GhostNet: China Hacks Tibetan Government in Exile and 103 Countries

Researchers at the University of Toronto discovered GhostNet — a Chinese state espionage operation controlling 1,295 computers in government and NGO offices across 103 countries, including computers in the Dalai Lama's offices.

Tibetan Government / 103 Countries · 2009

Background

The Information Warfare Monitor, a joint project of Citizen Lab (University of Toronto) and SecDev Group, was investigating computer security for the Tibetan diaspora community when it discovered a much larger espionage network. The Dalai Lama's offices had suspected their communications were compromised.

The Attack

GhostNet was a Remote Access Trojan (RAT) network spread primarily through spear-phishing emails targeting Tibetan organisations, foreign affairs ministries, and embassies. Once installed, the RAT allowed operators to remotely activate webcams and microphones, collect documents, and take screenshots. The network had compromised computers in the offices of the Dalai Lama, the Tibetan government in exile, and foreign affairs ministries in Bangladesh, Barbados, Bhutan, Brunei, India, and more: 1,295 computers in 103 countries in total. The command-and-control (C2) servers were located in China.

Response

The researchers at Citizen Lab published their findings in March 2009, a significant act of transparency in attributing a state espionage operation. The Chinese government denied involvement. The Tibetan organisations cleaned their systems and implemented better security practices. The report was a foundational document in the emerging field of cyber threat intelligence.

Outcome

GhostNet was one of the first major publicly documented cyber espionage operations attributed to China. It demonstrated that China was conducting systematic network espionage against political opponents (Tibetan diaspora), diplomatic institutions, and governments simultaneously. The Citizen Lab report established a model for civil society cyber threat research.

Key Takeaways

  1. Political and civil society organisations are nation-state espionage targets and deserve security support
  2. Webcam and microphone access via malware enables real-time audio-visual intelligence collection
  3. Spear-phishing of diaspora communities is used to map their communications and identify informants
  4. Civil society cybersecurity research plays a critical role in attributing state espionage that governments cannot publicly disclose