Published: 2009-06-18
Tallinn, ESTONIA — While the investigation into the GhostNet surveillance network took more than 10 months to finish, the creators of the network only needed a day to dismantle the botnet, Nart Villeneuve, an analyst with the Information Warfare Monitor, told attendees at the CCD COE Conference on Cyber Warfare on Thursday.
The speed with which the cyber spies dismantled the digital espionage network hinted that the attackers were more than your average hooligans. The surveillance network, which targeted systems used by the offices of the Dalai Lama and Tibetan independence organizations, infected nearly 1,300 computers in more than 100 countries. Almost a third of the systems were considered high-value targets including computers at various embassies, the Asian Development Bank and the Association of Southeast Asian Nations (ASEAN), according to the two reports documenting separate investigations into the botnet.
On Thursday, in a presentation at the cyber warfare conference held by the Cooperative Cyber Defence Center of Excellence, Villeneuve revealed that the cyber spies were quick to react, once the media reported on the investigations.
"It took about 24 hours before the network started to come down," Villeneuve said. "The attackers — presumably the attackers — started to remove the malware that was located on their servers. So all the binaries that were hosted on the high-end government Web servers disappeared, all the files that we had been accessing to connect to the control interface disappeared, and eventually the attacker took the domain names and changed the IP addresses to ... local host."
The Information Warfare Monitor, a collaboration between CitizenLab at the University of Toronto and the SecDev Group, turned over its lists of compromised computers to the Canadian Cyber Incident Response Centre, which has notified many of the affected organizations, he said. However, three months later, many of the victims have still not been warned, Villeneuve told attendees in Tallinn.
"As of now, that still really has not happened," he said. "There are apparently a lot of legal barriers to the disclosure of this information. For example, they want to run a harm test. Since we are able to identify individual X at a particular embassy, if we disclose that information to that country, will that person face torture or some human rights violations?"
Almost three months later, many questions remain unanswered by the investigations. But the important issue is the proof that such cyber activities are happening, Villeneuve said.
"Ultimately, we don't know who is behind GhostNet," he said. "What is interesting for us is the fact that it actually existed. That attackers using these unsophisticated methods were able to do this type of damage to organizations all over the world. And we think there are probably a lot of networks out there just like this. We just happened to uncover this one because the attacker made some critical mistakes."
Posted by: Robert Lemos
