Spy Network Infiltrates Public, Private Computers
JACKI LYDEN, host:
It's like the plot of a great techno-thriller. Mysterious hackers, possibly based in China, break into computers around the world to conduct secret surveillance. And the key to unlocking this plot comes from the office of the Dalai Lama through a group of high-tech sleuths based in Toronto and Cambridge, England. The story was reported today by the New York Times.
Ross Anderson is a professor in security engineering at the University of Cambridge in England and was on the British team that investigated the spy operation. He co-authored a report titled, "The Snooping Dragon: Social Malware Surveillance of the Tibetan Movement," and he joins us now on the line from England. Ross Anderson, welcome to the show.
Mr. ROSS ANDERSON (Professor of Computer Security, Cambridge University): Hi.
LYDEN: So, this is really quite fascinating. Tell us how it worked.
Mr. ANDERSON: Last September, we got a call for help from the Dalai Lama's private office. And one of my research students, Shishir Nagaraja, happened to be in Delhi waiting for a visa. So, I said, right, get on a train up to Dharamsala and see what's going on.
And what he found was that somewhat over half of the computers at the Dalai Lama's private office had been compromised by malware that is somewhat more sophisticated than we'd come across before.
LYDEN: Let me just make a quick point here. Malware is software with bad intent?
Mr. ANDERSON: Software with bad intent, yes, and things like viruses and worms. In this case, it was a rootkit, which enabled the attackers from a distance to control the computers, so they could rifle through the files and see if anything there was of interest. And it later turned out that they could even turn on the computer's camera or microphone to do surveillance of people in the room.
LYDEN: So, the people in the Dalai Lama's office brought this to your attention, and then what did you do?
Mr. ANDERSON: Well, we found out how the malware had been installed. And it was quite clever in that the attackers had observed that various Tibetans had spoken to each other on public fora so that, for example, A would say to B, wasn't it terrible what happened in Shigatse last week. And then, the Chinese would say to A, pretending to be B, hey, I just found a PDF about that thing in Shigatse. And if A then clicks on that to read it, he would get his machine infected.
Now, once the Chinese had used this technique in order to infect one machine in the private office, they then compromised the private office's mail server, which was in fact a machine in California, and once they owned that, they were able to put infected attachments into many of the e-mails that were sent internally between members of the private office.
LYDEN: These spies were able to compromise hundreds of computers in more than 100 countries, correct?
Mr. ANDERSON: Well, what happened afterwards is that our colleagues in Canada did an exploit of their own in that they took over one of the Chinese control computers in Hainan, and they found that this machine was being used to control, or had at one time been used to control, a bit over 1,000 other infected PCs.
There were a lot of them in places like India, Vietnam, Laos, and there were a smaller number elsewhere in the world, including some in America at places like Associated Press and indeed the likes in New York.
LYDEN: Has this spy network already had an effect on international relations?
Mr. ANDERSON: It certainly has had, and the interesting thing is that the reason the Tibetans figured out that they'd been hacked was that on more than one occasion, when the Dalai Lama tried to arrange meetings with foreign dignitaries, the Chinese diplomats got advance word of this and got hold of the dignitaries and said, hey, you'd better not do that.
LYDEN: Well, have you ever seen Web espionage to this extent?
Mr. ANDERSON: Well, what we've seen up to now has tended to be either highly targeted technical stuff or else phishing in the sense of, you know, the millions of spams that you get every day that are trying to recruit you to do money laundering or to steal your bank account details.
What's fascinating about this is that it's a kind of crossover. And you know, my real concern is this, that I keep on asking myself what's going to happen if people mount an attack like this against a typical Fortune 500 company? And the answer I get when I think about this is, well, they would go through it like a knife through butter.
LYDEN: Ross Anderson is a professor in security engineering at the University of Cambridge and was one of the researchers who uncovered this massive computer spying operation. Thank you very much for joining us, sir.
Mr. ANDERSON: Thank you.