Based on the character of the documents (and not IP addresses) we assessed that we recovered documents from the National Security Council Secretariat (NSCS) of India, the Embassy of India, Kabul, the Embassy of India, Moscow, the Consulate General of India, Dubai, and the High Commission of India in Abuja, Nigeria. In addition, we recovered documents from India’s Military Engineer Services (MES) and other military personnel as well as the Army Institute of Technology in Pune, Maharashtra and the Military College of Electronics and Mechanical Engineering in Secunderabad, Andhra Pradesh. Documents from a variety of other entities including the Institute for Defence Studies and Analyses as well as India Strategic defence magazine and FORCE magazine were compromised.
Questions regarding those who are ultimately responsible for this cyber-espionage network remain unanswered. We were, however, able to benefit from a great investigation by The Dark Visitor who tracked down lost33, the person who registered some of the Shadow network’s domain names that we published in the GhostNet report and his connections to the underground hacking community in China. Based on the IP and email addresses used by the attackers we were able to link the attackers to several posts on apartment rental sites in Chengdu.
I’m still convinced this is private sector, not least because there are all sorts of potential buyers for this kind of information, not least within the United States. There are lots of state and para-state actors who would like to listen to confidential diplomatic traffic between India and its Kabul embassy – for instance – and would be glad to pay at least a certain amount for a certain amount of it. This is China exporting its internal chaos again.
And importing India's internal chaos. I'm about to blog about this; the Shadowserver Foundation report also gives some details of what Ghostnet was after, and a lot of it was documentation on the Naxalites and other Indian insurgencies. Does the Party want to know about them because they are a weakness of India's? Or because they fear that they might be a model for a future insurgency in China - a super-MGI? Or do the semi-official hackers want to know about them because they are themselves as much rebels as they are agents of the state?
Or perhaps one of them just has a blog to feed?
Posted by: Alex | April 07, 2010 at 11:24 AM
There's another possibility: Hacker bragging rights. Those are some serious, and safe, bragging rights.
Posted by: Cian | April 07, 2010 at 11:53 AM