Why did GhostNet succeed?

The recent increase in attention given to cyber security is thanks in no small measure to the reports published by the Information Warfare Monitor and the Shadowserver Foundation titled “Shadows in the Cloud: Investigating Cyber Espionage 2.0” as well as the earlier report titled “Tracking GhostNet: Investigating a Cyber Espionage Network”. Both detail the existence of cyber espionage operations targeted against Tibetan and Indian officials and institutions, allegedly run by the Chinese. If you haven’t read these reports yet, you should.

There is enough content in these reports to provide fodder for several posts at Vyuha, ranging from technical discussions of how the espionage network was run to higher-level “what have we learnt” ones. This post looks at one of the factors that allowed this episode to play out – the effectiveness of the malware attacks that were used to set up the exfiltration network.

The reports identify that the attackers used Microsoft Office (DOC, XLS, PPT) and PDF files to deliver their malware, and that the information acquisition phase before the delivery must have been involved and meticulous.

What is surprising and frustrating about the whole attack is that, while the malware was delivered with targeted effectiveness, there is no proof that it exploited any 0-day vulnerabilities in the applications, and hence it could have been caught and prevented from wreaking havoc on the target machines. Why were the vulnerable applications not patched? Did the targeted machines have protective mechanisms in place, like updated anti-virus or HIPS software installed on them? If not, why not? Given that the information leaked from the exfiltrated documents was of a sensitive nature, it can be assumed that the people operating those machines had specific clearance. Why were their working environments not secured enough? In addition, were network-based Intrusion Prevention/Detection Systems installed on these networks, and if so, why were they not effective in preventing or even detecting these attacks?
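The paragraph above asks why document-borne malware that used no 0-day was not caught at the perimeter. One cheap, defender-side check that any mail gateway or endpoint triage script can apply is to classify attachments by their real content rather than their extension and to flag PDFs carrying auto-executing content. The following is an added example written for this post, not code from the Vyuha site or from the reports it cites; the file names and byte strings are constructed samples, and the markers it looks for are the standard PDF name objects for open-time actions (triage signals, not proof of malice).

```python
"""Attachment triage: real file type by magic bytes, extension mismatch, PDF active content.

Added example for illustration; all sample inputs below are constructed.
"""
import re

# Well-known magic bytes: OLE2 compound file (legacy DOC/XLS/PPT), PDF, and DOS/PE executables.
OLE2_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
PDF_MAGIC = b"%PDF-"
MZ_MAGIC = b"MZ"

# PDF name objects that run script or external actions when the document is opened.
PDF_ACTIVE_MARKERS = (b"/JavaScript", b"/JS", b"/OpenAction", b"/Launch", b"/AA")

# What each document extension is expected to contain.
EXT_TO_TYPE = {"doc": "ole2", "xls": "ole2", "ppt": "ole2", "pdf": "pdf"}


def sniff_type(data: bytes) -> str:
    """Return the container type implied by the leading bytes, not by the file name."""
    if data.startswith(OLE2_MAGIC):
        return "ole2"
    if data.startswith(PDF_MAGIC):
        return "pdf"
    if data.startswith(MZ_MAGIC):
        return "executable"
    return "unknown"


def pdf_active_markers(data: bytes) -> list:
    """List the open-time action markers present in a PDF byte stream (sorted, de-duplicated)."""
    hits = set()
    for marker in PDF_ACTIVE_MARKERS:
        # Require a non-letter after the name so /JS does not also match /JSomething.
        if re.search(re.escape(marker) + rb"(?![A-Za-z])", data):
            hits.add(marker.decode())
    return sorted(hits)


def triage(filename: str, data: bytes) -> dict:
    """Produce findings for one attachment; an empty findings list means nothing to flag."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    real = sniff_type(data)
    findings = []

    claimed = EXT_TO_TYPE.get(ext)
    if claimed is None:
        findings.append(f"extension .{ext} is not an expected document type")
    elif claimed != real:
        findings.append(f"extension .{ext} claims {claimed} but content is {real}")

    if real == "pdf":
        markers = pdf_active_markers(data)
        if markers:
            findings.append("pdf active content: " + ", ".join(markers))

    return {"file": filename, "type": real, "findings": findings, "suspicious": bool(findings)}


# Constructed sample attachments (not real files from the reports).
SAMPLES = {
    # Plain PDF skeleton with no actions.
    "report.pdf": b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n%%EOF\n",
    # PDF whose catalog runs a script object as soon as it is opened.
    "invite.pdf": (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /OpenAction 3 0 R >>\nendobj\n"
                   b"3 0 obj\n<< /S /JavaScript /JS (placeholder-script) >>\nendobj\n%%EOF\n"),
    # OLE2 header under a .doc name: type matches, nothing to flag at this level.
    "agenda.doc": OLE2_MAGIC + b"\x00" * 24,
    # A PDF renamed to .doc: extension lies about the content.
    "minutes.doc": b"%PDF-1.4\n%%EOF\n",
    # An executable header under a spreadsheet name.
    "schedule.xls": MZ_MAGIC + b"\x90\x00" + b"\x00" * 16,
}


def run_triage(samples=SAMPLES) -> list:
    """Triage every sample and return the per-file results in input order."""
    return [triage(name, data) for name, data in samples.items()]


if __name__ == "__main__":
    for result in run_triage():
        flag = "SUSPICIOUS" if result["suspicious"] else "ok"
        print(f"{result['file']:14} {result['type']:10} {flag}  {'; '.join(result['findings'])}")
```

The check is deliberately shallow: it does not parse OLE2 streams for macros or decompress PDF object streams, so a clean verdict only means the cheap signals are absent. Its value is in catching the renamed-executable and open-action cases before a user double-clicks, which is exactly the layer the post's questions about HIPS and IDS are asking about.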

A lot of questions with few answers. But then that has been the case with all the questions raised by the public about this incident.


5 Responses to Why did GhostNet succeed?

  1. trickey April 22, 2010 at 3:42 pm #

    So long as data security depends on the individual, there is no chance of eliminating all vulnerabilities. Somebody or the other will have classified information totally exposed.
    A decent document management system would have prevented this exposure no matter what the state of maintenance of these systems.


  2. skn April 22, 2010 at 4:23 pm #

    @trickey: interesting thought. I wonder how that would work, though. Once you have installed trojans and backdoors onto the local machines, most forms of document control would not be able to mitigate the ensuing problems.


  3. trickey April 23, 2010 at 11:42 am #

    @skn
    My idea here is to have a central document management system in place which would enforce authorization, access control and encryption on the documents. Naturally, such a system is accessible only on the intranet.
    e.g. Access to the most sensitive documents could be restricted to actively maintained off-grid nodes with saving/caching, copy-paste and screenshots disabled.

    There is plenty that can be done once such a system is in place, especially with a DMS based on modern security frameworks such as PAM, JAAS and Kerberos.
    Single-use passwords (delivered by secured means) could be enforced.
    On-screen keyboards could be added.
    Off-grid authentication (via SMS, for example) could be enforced.
    Restrictions could be placed to allow access only via a remote terminal with copy-paste disabled, so that there is no chance of caching/saving.

    The system could be as secure as you wanted it to be. It could evolve with the changing security environment.


Trackbacks/Pingbacks

  1. Hardware security and the Chinese | Vyuha - May 17, 2010

    […] some call it extreme paranoia and see these as a knee-jerk response to the recent reports of cyber espionage attributed to non-state Chinese actors, while others claim it as having something to do with the 3G license auction or do with the cheap […]

  2. Early-Warning Indicators for Predicting Cyberwar Operations | Vyūha - November 23, 2010

    […] argument could be made that cyber early warning would not be feasible against a silent multi-month effort like that against Indian government and Tibetan computers. True, there are major differences. For […]
