
Monday, March 30, 2009

Gh0stNet

The latest security news (hype?) is the discovery of Gh0stNet. Links:

My take on it? There is no proof that China is behind this. There are alternative explanations (as the paper correctly points out on page 47, but I don’t think that most people got that far). The fact that all those government institutions got penetrated only shows that most people don’t get security (even in “high risk” places). Yes, some of the attacks were targeted, but we hear almost daily about your average worm penetrating all kinds of “big” institutions.

A qualm of mine with the report is that it is too secretive: it tries to black out essential parts (no MD5 is given for the files, etc.). Also, there are some aspects which make the claim that this was a “professionally run” operation less believable:

  • From what I’ve seen, the associated GUI only makes it possible to control one machine at a time. This is very ineffective.
  • They mentioned that one of the first files to be retrieved through the network was one containing email addresses. This seems to be more indicative of a spamming operation than an infiltration operation.

Picture taken from Môsieur J.'s photostream with permission.
