they will still be targets of cyber-attacks and surreptitious cyber-activities in the future. The villains attempting to inflict damage on the Tibetan community would perhaps be facilitated by the fact that the religion and philosophy professed by these people is based on non-violence. The aggressors, however, must not forget the words of the Dalai Lama: "Non-violence means co-operation where it is possible, and resistance where it is not (Kundun movie, Scorsese)."

Reference List

Akkad, O. el, (2009). Meet the Canadians who busted GhostNet. Retrieved on 13/04/2013 from

BBC News, (2009). Major cyber spy network uncovered. Retrieved on 13/04/2013 from

China Daily, (2009). Analysts dismiss 'cyber spy' claims. Retrieved on 13/04/2013 from

ICRC (1977). Protocol Additional to the Geneva Conventions of 12 August 1949, and relating to the Protection of Victims of International Armed Conflicts (Protocol I). Retrieved on 13/04/2013 from

Information Warfare Monitor, (2009). Tracking GhostNet: Investigating a Cyber Espionage Network. Retrieved on 08/03/2013 from

Goetz J. & Rosenbach M., (2009). Cyber Spies: 'Ghostnet' and the New World of Espionage. Retrieved on 13/04/2013 from

Leyden, J., (2009). China rubbishes cyber-espionage claims. Retrieved on 13/04/2013 from

McEntegart, J., (2009). China Denies Internet Espionage. Retrieved on 13/04/2013 from,7415.html

Mick, J., (2010). China Cyberspies Strike Indian Military,Tibetan Exiles, and Embassies in U.S. Retrieved on 13/04/2013 from

Nagaraja S. & Anderson R., (2009). The snooping dragon: social-malware surveillance of the Tibetan movement. Retrieved on 13/04/2013 from

Perlroth, N., (2012). Case Based in China Puts a Face on Persistent Hacking. Retrieved on 13/04/2013 from

Radio Free Asia, (2009). Cyber-Spy Probe Sought. Retrieved on 13/04/2013 from

Wortham, A. (2012). Should Cyber Exploitation Ever Constitute a Demonstration of Hostile Intent That May Violate UN Charter Provisions Prohibiting the Threat or Use of Force? Federal Communications Law Journal, 64(3), 644-650.

Dimitar Kostadinov

Dimitar Kostadinov applied for a 6-year Master's program in Bulgarian and European Law at the University of Ruse, and was enrolled in 2002 following high school. He obtained a Master's degree in 2009. From 2008-2012, Dimitar held a job in data entry and research for the American company Law Seminars International and its Bulgarian-Slovenian business partner DATA LAB. In 2011, he was admitted to the Law and Politics of International Security program at Vrije Universiteit Amsterdam, the Netherlands, graduating in August of 2012. Dimitar also holds an LL.M. diploma in Intellectual Property Rights & ICT Law from KU Leuven (Brussels, Belgium). Besides legal studies, he is particularly interested in the Internet of Things, Big Data, privacy and data protection, electronic contracts, electronic business, electronic media, telecoms, and cybercrime. Dimitar attended the 6th Annual Internet of Things European Summit organized by Forum Europe in Brussels.