The new Shadowserver Foundation report is out; everyone has ooh’d over folk stealing the Dalai Lama’s e-mail, etc. Others have pointed to the concentration on the Indian military establishment.
Technically, the interesting points are that the attackers used mass-market Internet services, like Yahoo! Mail, as transports for their botnet command-and-control messages, and that they made heavy use of malicious PDF files as the initial attack vector, usually personalised to the target. The report’s network visualisations also suggest that being able to register DNS names cheaply and with little accountability is very important to the system as a whole: each name is requested by many, many bots and resolves, over time, to many, many web servers. Fast-flux DNS, or something like it, would seem to be a crucial part of the system.
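That one-name, many-bots, many-servers pattern is something a network defender can look for in resolver logs. What follows is an added example, not code from this post or from the report: it scores every queried name by fan-in (distinct internal clients asking for it) and fan-out (distinct addresses it resolved to) and flags names that score high on both. The log format, the hostnames, the addresses and the thresholds are all constructed for illustration.

```python
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Assumed resolver log line: "<timestamp> <client_ip> <queried_name> <answer_ip>".
# This format is constructed for the example; real resolver logs (BIND, Unbound,
# passive DNS) need their own parser, but the aggregation below is the same.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>(?:\d{1,3}\.){3}\d{1,3})\s+"
    r"(?P<qname>[A-Za-z0-9.-]+)\s+(?P<answer>(?:\d{1,3}\.){3}\d{1,3})$"
)

# Constructed sample log. "img-update.example.net" plays the bot rendezvous name:
# six internal hosts ask for it, and it resolves to five different addresses.
# "mail.example.org" has many clients but one address (an ordinary service) and
# "dev-box.example.org" has one client but several addresses (ordinary churn).
# Addresses are RFC 5737 documentation ranges; nothing here is real data.
SAMPLE_LOG = """\
2010-04-06T09:00:01 10.0.0.11 img-update.example.net 203.0.113.5
2010-04-06T09:00:04 10.0.0.12 img-update.example.net 203.0.113.9
2010-04-06T09:00:09 10.0.0.13 img-update.example.net 198.51.100.20
2010-04-06T09:00:15 10.0.0.14 img-update.example.net 198.51.100.21
2010-04-06T09:00:21 10.0.0.15 img-update.example.net 203.0.113.5
2010-04-06T09:00:30 10.0.0.16 img-update.example.net 192.0.2.77
2010-04-06T09:01:02 10.0.0.11 mail.example.org 192.0.2.10
2010-04-06T09:01:05 10.0.0.12 mail.example.org 192.0.2.10
2010-04-06T09:01:07 10.0.0.13 mail.example.org 192.0.2.10
2010-04-06T09:01:10 10.0.0.14 mail.example.org 192.0.2.10
2010-04-06T09:02:00 10.0.0.40 dev-box.example.org 198.51.100.50
2010-04-06T09:02:05 10.0.0.40 dev-box.example.org 198.51.100.51
2010-04-06T09:02:10 10.0.0.40 dev-box.example.org 198.51.100.52
2010-04-06T09:02:15 10.0.0.40 dev-box.example.org 198.51.100.53
this line is malformed and should be skipped
"""


def parse_line(line: str) -> Optional[Tuple[str, str, str]]:
    """Return (client_ip, queried_name, answer_ip), or None if the line does not parse."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    qname = m.group("qname").lower().rstrip(".")  # normalise case and trailing dot
    return m.group("client"), qname, m.group("answer")


def aggregate(lines: Iterable[str]) -> Dict[str, Tuple[Set[str], Set[str]]]:
    """Per queried name, collect the distinct clients and the distinct answers."""
    stats: Dict[str, Tuple[Set[str], Set[str]]] = defaultdict(lambda: (set(), set()))
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # malformed lines are skipped, not fatal
        client, qname, answer = parsed
        clients, answers = stats[qname]
        clients.add(client)
        answers.add(answer)
    return dict(stats)


def rendezvous_candidates(lines: Iterable[str], min_clients: int = 3,
                          min_answers: int = 3) -> List[Tuple[str, int, int]]:
    """Names with both high fan-in (many clients) and high fan-out (many answers).

    Returns (name, distinct_clients, distinct_answers) tuples, strongest first.
    The thresholds are assumptions; tune them against a baseline for your network.
    """
    hits = []
    for qname, (clients, answers) in aggregate(lines).items():
        if len(clients) >= min_clients and len(answers) >= min_answers:
            hits.append((qname, len(clients), len(answers)))
    hits.sort(key=lambda h: (-(h[1] * h[2]), h[0]))
    return hits


if __name__ == "__main__":
    for name, fan_in, fan_out in rendezvous_candidates(SAMPLE_LOG.splitlines()):
        print(f"{name}: {fan_in} clients, {fan_out} distinct answers")
```

Two caveats. First, this is a triage filter, not a verdict: large CDNs and busy mail or web properties also show high fan-in and high fan-out, so the ranked output needs an allowlist or a comparison against a historical baseline before anyone acts on it. Second, it only catches the attacker-registered-name leg of the architecture; the leg that rides on Yahoo! Mail and similar mass-market services is, by design, indistinguishable at the DNS layer from ordinary users checking their webmail.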
Politically, the first major insight is that India is the top priority, and India well beyond the Tibetan exile institutions it hosts. Even excluding the Tibetan targets, India dominates every category in the report. Indian institutions are the top targets: alongside a wide range of defence organisations, the Indian Railways are in there. There’s no word on Bollywood yet. So far, so clear: rather than worrying about much-fancied dissidents or Tibetans, the strategic priority is the local peer competitor.
On page 33, however, the report describes what was exfiltrated from the Indian National Security Council Secretariat:
In addition to documents containing the personal and financial information of what appears to be the compromised individual, the exfiltrated documents focus on India’s security situation in the states of Assam, Manipur, Nagaland, and Tripura, as well as the Naxalites, Maoists, and what is referred to as “left-wing extremism”.
Now, it’s very possible that this is just the effect of dragging a big scoop through a flock of top Indian Civil Service presentations. On the other hand, why would China prize data on Shokly’s lot? Various options are possible. One, they’re splittists causing irresponsible destabilisation and obstructing construction – and they want to either know all about them in case of war, or else know all about them because they’re both a bunch of modern thinkers very keen on big coal mines.
Another would be that the Chinese side is interested in the Naxalites as a potential model for their own internal chaos, as Jamie Kenny would say. China’s forced-draft modernisation – as Samuel Huntington might have said in one of his periodic bouts of moral self-abasement – is constantly reacting with a tough working class that expresses its protests by burning down Communist Party offices. Like India, they have deeply uneven development, and a strange relationship between top-down, authoritarian modernisation and federalism. Perhaps they’re wondering what form a super-MGI would take?
Yet a further option would be that the Ghostnet team are interested in the Naxalites because they’re rebels themselves. They may be working for the Party, but it’s very clear from the report that the line between the commercial spammer/botherd business and the spooks is blurred. The same techniques and the same people and the same places appear in both. In one way, this suggests that the crimeware world is a significant resource for the Party and the government; in another way, it suggests that they’re beholden for this to an unruly and uncontrollable gang of botnet masters who’d frame their grandmothers as paedophiles for money, and do worse for bragging rights.