On Campus

UToronto researchers uncover vast online spy ring

Mostly Chinese-based operation tapped into classified documents in 103 countries

A cyber spy network based mainly in China has tapped into classified documents from government and private organizations in 103 countries, according to a report by Canadian researchers that was released Sunday.

The work of the Information Warfare Monitor initially focused on allegations of Chinese cyber espionage against the Tibetan community in exile, including the Dalai Lama, who is frequently denounced by Chinese officials.

The research eventually led to a much wider discovery of compromised machines, the Internet-based research group said.

Information Warfare Monitor is a joint effort of the SecDev Group in Ottawa and the Citizen Lab at the University of Toronto.

The group said in a news release that investigators conducted field research in India, Europe and North America, including in the private office of the Dalai Lama, the Tibetan government-in-exile and several Tibetan NGOs.

“We uncovered real-time evidence of malware that had penetrated Tibetan computer systems, extracting sensitive documents from the private office of the Dalai Lama,” Investigator Greg Walton said.

During the second phase of the investigation, the data led to the discovery of insecure, web-based interfaces to four control servers. The interfaces allow attackers to send instructions to and receive data from compromised computers.

“What we found is not so much unprecedented in scope and sophistication,” said Nart Villeneuve, a senior IWM analyst.

“But the relatively small size of the network and concentration of high-value targets is significant. It does not fit the profile for a typical cyber crime network.”

Principal investigators Ron Deibert and Rafal Rohozinski said: “This report serves as a wake-up call.”

“At the very least, the large percentage of high-value targets compromised by this network demonstrates the relative ease with which a technically unsophisticated approach can quickly be harnessed to create a very effective spynet.”

The compromised computers included, among many others, the ministry of foreign affairs of Iran; the embassies of India, South Korea, Indonesia, Thailand, Taiwan, Portugal, Germany and Pakistan; the ASEAN Secretariat; the Asian Development Bank; news organizations and an unclassified computer located at NATO headquarters.

The research group said while its analysis points to China as the main source of the network, it has not conclusively been able to detect the exact identity or motivation of the hackers.

A spokesman for the Chinese Consulate in New York dismissed the idea that China was involved.

The researchers said they have notified international law-enforcement agencies of the spy operation.

The F.B.I. declined comment on the operation.

– The Canadian Press

Looking for more?

Get the Best of Maclean's sent straight to your inbox. Sign up for news, commentary and analysis.