Indian national security information, emails and other sensitive documents were stolen from the Dalai Lama’s office, and the hackers have been traced to China, according to a report by researchers at the University of Toronto.
The report titled “Shadows in the Cloud: Investigating Cyber Espionage 2.0” describes a hacking operation called the “Shadow network” that researchers observed as it broke into computers and stole information, including personal banking information, scans of identification documents, job applications, legal documents and information about ongoing court cases. Indian embassies, corporations, military institutions and defense-oriented publications were among those who were targeted. In addition, researchers reported the hackers stole at least 1,500 emails from the Office of the Dalai Lama.
The researchers said they believed the hackers were able to compromise computers by infecting victims primarily via email, using social-engineering techniques to convince their victims to open malicious file attachments. The attackers also used various exploits and file types to compromise their victims, including PDF, PPT and DOC file formats to exploit Adobe Acrobat and Acrobat Reader, Microsoft Word 2003 and Microsoft PowerPoint 2003.
Although the researchers were able to trace the hacking to core servers located in China and to people based in the city of Chengdu, they found no evidence of involvement by the Chinese government, and the identity and motivation of the hackers remain unknown.
Noting the worldwide move toward cloud computing and the security issues that have arisen, the researchers said clouds provide criminals and espionage networks with cover, tiered defenses, redundancy, cheap hosting and conveniently distributed command and control architectures. In addition, they provide a powerful mode of infiltrating targets who have become accustomed to clicking on links and opening PDFs and other documents as naturally as opening an office door.
“What is required now is a much greater reflection on what it will take, in terms of personal computing, corporate responsibility and government policy, to acculturate a greater sensibility around cloud security,” the report concluded.