Threat Intelligence

Shadow Network

Dimitar Kostadinov
December 9, 2013 by
Dimitar Kostadinov

Part I

I. Introduction

Similarly to the real real-life situation where a GhostNet report is followed by the one on the Shadow network, these articles come as a logical continuation of the events described in the former case (GhostNet part I & GhostNet part II).

The "Shadow network" again covers the subject in two parts:

In Part I, the reader can learn more about the correlation between GhostNet and Shadow network, methodology, victims, and targets related to the second case of cyber-exploitation.

Part II is going to provides an insight into aspects of the Shadow network, such as the complete technical investigation, attribution thoughts, and notion of the importance of this event.

II. GhostNet & and Shadow network Network

The GhostNet investigation began after raising suspicions were raised that the IT security of several Tibetan organizations had been compromised. The findings, howevermoreover, demanded a follow-up exploration work in connection toof additional unstudied traces discovered during the fore-mentioned initial investigation. As a result, the existence of the Shadow network existence was made public (Information Warfare Monitor, 2010).

The same research group from Canada responsible for the GhostNet report worked this time with the American Shadowserver Foundation. The joint efforts of these research teams produced the Shadows in the Cloud report.

What follows next is a part in which the differences—and one significant point of convergence (an OOHDL intrusion)—between both cyber-exploitation cases are enumerated:


Recovery of compromised documents

While working on the GhostNet case, the researchers testified that they had witnessed the exfiltration process of sensitive documents from the machines to which they had direct access. Despite this curious first-hand experience, the investigators could not identify the documents exfiltrated from these computers— – a fact which would inevitably impede revealing discovering the identity of the attackers based on inferred intentionality or presumptive responsibility.

On the contrary, in the Shadow case, the team was able to recover a significant partition portion of the exfiltrated data, again highly sensitive documents, from a drop zone connected to a constantly monitored malware network (Information Warfare Monitor, 2010). As assessed, even though not unprecedented, such access may provide some invaluable information about the type of the data extracted from the compromised computers as well as the potential intentions of the attacker(s) and even his (their) nationality. Nevertheless, it should be noted that any such information would hardly provide conclusive proof.

Attack origin location

During the GhostNet investigation, the team behind the report established that the bulk of command and control servers sustaining the process of cyber-exploitation is located on the Hainan Island, PRC. On the other hand, according to the Shadow network report, the malicious activities appear to be springing mainly from the Sichuan province in China, more specifically Chengdu (Information Warfare Monitor, 2010).

Strictly speaking, although the digital evidence leads to those locations, it cannot be held as an ultimate indicator of the nationality or identity of the perpetrator (Zetter, 2010). In this regard, a security researcher with the Shadowserver Foundation finds: "While we don't know exactly who's behind it, we know (only) they selected their targets with great care" (Markoff & Barboza, 2010a, par.14)."

Objects of cyber-exploitation

Speaking of selecting targets, one thing that both cyber cyber-intrusions have in common, however, is aiming to strike a blow against the premises, the computer systems accordingly, of the Tibetan government-in-Exileexile, even the private office of Dalai Lama (OHHDL). In fact, the Shadows in the Cloud report asserts that the staggering number of 1,500 letters had been obtained by the intruders (Zetter, 2010).

One major difference between these two cyber-exploitation operations is the targeted objects. In GhostNet, these are primarily in the Tibetan community, whereas the Shadow network casts its dark cloud over numerous of targets— also again the office of the Dalai Lama, the Indian government, the United Nations, the Pakistan Embassy, and other victims which who will be discussed in length further later (Zetter, 2010).

A matter of sophistication

The principal of the SecDev Group and co-author of the Shadow report, Rafal Rohozinski, estimates that this kind of data collection, in terms of enormity, pervasiveness, and far-reaching effects, constitutes a new era in Internet spying. In the past, like a decade ago, cyber cyber-criminals were looking for a quick payday—for instance, by demanding a ransom for blocked websites. This is not the case, however, with the Shadow network. Its revelation exposes much bigger game: the viable opportunity for non-state actors to retrieve a huge quantity of sensitive information in order to sell it to other states willing to pay the price. With relation to this point, Rohozinski prognosticates, "it's like the world of art theft, where you steal things that have a very high value, so long as you can find a buyer"
(Robertson, 2010, par.12)."

The following key passage also provides a pertinent comparison and at the same time yields an insight into the capabilities available to the criminal minds behind these two events:

The trojan Trojan client in the Shadow network appears to have greater communication capabilities. In addition to communicating with the trojanTrojan servers running on the Control control Serversservers, the Shadow trojan Trojan client could also receive commands directly through email and through certain social media. (Kak, 2012, p.26)

Consequently, experts say that the second spy ring is far more sophisticated and difficult to detect than the GhostNet intrusion (Zetter, 2010). The security researcher Steven Adair adds that "this (meaning the Shadow network) would definitely rank in the sophisticated range (Markoff & Barboza, 2010a, par.14)."

III. Methodology

The investigators who prepared the Shadows in the Cloud report employ a methodology whose core rests at the linkage intersection of field investigation, technical probing and interrogation techniques, data analysis and visualization, and contextual (geopolitical) research. The team firmly believe that one of these components alone cannot provide the comprehensive results which this type of investigation requires. Instead, the maximum gains from the findings should be retrieved by combining all of the methods described above (see the scheme further below).

A great deal of insight can be derived from the field-based research. This technique may prove fruitful when it has to be is used to analysed analyze the post post-infiltration attackers' capabilities, and at the same time to account for shifts of the command and control locations— – the exploiters often choose to "migrate compromised hosts to new command and control servers and/or command compromised computers to install new malware that is not publicly disseminated through spear phishing and other targeted malware attacks (Information Warfare Monitor, 2010, p. 8)."

Leads stumbled upon during the in-field process are followed by a phase of technical evaluation. AdditionallyIn addition, the technical investigation and data analysis of malware and exploits is are critical in establishing the capabilities and targets involved. Furthermore, by discovering and enumerating the malicious command and control servers, one can disclose secondary information that can be utilized to determine the exact data targeted as well as the probable culprit.

Finally, with the help of contextual research (geopolitical assessment), one may set ajaropen the door to the divine knowledge, giving a great deal of information about: the nature of the exploitation, the techniques used to break- in, the timing, and ultimately the motives and identity of the attackers.

The research team proudly presents these techniques as a package called a fusion methodology, an all-embracing crucible for forging the steel blade that will disperse the shadows and chase away the clouds. More about this methodology directly from the Shadows in the Cloud:

This approach combines quantitative, qualitative and technical data, and draws on multidisciplinary analysis techniques to derive results…employ techniques that include interviews, long term in situ interaction with our partners, and technical data collection involving system monitoring network reconnaissance, and interrogation…technical investigations and the resulting data and analysis outputs are shared with our in-field teams and partners…we then interpret results from these investigations through a variety of theoretical lenses drawing from disciplines of political science, international relations, sociology, risk analysis, and criminology (among others). (Information Warfare Monitor, 2010, p. 3).




With the desire to unravel further the application of fusion methodology, it is worth noting that it may bear promising results as a digital investigation tool. An actual mapping of the digital investigation activities into the data fusion domain through the so so-called grouping process can produce more quality data for analysis. This can be discerned from the examples given above and those existing in other parts of this contribution.

Together with the decision mining rules, data fusion can lead to the improvement of the classification accuracy, as well as enabling graphical representation in computer forensics. Provided Given the great mixture between the data transformation, data cleaning, and data reduction features immanent to this methodology at various fusion levels, it will not come as a surprise that the final result can narrow down the unknowns and improve the efficiency of digital investigations (Satpathy, Pradhan & Ray, 2012).

As a final argument in favour of the data fusion: "the documentation capabilities incorporated into it can help the investigating agencies to generate the report describing the nature of the case…, which can be used an expert testimony in the court of law" (Satpathy, Pradhan & Ray, 2012, p.18)."

IV. Victims

Initial Compromisecompromise

Typically, the victim receives an email oftentimes appearing as if it is was sent by an acquaintance. Not uncommon is the situation when the attack arises from someone who is has already fallen victim, an occurrence a.k.a. the man-in-the-mailbox attack and discussed also in "The cyber exploitation life cycle" (Markoff & Barboza, 2010b).

Furthermore, there is a text—specific or generic—and it is accompanied by a malicious attachment, a Microsoft Office document/ PDF, or a link to a corrupt web address. The topics used by the exploiters in Shadow network are such that would likely stir interest among individuals from Indian and Tibetan communities.

Once the victim clicks on the attachment, the file would will probably open in a normal way. However, if there are not any cyber cyber-security mitigations in place, the computer will likely be compromised (F-Secure, 2010).

Drawing up a victims' profiles

The research team managed to obtain information about the victims from 5 five sources:

  1. A command and control server which that contains a list with details on compromised computers;
  2. Text files contained on three command and control servers;
  3. Intelligence from email accounts assisting the command and control process;
  4. Exfiltrated documents acquired from one command and control server;
  5. DNS sinkhole investigation;.

The victims are divided into two main groups:

A) Victims identified solely by technical information, IP addresses mostly;

B) Victims for whom is recovered exfiltrated files are recovered, although not having IP addresses (Information Warfare Monitor, 2010).

Method of identification

IP address identification is the primary such approach, . which It consists of three basic steps:

  1. Regional Internet Registries (RiRRIR) gives country and network location to which the IP address is assigned.
  2. Reverse Domain Name System (DNS) processing—a domain name is obtained via processing of IP address. It provides additional information about the entity which holds given IP address.
  3. WHOIS— checking with a public database for registrations of domain names.

In both GhostNet and the Shadow network, the researchers decided to register several expiring domains linked directly to malicious cyber-exploitation activities against the private office of Dalai Lama in order to collect more information about the malware command and control infrastructure, methods of communication, and victim computer systems (Information Warfare Monitor, 2010).

Been caught stealing from OHHDL

During the period when the investigating team recorded the network traffic in the field, they witnessed how the unknown attackers removed two important documents from OHHDL. The action was performed in multiple phases: first, the data was split into 100kb chunks if necessary; second, it was compressed with CAB; third, the data was encoded with base64; finally, the so prepared files were uploaded to a command and control server (Information Warfare Monitor, 2010).

Created as an archive for the Dalai Lama's office in 2009, the documents contain over 1,500 letters of correspondence. Most of them were perfunctory and generic, but a small part could be regarded as sensitive.

Therefore, "been caught stealing" is neither just a song by Jane's Addiction, nor any more a trademark of shoplifters and pickpockets only. Now it is something we could witness in cyber cyber-space and perhaps even use as evidence in court.

Victim analysis on the basis of recovered documents

There were 44 compromised computers in total from which data had been recovered. While the reconstruction from the network traffic was feasible with the documents recovered from the OHHDL, the remainder was were obtained from an accessible directory on the command and control server (Information Warfare Monitor, 2010).

The result from this part of investigation determines that, either by geographic location or country of origin, attribute the majority of the compromised machines is are located in India.

V. Targets

Significant the way it is, sSome of the recovered documents contain sensitive information that can be classified under the tags "Secret,", "Restricted,", and "Confidential.".

Part A portion of these documents holds secret information concerning about evaluations of India's security capabilities in the state of Assam, Nagaland, Manipur, and Tripura, and also such concerning Maoists and Naxalites. Moreover, among these recovered documents, there are some which that bear a relation to India's international dealings.

Since the Shadow network appears to be a cyber-exploitation from aof considerable international significance, Rohozinski deemssays, "that is an operation security issue for both NATO and the International Security Assistance Force" (Markoff & Barboza, 2010a, par.22)." Presumably, it is true, given the fact that the NATO civilian contingent travelling to Afghanistan usually enters first India from where the local authorities issue visas. As the Shadow report testifies, some of these computers used to collect and process information needed for issuing Indian visas were compromised in Kabul and Kandahar, Afghanistan (Markoff & Barboza, 2010a).

National Security security and Defencedefense

The investigation shows that some of the exfiltrated files contain information about military projects:

Shakti— an artillery combat and control system, recently introduced given theat that particular time

Iron Dome—new mobile missile defence system

Pechora Missile System—an anti-aircraft missile system

The information concerning these military projects is not classified, nevertheless the topics are of delicate nature, as far as the regional political situation is concerned (The Economic Times, 2010).

Academics/Journalists journalists focused on the PRC

Interestingly, the Shadow network cyber-exploitation is also directed against institutions and individuals practicing in the fields of academia and journalism. In the experts' opinion, the compromised personal information concerning people whose job is in this sector might be leveraged in future attacks via widely-known social engineering techniques (Lemon, 2010).

The stolen papers comprise includes topics which that more or less have something to do with PRC: politics, ethnicity and religion in central Asia; Chinese military exports; connections between armed groups in China; the containment of the PRC, foreign policy stand on Sino-Indian and Taiwan relations, etc. Again, these documents were available to the public; however, in itself the interest in them is indicative of who may lurk in the Shadow network.

List of the affected institutions affected by the Shadow network

National Security Council Secretariat, India

Diplomatic Missions, India

Military Engineer Services, India

Military Personnel, India

Military Educational Institutions, India

Institute for Defence Studies and Analyses, India

Defence-oriented publications, India

Corporations, India

Maritime, India

United Nations

(Information Warfare Monitor, 2010)

Part II

I. Technical Investigation

The team behind the Shadows in the Cloud report, Information Warfare Monitor (IWM) featuring Shadowserver Foundation, conducted a thorough technical investigation consisting of the several interrelated ingredients:

DNS Sinkholing

Generally speaking, this technique requires the registering of domains previously employed by the entities behind certain cyber-exploitation activities, in our case such asthe subversive attacks against Tibetan institutions like the Office of His Holiness the Dalai Lama (OHHDL).

Hence, by registering those domain names that were used before by cyber cyber-exploiters as command and control servers, the team was able to monitor the incoming traffic to those still compromised computers still compromised, which, in turn, allowed them to gather important information on the methods of the attacks, the structure of the spy ring, communication means, and nature of the onesose who had fallen victims.

It was found that one computer at OHHDL was compromised by both GhostNet and the Shadow network. Several expiring domains were linked to cyber cyber-intrusions against OHHDL and the investigators managed to register some of them—some common for both spy rings, some linked to Shadow network only.

After the procedure was set in motion, the researchers "were able to observe the file paths associated with malware that were requested by compromised computers
(Information Warfare Monitor, 2010, p. 28)." Although they found 6,902 unique IPs utilized as hosts to command and control servers, counting the IPs merely is not an accurate indicator of size.

Supposedly, "botnets are generally much smaller than the total sum of unique IP addresses (Information Warfare Monitor, 2010, p. 28)." Because of the ulterior motive to target specific set of victims or data, the structure of such a cyber-exploitation as Shadow network is expected to be small.

Malware Analysisanalysis

Through the Collection collection of malware samples from various types of cyber cyber-intrusion, through which can be specified the exploits, vectors of cyber breach, and the concrete social engineering tactics & and topics can be specified, as well as the command and control servers which the hostile intruder uses. With malware consisting mostly of DOC, PDF, PPT, and EXE file extensions, in our case, seemingly there was extra malware on the servers under the attackers' control (Information Warfare Monitor, 2010).

Command and control topography of malware servers

By summarizing the data drawn from sources such as the field investigation, sinkholing process, and malware analysis, the results were sufficient to promote allow accurate mapping of the malware command and control infrastructure.

Identification of victims—it was possible, owing to a qualitative all-round analysis of the sinkhole server connections, recovery of initially exfiltrated documents, and observing control panels in use by the exploiting entities for directing the compromised computers.

Data recovery—this This action was possible after the discovery of drop zones used by the attackers as a warehouse for stashing stolen files.



  • Microsoft Word 2003 and Power Point 2003 files— – old and well-known in the hacker community.
  • PDF CVEs 2009-0927, 2009-2990, 2009-4324— – recent status, a few weeks/months before being patched.
  • No 0zero-day

Malicious binaries found on command and controls

27 Twenty-seven malicious binaries are found, 2 two of them predisposed to more specific functionality— – reaching out to Yahoo! Mail accounts as a part of command and control structure, and installing new ones on the compromised computers.

Attackers connect to the Tor anonymity network

One malware sample hosted on wwwfox99/ established a connection with command and control server in order to download additional elements (nscthttp.gif, docBack.gif, top.gif, and tor.gif), which respectively allowed connection to the Tor network, an anonymity system protecting against traffic analysis attacks, often used by human rights activists and journalists (Information Warfare Monitor, 2010).

According to Dan Egerstad, a computer security researcher, the intruders may have been exploiting the Tor network as a tool for data exfiltration: "…the traffic he (Tor) sniffed belonged to someone who had hacked the accounts and was eavesdropping on them via the Tor network. As the hacked data passed through Egerstad's Tor exit nodes, he was able to read it as well (Zetter, 2007, par.11)."

Attackers were using Enfal trojanTrojan

The existence of Enfal trojan, a well-known of its kindTrojan, is often evidential evidence of prevalent and common command and control structure shared between affiliated malware networks. It could be seen as a sign that the exploiters exchange techniques and tools or share some interest in attacking similar sets of targets (Information Warfare Monitor, 2010).

Conclusion on malware grounds

The field research made done by IWM and Shadowserver Foundation laid special emphasis upon OHHDL's computer system, "had been compromised by at least two different types of malware associated with targeted malware intrusions. Based on our understanding of the malware, the domain s and on-going research we assess that this compromise also involved at least two different cyber espionage groups and potentially even a third one." (Information Warfare Monitor, 2010, p. 13).

Command and control Control infrastructureInfrastructure

As is often is the case with advanced persistent threats, the infrastructure relying on a stable core is crucial, so that the attackers can maintain prolonged access to compromised systems.

In effect, the structure has two main functions: to set up an exfiltration path to drop zones or to command and control servers directly; , and to enable intruders to issue instructions to compromised machines.

The Shadow network Network structureStructure

Shadow network relies on leveraging several layers, i.e., tiers, of command and control infrastructure:

  1. Social networking websites, — newsgroups, blogs, and social networking services— — Twitter, Google Groups, Baidu Blogs, Blogspot,— — submitted to the perfidious notion of retaining a sustainable prolong presence by building a system around components that do not look malicious.

    Because these companies are so popular and the people, as well as the products manufactured by Internet security vendors, recognize them as trusted, the connections to these social network platforms remain are allowed at a firewall level, even when other connections to command and control systems from the same structure are blocked (Information Warfare Monitor, 2010).

    In addition to building up a resilient and concealed command and control infrastructure, these intermediaries can provide a new attack vector, updating compromised computers with new malware, relay files or links to recipients in a targeted organization, extract documents, emails, and other data to a drop zone (Robertson, 2010).

Concerning the data exfiltration and communication parts, intruders have a diversity of connections means at their disposal between the links holding together the Shadow network in order to find the most effective way of stealing data, in terms of lurking longer in the shadows and remain undetected. For example:

The attackers used these Yahoo! Mail accounts as command and control in conjunction with traditional mechanisms, such as HTTP connections to web servers. Therefore, even if the traditional web-based command and control channels were shut down the attacker could retain control(Information Warfare Monitor, 2010, p. 22)

Not surprisingly, the traffic being disguised in such a manner was appearing appeared as innocuous to network administrators and defense mechanisms like firewalls (Walters, 2011).

  1. Free web hosting services— — once Once the targeted user accesses the contagious social platforms, they normally direct the compromised computers to another type of command and controls nexus, most often settled on free web hosting providers.
  2. Other clusters of command and control servers——soon Sooner or later, the suspicious misuse of the free web hosting services draw attention that is unwanted not wanted for by the wrongdoers' attention. As it is in the general case, these services are disabled over time on the grounds that they are used in illegal activities. To avoid failure, exploiters usually find a way, with the help of the built social network system, to route they attack and beacon (i.e., attempt to establish connection) it to a more sustainable core of command and control servers. Those are allegedly located in PRC.


Shadow network C & C functioning


Ingenious for its simplicity, the Shadow network structure for long worked as an impeccable, flawless machine (Robertson, 2010).

Recourse to Palantir technologyTechnology

The ability to wield handle tremendous amounts of complex information is a crucial requirement for a properly conducted online intrusion investigation. As it was already discussed, in the Shadow case the usage of social media and other similar intermediates further complicated breaking the knot. Consequently, this statement of from the head of Palantir's cyber crew, Shreyas Vijaykumar, is not surprising: "Attackers are getting smarter and using techniques like social media infrastructure to make it harder for automated systems to catch them"(Chiang, 2010, par. 6)."

Owing to its adaptive software, which is based on the one used on PayPal, Palantir is able to:

  • perform an easy easy-to to-handle search tasks by performing a deep scan through multiple data sets at the same time;
  • connect the dots between seemingly unrelated fraudulent payments. As a result, many cyber cyber-criminals, schemes, and plots are have been exposed and duly prosecuted.

Given the readily implementation of the Palantir intelligence platform by notable institution like such as the Central Intelligence Agency, the Federal Bureau of Investigation, and the Pentagon, some experts advocate more frequent recourse to the PayPal-based technology in elaborate cyber investigations (Chiang, 2010).

II. Attribution aspects Aspects of the Shadow networkNetwork

Owing to the inherent obscurity of the modus operandi at the disposal of the entities under investigation, it is safe to say that the attribution procedure is a complex task. Cyber Cyber-criminals usually put a great deal of effort into camouflage camouflaging their identity. The dispersion of the investigated networks across numerous platforms and national jurisdictions serves as evidence in support of that fact. Politicization of the attribution question further render makes it difficult to answer firmlygive firm answers to questions concerning attribution.

For these reasons among others, finding de jure an irrefutable proof is highly unlikely. However, de facto may not be entirely a causa perduta, especially if the investigation team succeeds in building solid, evidence-backed arguments based on circumstantial traces.

Speaking of indirect proof, elaborate research into the following components, laid out as a checklist, may disperse the cloud of attribution a bit:

  • nature and timing of the attack
  • targeted data resources
  • the exploit
  • the malware
  • the command & control infrastructure
  • methods & behavior post the initial compromise
  • ongoing intelligence collection & historical information
  • political screening
  • other contextually relevant information
  • Going from the general to the particular, the investigators behind the Shadow report claim that they have two "key pieces of information": — 1) an email address linked to the attackers which serve a manual purpose, explaining step-by-step how they could use Yahoo! Mail as a command and control server; 2) IP addresses attackers seemingly used to send emails from the Yahoo! Mail accounts, transformed into an inseparable part of the command and control structure.

    Because all of the IP addresses in use by the attackers when sending these Yahoo emails, whose content of new malware was definitely sent to the already infected computers, appeared to be located in Chengdu, Sichuan, the IWM & and Shadowserver researchers pose offer their '"most plausible explanation' explanation" about the author(s) of the Shadow network:

    Shadow network is based out of the PRC by one or more individuals with strong connections to the Chinese criminal underground. Given the often murky relationships that can exist between this underground and elements of the state, the information collected by the Shadow network may end up in the possession of some entity of the Chinese government. (Information Warfare Monitor, 2010, p. 40).

    PRC Position

    The official state-supported news agency Xinhua published an official disclaimer by from the Chinese government, defining as "groundless" whatever the idea that there was any involvement in the Shadow network. Speaking in support of this assertion, The the Chinese foreign ministry spokesperson Jiang Yu said: "Some reports have, from time to time, been heard of insinuating or criticizing the Chinese government…I have no idea what evidence they have or what motives lie behind" (Markoff & Barboza, 2010, par. 8)."

    Furthermore, she says that because "hacking is an international crime and all nations should join hands to deal with hacking crimes"
    (The Economic Times, 2010, par.3)," China has already participated in joined international initiatives and mechanisms from with global and regional meaning, such as APEC, ASEAN, and SCO.

    According to Nart Villeneuve, a researcher who took part in the Shadow network investigation, after the Shadow report was ready, they contacted China's National Computer Network Emergency Response Technical Team, or (CNCERT) by abbreviation. From CNCERT, however, answered that they had not received any reports of such a security incident from the Canadian-American joint research team (Lemon, 2010).

    III. Importance of Shadows networkNetwork

    Unexpectedly vast area of influence

    The very beginning of the Shadow network is tocan be assigned to the moment when the Tibetan organization sought help in relation towith a possible cyber cyber-security breach within their computer systems. Although initially it was expected to be a minor case, what resulted from is the discovery of not only GhostNet, a large international sophisticated cyber exploitation, but also of the Shadow network, —an even more targeted and sophisticated kind of cyber-exploitation (Information Warfare Monitor, 2010).

    High-tech technology amounts to high-tech threats

    Our networked societies time and again aspire to the rapid implementation of technological meansy in all areas of life. The tricky part, however, is that the fast pace of technological application sometimes does not go hand in hand with equivalent in scale security measures (Deibert & Rohozinski, 2010). As a result, "networked societies can be compromised through networks in which they are invariably linked and mutually dependent" (Information Warfare Monitor, 2010, p. 43)."

    Potential for collateral compromise

    The Shadow network clearly demonstrates capabilities in this department. The investigation indicates beyond question that unwitting third parties could take the blow even if they are not placed at the foresight forefront at all. Data on such third parties can be retrieved from a compromised computer and, with the help of a little logic and an intelligent approach, the cyber cyber-intruders can put together all the pieces of the jigsaw puzzle, which, in turn, would provides them with operational and actionable intelligence that can be used for further malevolent cyber cyber-activities (Information Warfare Monitor, 2010).

    Repurposing criminal networks for political cyber-exploitation

    This is Another another implication brought about byof the Shadow network finding. : The research team observes that seemingly there is a blurring between malware and techniques employed by common cyber cyber-criminals and actors involved invariably in politically motivated cyber cyber-attacks. It should be noted that this obscurity is often a sought effect to perplex further the proper attribution of given act (Information Warfare Monitor, 2010).

    Broadly-used online platforms repurposed as vectors of attack

    Last but not least, the Shadow network is a case of considerable importance for the fact that many "ordinary" services that characterize more or less our networked society today (social networking, peer-to-peer technologies, cloud computing) can be encircled by a corrupt cloud of malware and wrong intentions, thus altering their original functionality. At first look trustworthy, as it appears that these new platforms could can be set to purpose aspropagate malware propagation and to establishing establish a resilient command and control skeleton (Information Warfare Monitor, 2010).


    The Shadow network impresses, inter alia, with the way criminal actors can misuse popular, legitimate, esteemed services, that were made after allcreated for amusing social purposes. In such athis context, it would be perfectly understandable if one might feel a lack of safety while being online. The Director director of the Citizen Lab at the Munk School of Global Affairs, which is associated with the University of Toronto, gives a warning loud and clear: "There is a vast, subterranean ecosystem to cyberspace within which criminal and espionage networks thrive. The Shadow report shows that the social media clouds of cyberspace we rely upon today have a dark, hidden core" (Defense Update, 2011, par.7)."

    In spite of the point of view that such techniques do not actually represent actually noanything new per se, the Shadow network is a unique case massive of worldwide cyber cyber-exploitation that should must be reckoned with for the reasons enumerated in the previous chapter, and not only.

    The contemporary society is extremely interconnected through all kinds of technology means. This trend is not going to change, ; quite the opposite. , It it is growing rapidly in an unstoppable spiral reaching to the sky, as if it is a peculiar mutated plant from the Jack and the Beanstalk story.

    Perhaps the most essential lesson that we can extract from the Shadows in the Cloud case we can extract comes from the wording formulated by one member from the team that made the report: "It's not only that you're only secure as the weakest link in your network. But in an interconnected world, you're only as secure as the weakest link in the global chain of information" (Markoff & Barboza, 2010, par.5)."

    Reference List

    Chiang, O. (2010). PayPal-Based Technology Helped Bust India's And The Dalai Lama's Cyberspies. Retrieved on 12/05/2013 from

    Defense Update, Lance & Shield Ltd. (2010). The Dark side of Cyberspace. Retrieved on 12/05/2013 from

    Deibert, R. & Rohozinski, R. (2010). Risking Security: The policies and paradoxes of cyberspace security. International Political Sociology, 4:1, 15-32.

    F-Secure (2010). PDF Based Targeted Attacks are Increasing. Retrieved on 12/05/2013 from

    Information Warfare Monitor & Shadowserver Foundation (2010). Shadows In The Cloud: Investigating Cyber Espionage 2.0, Joint Report: Information Warfare Monitor Shadowserver Foundation. Retrieved on 08/03/2013 from

    Kak, A. (2012). Mounting Targeted Attacks with Trojans and Social Engineering — Cyber Espionage. Retrieved on 08/03/2013 from

    Lemon, S. (2010). Update: Researchers track cyber-espionage ring to China. Retrieved on 12/05/2013 from

    Markoff, J. & Barboza, D. (2010a). Researchers Trace Data Theft to Intruders in China. Retrieved on 12/05/2013 from

    Markoff, J. & Barboza, D. (2010b). 2 China Schools Said to Be Tied to Online Attacks. Retrieved on 08/03/2013 from

    Markoff, J. & Barboza, D. (2010). Researchers Trace Data Theft to Intruders in China. Retrieved on 12/05/2013 from

    Robertson, G. (2010). Canadian researchers reveal online spy ring based in China. Retrieved oon 12/05/2013 from

    Satpathy, Pradhan & Ray, (2012). Application of data fusion methodology for computer forensics dataset analysis to resolve data quality issues in predictive digital evidence. The International Journal of Forensic Computer Science, 7(1), 16-23.

    The Economic Times (2010). China rejects allegations of hacking Indian defense websites. Retrieved on 12/05/2013 from

    Walters, B. (2011). Free Expression the Price of Yahoo! Sale to China? Retrieved on 12/05/2013 from

    Zetter, K. (2007). Tor Researcher Who Exposed Embassy E-mail Passwords gets Raided by Swedish FBI and CIA. Retrieved on 12/05/2013 from

    Defense Update, Lance & Shield Ltd. (2010). The Dark side of Cyberspace. Retrieved on 12/05/2013 from

    F-Secure (2010). PDF Based Targeted Attacks are Increasing. Retrieved on 12/05/2013 from

    Information Warfare Monitor & Shadowserver Foundation (2010). Shadows In The Cloud: Investigating Cyber Espionage 2.0, Joint Report: Information Warfare Monitor Shadowserver Foundation. Retrieved on 08/03/2013 from

    Kak, A. (2012). Mounting Targeted Attacks with Trojans and Social Engineering — Cyber Espionage. Retrieved on 08/03/2013 from

    Lemon, S. (2010). Update: Researchers track cyber-espionage ring to China. Retrieved on 12/05/2013 from

    Markoff, J. & Barboza, D. (2010a). Researchers Trace Data Theft to Intruders in China. Retrieved on 12/05/2013 from

    Markoff, J. & Barboza, D. (2010b). 2 China Schools Said to Be Tied to Online Attacks. Retrieved on 08/03/2013 from

    Robertson, G. (2010). Canadian researchers reveal online spy ring based in China. Retrieved on 12/05/2013 from

    Satpathy, Pradhan & Ray, (2012). Application of data fusion methodology for computer forensics dataset analysis to resolve data quality issues in predictive digital evidence. The International Journal of Forensic Computer Science, 7(1), 16-23.

    The Economic Times (2010). China rejects allegations of hacking Indian defence websites. Retrieved on 12/05/2013 from

    Zetter, K. (2010). Spy Network Pilfered Classified Docs From Indian Government and Others. Retrieved on 12/05/2013 from

    Dimitar Kostadinov
    Dimitar Kostadinov

    Dimitar Kostadinov applied for a 6-year Master’s program in Bulgarian and European Law at the University of Ruse, and was enrolled in 2002 following high school. He obtained a Master degree in 2009. From 2008-2012, Dimitar held a job as data entry & research for the American company Law Seminars International and its Bulgarian-Slovenian business partner DATA LAB. In 2011, he was admitted Law and Politics of International Security to Vrije Universiteit Amsterdam, the Netherlands, graduating in August of 2012. Dimitar also holds an LL.M. diploma in Intellectual Property Rights & ICT Law from KU Leuven (Brussels, Belgium). Besides legal studies, he is particularly interested in Internet of Things, Big Data, privacy & data protection, electronic contracts, electronic business, electronic media, telecoms, and cybercrime. Dimitar attended the 6th Annual Internet of Things European summit organized by Forum Europe in Brussels.