May 3, 2010
ProxyAnalyst

CyberRisk: Lessons from the GhostNet Report

Recently, a number of web sites I have developed came under a severe hacker attack. Starting last October, several sites were “vandalized” with the site’s home pages replaced with new ones proclaiming that the site had been hacked. A little research into the servers and I thought the problems had been solved.

I was mistaken.

The attacks continued for some months, escalating into a full-blown battle for control of my sites. DDoS, SQL injection, viruses, brute force attacks and god knows what else was thrown at my sites. Eventually, Google forced the site offline by proclaiming that my sites had become predator sites and that anyone visiting the sites should go elsewhere. Several months later, things are returning to normal. Considerable expense and hundreds of man hours were spent fixing the problems and, quite frankly, I am not entirely certain that it won’t happen again.

Questions remain. How did my sites get hacked, who did it and why was it done?

After considerable research into the subject, I discovered that these are the great unknown questions. Answers to these questions can at best be inferred. An acquaintance in the cyber-policy community heard my story and said “Iran and China. Look there for answers.” After further prodding, he referred me to a recent report issued by a Canadian organization, SecDev Group, “Tracking GhostNet: Investigating a Cyber-espionage Network.” This is a frightening exposé of a world around us that most of us, certainly myself, are totally unaware of but should pay close attention to. What I learned from this report was troubling given the risk that we all face from cyber-criminals, cyber-terrorists and nation states bent on asserting themselves on the world stage.

The report details hackers from China (PRC) who waged an attack on the Indian government and the offices of the Dalai Lama. These hackers were able to intrude with impunity into the computers of these organizations, stealing secret information and identities and using those computers to wreak havoc elsewhere.

The pattern was a familiar one to me based on my experience. However, what happened next was even more striking.

As I was putting new security precautions in place on my servers, I found that I could track visitors to my sites. What I found was alarming to say the least. In the time it took me to install the intrusion tracking software (I am speaking about a couple of minutes), a single intruder had tried to enter the site 288 times.

I now know a new technology term: “IP address blocker.”
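The kind of check that turns a finding like the one above (one source, 288 attempts in a couple of minutes) into a block candidate can be scripted against an ordinary web server access log. The following is an added example written for this post, not the author's tracking software or any product's code: it parses combined-format log lines, counts failed requests per source address inside a sliding two-minute window, and reports addresses that cross a threshold. The log lines, addresses and paths are constructed sample data.

```python
"""Flag source IPs that hammer a site: many failed requests inside a short window."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Matches the start of an Apache/nginx "combined" access-log line.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})')

def parse_line(line):
    """Return (ip, timestamp, status) for one log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, int(m.group("status"))

def find_abusive_ips(lines, window=timedelta(minutes=2), threshold=50, failed=(401, 403, 404)):
    """Map each IP whose failed requests ever reach `threshold` inside `window` to its peak count."""
    stamps_by_ip = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed and parsed[2] in failed:
            stamps_by_ip[parsed[0]].append(parsed[1])
    flagged = {}
    for ip, stamps in stamps_by_ip.items():
        stamps.sort()
        start, peak = 0, 0
        for end, t in enumerate(stamps):          # sliding window over sorted timestamps
            while t - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged

def constructed_log():
    """Constructed sample traffic (not real data): one source probing the login page 288 times."""
    base = datetime(2010, 5, 3, 10, 0, 0, tzinfo=timezone.utc)
    fmt = '{ip} - - [{ts}] "{req} HTTP/1.1" {code} 512 "-" "Mozilla/5.0"'
    def line(ip, offset, req, code):
        ts = (base + timedelta(seconds=offset)).strftime("%d/%b/%Y:%H:%M:%S %z")
        return fmt.format(ip=ip, ts=ts, req=req, code=code)
    lines = [line("203.0.113.7", i * 120 / 288, "POST /login.php", 401) for i in range(288)]
    lines += [line("198.51.100.4", 10 * i, "GET /index.php", 200) for i in range(6)]   # normal visitor
    lines += [line("192.0.2.9", 30 * i, "GET /old-page.html", 404) for i in range(3)]  # stray 404s
    return lines

if __name__ == "__main__":
    for ip, count in find_abusive_ips(constructed_log()).items():
        print(f"block candidate {ip}: {count} failed requests within 2 minutes")
```

Feeding the flagged addresses to the firewall is the "IP address blocker" step; the threshold and window should be tuned against the site's normal traffic so that a visitor with a stale bookmark is not blocked alongside a brute-force source.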
