GhostNet is a large-scale cyber spying operation that was discovered in 2009. It primarily targeted systems belonging to governments, activists, and organizations around the world. Entities involved in issues relating to China and Southeast Asia were more likely to become targets.
See also: cyber espionage
History of GhostNet
GhostNet was first uncovered by the Information Warfare Monitor (IWM). The IWM was a collaborative effort between the SecDev Group and the Citizen Lab at the Munk Centre for International Studies at the University of Toronto. The IWM began investigating the operation in 2008 after a suspected spyware infiltration of the Office of the Dalai Lama.
The investigation revealed a large cyber espionage network that had breached 1,295 computers in 103 countries. Many of these belonged to embassies, foreign ministries, and other government offices.
How GhostNet works
- The operation begins by tricking users into downloading a malicious file. This is usually done through spear-phishing emails crafted to look as if they come from a trusted source. The email might contain a link or an attachment that downloads the malware when clicked or opened.
- Once the user interacts with the malicious link or attachment, the malware (in GhostNet’s case, a Remote Access Trojan known as ‘Gh0st RAT’) is installed on the user’s computer.
- After it’s installed, the malware connects the infected computer to a server controlled by the attackers. This connection allows the attackers to control the infected computer remotely.
- The attackers can then use the infected computer to collect information. They can look through files, read emails, and even turn on webcams or microphones to record video and audio.
- The collected information is sent back to the attackers’ server, where they can analyze it and use it for their own purposes.
- The malware tries to remain hidden on the user’s computer to continue collecting and sending information. It might disguise itself as a regular program or process to avoid detection.