Question


Explain attacking mechanisms (e.g., step by step procedures or phase by phase: Preparation, Initial Intrusion, Expansion, Persistence, Search and Exfiltration, Cleanup) of GhostNet in detail for a given real case (identified by yourself)

(Hints: You should focus on the procedures of the attacking mechanism. Explain the following steps in detail: Preparation, Initial Intrusion, Expansion, Persistence, Search and Exfiltration, Cleanup)

Solutions

Expert Solution

GHOSTNET:

This study that reveals the existence and operational reach of a malware-based cyber espionage network is called GhostNet. The operation’s command and control infrastructure was based mainly in the People's Republic of China.

GhostNet was discovered and named following a 10-month investigation by the Infoware Monitor (IWM).

GHOSTNET PART-1:

In GhostNet part I, the reader can learn more about the process of investigation, which includes the researchers and investigators responsible for bringing this case to light, affected parties, attack vector, etc.

GHOSTNET PART-2:

In GhostNet part II, which is to be published separately, the main plot revolves around the reactions and allegations or the denials of security experts, parties involved, politicians, and so on.

PREPARATION:

The GhostNet system directs infected computers to download a Trojan known as ghost RAT that allows attackers to gain complete, real-time control. These instances of ghost RAT are consistently controlled from commercial Internet access accounts located on the island of China republic.

Our investigation reveals that GhostNet is capable of taking full control of the infected computer, including searching and downloading some specific files, and operating attached devices, including the microphones and web cameras.

INITIAL INTRUSION:

It was discovered on March 29, 2009 by the Republic of China.

EXPANSION:

The SecDev Group; Citizen Lab, Centres for International Studies, University of Toronto. These are the labs and universities that are responsible for the development of GhostNet expansion.

PERSISTENCE:

GhostNet was reported to have infiltrated the computers of political, economic and media targets in more than 100 countries, including the embassies of India, South Korea, Indonesia, Romania, Cyprus, Malta, Thailand, Taiwan, Portugal, Germany, Pakistan and the office of the Prime Minister of Laos.

Some researchers have suggested that GhostNet might have been an operation run by citizens in China for profit or patriotic reasons. Alternatively, it may have been created by intelligence agencies from other countries such as Russia or the U.S. Every expert has a different opinion on who is behind them.

SEARCH AND EXFILTRATION:

At no point does it gather enough evidence to prove, conclusively, that the Chinese government or the People’s Liberation Army are behind the attacks. Just because Chinese computers are used in the scheme does not mean that the Chinese authorities are behind the operation.

CLEANUP:

The analysts uncovered an operation nicknamed "GhostNet" that infected computers belonging to Tibetan nongovernmental organizations.

Since the report became public in March, GhostNet has been vaporized. The servers collecting data went offline within a day of the report's release. China officially denied any connection to the operation, and those responsible for running it have never been identified.

