Spies caught plundering secret Indian docs

Shadow Network busted

An espionage gang that infiltrated Indian government computer networks across the globe has been pilfering highly classified documents related to missile systems, national security assessments and the United Nations, according to researchers who tracked the intruders for eight months.

The gang, dubbed the Shadow Network, was monitored by researchers from the Munk School of Global Affairs at the University of Toronto and the SecDev Group. With assistance from colleagues at the Shadowserver Foundation, the white hat hackers watched the spies as they systematically compromised computers in government offices on multiple continents.

Shadow Network members also infiltrated the systems of Indian embassies in Kabul, Moscow and Dubai, India's Military Engineer Services, and several private companies. Reports they grabbed were frequently stamped with "Secret," "Restricted," and "Confidential" notices. The plundered documents also included a year's worth of personal email from the Dalai Lama.

The researchers are the same ones who last year discovered another stealthy spy ring dubbed Ghostnet. That group also stole documents from the Dalai Lama and from governments and corporations in more than 103 countries.

It was while following Ghostnet that the researchers stumbled onto the Shadow Network, which is believed to be a separate operation. By gaining access to the control servers Shadow Network spies used, the researchers were able to observe the theft of vast amounts of Indian government documents.

To conceal their tracks and to build redundancy into their operation, the spies configured their control servers to work with a wide range of free internet services, including Twitter, Google Groups, Baidu Blogs, and Yahoo Mail. The free services allowed the attackers to maintain control of compromised computers even if they lost contact with the command and control servers, the researchers said.

Following a trail of digital breadcrumbs, the researchers traced the attackers to China's Sichuan Province, though they noted it's hard to say conclusively that's where the individuals were located. Chinese government officials strongly denied the government was behind the attacks.

Members of the Shadowserver Foundation said they have already reported Shadow Network operations to China's National Computer Network Emergency Response Technical Team and called on the Chinese government to shutter the spy network.

The researchers' report, titled Shadows in the Cloud: An investigation Into Cyberespionage 2.0, is available here and there are additional details from The New York Times here. ®

Sponsored: Designing and building an open ITOA architecture