Shadow Network

The Shadow Network is a China-based computer espionage operation that stole classified documents and emails from the Indian government, the office of the Dalai Lama, and other high-level government networks. This is the second cyber espionage operation of this sort discovered by researchers at the Information Warfare Monitor, following the discovery of GhostNet in March 2009. The Shadow Network report “Shadows in the Cloud: Investigating Cyber Espionage 2.0” was released 6 April 2010, approximately one year after the publication of "Tracking GhostNet".

The cyber spying network made use of Internet services, such as social networking and cloud computing platforms. The services included Twitter, Google Groups, Baidu, Yahoo Mail, Blogspot, and blog.com, which were used to host malware and infect computers with malicious software.

Discovery
The Shadow Net report was released following an 8-month collaborative investigation between researchers from the Canada-based Information Warfare Monitor, and the United States Shadowserver Foundation. The Shadow Network was discovered during the GhostNet investigation, and researchers said it was more sophisticated and difficult to detect. Following the publication of the GhostNet report, several of the listed command and control servers went offline; however, the cyber attacks on the Tibetan community did not cease.

The researchers conducted field research in Dharamshala, India, and with the consent of the Tibetan organizations, were able to monitor the networks in order to collect copies of the data from compromised computers and identify command and control servers used by the attackers. The field research done by the Information Warfare Monitor and the Shadowserver Foundation found that computer systems in the Office of His Holiness the Dalai Lama (OHHDL) had been compromised by multiple malware networks, one of which was the Shadow Network.

Further research into the Shadow Network revealed that, while India and the Dalai Lama’s offices were the primary focus of the attacks, the operation compromised computers on every continent except Australia and Antarctica.

The research team recovered more than 1,500 e-mails from the Dalai Lama’s Office along with a number of documents belonging to the Indian government. This included classified security assessments in several Indian states, reports on Indian missile systems, and documents related to India’s relationships in the Middle East, Africa, and Russia. Documents were also stolen related to the movements of NATO forces in Afghanistan, and from the United Nations Economic and Social Commission for Asia and the Pacific (UNESCAP). The hackers were indiscriminate in what they took, which included sensitive information as well as financial and personal information.

Origin
The attackers were tracked through e-mail addresses to the city of Chengdu in the Sichuan province of China. There was suspicion but no confirmation that one of the hackers had a connection to the University of Electronic Science and Technology in Chengdu. The account of another hacker was linked to a Chengdu resident who claimed to know little about the hacking.