A telltale e-mail address in the GhostNet report led two researchers to the online home of a seemingly low-level Chinese hacker, according to an analysis posted on Thursday, but an author of the original report stressed that the cyber criminal is likely only related to a lesser piece of malware.
The latest analysis follows the online trail from an e-mail address turned up by researchers as part of their investigation into GhostNet, a cyber espionage network that spanned 1,295 compromised systems, including computers belonging to embassies and dissident groups. The e-mail address led to a twenty-something Chinese hacker born in Chengdu City in the Chinese province of Sichuan, according to a blog post by Scott Henderson, a blogger who follows the Chinese hacking community.
However, the e-mail address was found only on two of the computers analyzed for the investigation, said Nart Villeneuve, a researcher at the CitizenLab and one of the authors of the GhostNet report. Both computers had been infected with a second piece of malware, separate from the gh0st remote access tool (gh0stRAT) that formed the backbone of the surveillance network, he said.
"That is a valid piece of malware but it is not the one related to the malware that connected to the admin interface for the gh0stRAT," Villeneuve said.
On Monday, university and industry researchers revealed the results of a 10-month investigation into a botnet designed to spy on compromised computers. The surveillance network, which targeted systems used by the offices of the Dalai Lama and Tibetan independence organizations, had infected 1,295 computers in 103 countries, almost a third of which were considered high-value targets.
The command and control servers led back to a province in China, not the first time that an investigation into cyber espionage attacks has led back to the Asian giant. Government officials in Belgium, Germany, India, the United Kingdom and the United States, for example, have all warned that attacks emanating from China have targeted sensitive networks in their countries.
On Tuesday, Chinese Foreign Ministry spokesman Qin Gang denied the conclusions of the GhostNet report, saying that its authors "are bent on fabricating lies of so-called Chinese computer spies," according to Voice of America.
On Friday, Henderson updated his blog, adding that the Chinese hacker had contacted him. Henderson is the author of The Dark Visitor, a book about the Chinese hacking community.
If you have tips or insights on this topic, please contact SecurityFocus.
Posted by: Robert Lemos