Virtual Investigators Hack The Hackers When Chinese hackers swiped classified secrets from Indian government computers, they were unaware that their operation had also been hacked. A team of virtual investigators based at the University of Toronto, headed up by Rafal Rohozinski, spends their time tracking, and stopping, e-crime.
NPR logo

Virtual Investigators Hack The Hackers

  • Download
  • <iframe src="" width="100%" height="290" frameborder="0" scrolling="no" title="NPR embedded audio player">
  • Transcript
Virtual Investigators Hack The Hackers

Virtual Investigators Hack The Hackers

Virtual Investigators Hack The Hackers

  • Download
  • <iframe src="" width="100%" height="290" frameborder="0" scrolling="no" title="NPR embedded audio player">
  • Transcript

When Chinese hackers swiped classified secrets from Indian government computers, they were unaware that their operation had also been hacked. A team of virtual investigators based at the University of Toronto, headed up by Rafal Rohozinski, spends their time tracking, and stopping, e-crime.


And now, the story of the hacker hunters who tracked down a network of Chinese cyber spies. Last week, the New York Times reported that a team of investigators in Canada followed a group called The Shadow Network as they pilfered secret documents from government and military computers in India and read the Dalai Lama's email.

If you have questions about how they did it, what they found and what it means, our phone number is 800-989-8255; email us,

Rafal Rohozinski is the principal for the SecDev Group based in Ottawa, Canada, and he joins us today from the Canadian Broadcasting Center there. Nice to have you with us today.

Mr. RAFAL ROHOZINSKI (Principal, SecDev Group): Good to be here.

CONAN: And how did you get onto this?

Mr. ROHOZINSKI: Well, this investigation was actually a follow-up to something we did last year called GhostNet, where we did examine the computers of the Dalai Lama, by their invitation, largely because they suspected that those computers had been systematically bugged over a longer period of time. We conducted a very thorough forensic investigation of those systems as well as an investigation that told us a little bit about their information handling practices.

And lo and behold, we uncovered a network we called the GhostNet Network which included ultimately 103 different countries, about 1,500 computers, including everything from the Iranian foreign ministry, the Laotian prime minister's office, to the Israeli consulate in Hong Kong.

The Shadow Network was really a follow-up to that. We had a hunch that if a target is particularly tempting, an attacker will come back. So we went back to the same computer systems in the Dalai Lama's office and followed a few of the rabbit holes that were perhaps less clear from last time around. Lo and behold, we discovered a completely independent and separate cyber espionage network, this one targeting, from what we discovered later, largely the Indian national security and defense establishment.

CONAN: And well, who would be interested in both the Dalai Lama's email and the Indian military and political establishment?

Mr. ROHOZINSKI: Well, that's what makes these two networks, I think, really unique in that they don't really fall into the pattern of what we consider cybercrime. Cybercrime, generally speaking, is very much oriented towards the smash and grab. You know, what you can get very quickly that you can turn around into cash.

So extortion, for example, against online gambling sites has been a very traditional way that cybercrime has worked or stealing people's credentials so you could use their credit cards in order to quickly liquidate that into either goods or cash. But these networks aren't really those - don't fit those profile.

CONAN: Mm-hmm.

Mr. ROHOZINSKI: The stuff that they're gathering is more, to use an analogy, like high art. There's an intrinsic value to it, obviously, but there has to be a client. And in this case, because this was politically sensitive information, our assumption is that the client would be a state or an intelligence agency that has a need for this kind of information in order to create a broader intelligence picture.

CONAN: And the first suspect on many people's list would be China.

Mr. ROHOZINSKI: Well, true. And, in fact, you know, I think that our investigation has pretty conclusively come up to the conclusion that in both cases, the attackers were located in China. During the GhostNet investigation, we were able to track the attacker back to Hainan Island, which is an island off the south coast of China. And in this case, we were able to actually identify two individuals that were resident in Sichuan Province, China.

CONAN: And have you been able to track any connection with the Chinese government?

Mr. ROHOZINSKI: No, not directly. And in fact, we go out of our way to make that clear in both the reports. Now, that doesn't necessarily mean that the Chinese government is not involved. But I think what it points to is a much broader characteristic of cyber espionage, and that is simply this: Unlike 30 years ago, where signals intelligence, meaning spying through the use of either tapping into communications happening in the ether or through fiber optic cables and other telecommunications systems was really all about building the platform that could hone in on these systems, whether those were satellites in space or pods put on fiber optic cables. That no longer really is required to carry out this kind of intelligence.

In fact, in the globally interconnected world based on the Internet protocol, you can essentially build tools that do this kind of spying for next to nothing. In fact, you can outsource it so that it's possible for any individual with the requisite amount of skill and motivation to build these kinds of systems. And that simply means is that governments don't have to operate the platform. They can either outsource for it...

CONAN: Mm-hmm.

Mr. ROHOZINSKI: ...they can issue letters of marque, essentially creating pirates in cyberspace to gather it, or they can simply make it clear that they're interested in information from - obtained from these kinds of sources and whoever provides it - however provides it, they provide it to do so on their own initiative.

CONAN: Letters of marque authorized to privateers in the old days of sailing ships and - not quite pirates. They were sort of authorized pirates. They didn't get on if they were caught. But nevertheless, if this is, indeed, some sort of private - there is a culture of hackers. And we remember, in this country, just kids who would assault the very best just to test themselves against the computers at the Pentagon or at the Central Intelligence Agency.

Mr. ROHOZINSKI: Correct. And I think that we can't discount that as being one of the things or one of the factors that's driving the current sort of fascination with cyber espionage. I mean, let's look at it realistically. The vast majority of people that are coming on the Internet from the developing world - and I think we should include China definitely in that category - are young individuals under the age of 25, full of what you might call digital promiscuity. For them, to some extent, you know, hacking the Dalai Lama's computer may be the equivalent of playing the world's greatest videogame, except for real.

You know, realistically, it's the hackers that built the Internet. It's the hackers that led to the dotcom explosion in the 1990s. There's nothing to say that the current - what we see as malignant behavior in terms of espionage isn't actually the tip of the iceberg of something much more positive down in the future. That may be a positive and optimistic way of looking at it. The reality is also though that currently we are seeing cyber-espionage.

CONAN: And this kind of work you saw, systematically attacking the Indian military and political structures, that suggests a lot of people focused on one target.

Mr. ROHOZINSKI: That's correct, and that's why we're fairly categorical in calling this cyber-espionage. The range of targets that were chosen, both by GhostNet and the Shadow Network, was very, very narrow. It required what you might call a lot of domain expertise in order to know what exactly was being stolen from these computers.

Moreover, with the Shadow Network, we were able to locate the drop zones, where the documents that were being stolen were being staged by the attackers before being taken to another location. So we had an opportunity to see the documents they were taking. In many cases, these were documents that were stamped: secret, top secret, classified, in other ways. They included minutes of the National Security Council of India, they included assessments of the security situation in border regions, bordering China. They were fairly specific documents. So an analysis of the pattern of stuff that was being taken gave you a sense of what it was that the attackers were after, very specifically.

CONAN: The story in the Times last week said that the Indian government, you'd notified them and told them what was going on, and they said they would look into it. They didn't really have a lot of comment then. Has there been a more specific reaction to this development since then?

Mr. ROHOZINSKI: Well, I can't really speak on behalf of the Indian government. I can say that we certainly did notify them and notify them on multiple levels, and we notified appropriate institutions that should have been able to take action against that.

We also - you know, the data that was being taken didn't just belong to the Indian government. In fact, some of what we recovered, for example, were visa applications made by citizens of Canada working in Kandahar province and Kabul. Now it doesn't take a large stretch of the imagination to realize that there are not a lot of tourists in Afghanistan at the moment and that these were individuals that were working with either ISAF or the NATO force. And as a result, it really points out that there's an operations security issue around the way that data provided to third party actors may actually affect your own country as well.

CONAN: Let's get a caller in on the conversation. 800-989-8255. Email us: Our guest is Rafal Rohozinski, a principal at the SecDev Group and co-author of "Shadows in the Cloud: An Investigation Into Cyber Espionage 2.0."

Chris(ph) is on the line. Chris calling from Sacramento.

CHRIS (Caller): Yes. My question is, when do you think Microsoft is going to get serious about patching all the security holes and leaks in their software and prevent these cyber-attacks?

CONAN: Is this a Microsoft problem, Mr. Rohozinski?

Mr. ROHOZINSKI: Well, I think we can - well, I'll tell you something. We can say that the largest part of the problem may be a Microsoft problem, but it -certainly in terms of the GhostNet investigation, there were some mail servers which were also hacked which we suspect were not Microsoft products. In other words, it's not exclusively a Microsoft problem. Secondly, it's not just the software that secures the information. It's also the information security handling practices.

I mean one of the characteristics of the last 10 years is that public administration systems in countries like India and most of the developing world have moved far quicker in terms of embracing the way that information technologies have allowed them to work with documents than they have in developing policies that are appropriate to data moving from paper form to digital form. And as a result, in some respects information is probably more secure in a cabinet under the watchful eye of an Indian bureaucrat than it is on an Internet-collected computer.

CONAN: Believe me, it's secure there. It's secure in that cabinet. Never getting out of that cabinet.

(Soundbite of laughter)

Mr. ROHOZINSKI: Exactly.

CONAN: And you also suggests in your piece - and, Chris, thanks very much for the call - that indeed some of this information may have been pilfered not from computers in the offices of these agencies, but some people may have taken information home and put it on their personal computer.

Mr. ROHOZINSKI: Well, that's correct. And, in fact, we suspect that probably the classified information - that is, those documents which were clearly stamped either confidential secret, top secret, were actually taken from closed networks by bureaucrats and officials, put onto their home laptops and then compromise from that location.

CONAN: Now, do you think the government of the People's Republic of China, have they taken any action against the Ghost Network or the Shadow Network?

Mr. ROHOZINSKI: Well, in fact, it's interesting. As I said earlier, we really took pains here to point out that what we thought we had was evidence of a crime in progress and trying to provide the Chinese authorities in both cases with enough data to say, look, we have evidence here which we feel fulfills standards of evidence that you can then investigate in order to effectively at least be able to talk to the individuals who we say are - have been responsible for these things.

In the first case, it took China several weeks before they issued a flat denial, basically claiming that the report was just subterfuge. This time around it took them about six hours to say the same. In other words, they essentially dismissed the validity of the report without ever taking steps to investigate their basis.

CONAN: And does that make you more suspicious or is this just a reaction of this kind of government?

Mr. ROHOZINSKI: I think it's actually quite difficult to say. On one hand, yes, obviously it does make us suspicious that they're not even willing to take a few steps in terms of investigating it further because certainly it would be in their interest to do so if, for no other reason, add substance to the claims they make that they take cyber-crime seriously. On the other hand, obviously an accusation of cyber-espionage is something which elevates things to a high level of political rhetoric. So for that reason alone, perhaps the Ministry of Foreign Affairs chose to react this way rather than in a more measured way.

CONAN: Rafal Rohozinski, thank you very much for your time today.

Mr. ROHOZINKSI: You're very welcome.

CONAN: Rafal Rohozinski is the principal of the SecDev Group. He joined us from the Canadian Broadcasting Center in Ottawa. You're listening to TALK OF THE NATION from NPR News.

Copyright © 2010 NPR. All rights reserved. Visit our website terms of use and permissions pages at for further information.

NPR transcripts are created on a rush deadline by Verb8tm, Inc., an NPR contractor, and produced using a proprietary transcription process developed with NPR. This text may not be in its final form and may be updated or revised in the future. Accuracy and availability may vary. The authoritative record of NPR’s programming is the audio record.