Chinese cyber spies continue to thrive, apparently unmolested, infecting computers around the world with powerful bots and using them to extract sensitive data, usually without the victims ever knowing.

The latest revelations come in a report entitled “Shadows in the Cloud: An investigation into cyber espionage 2.0,” available here.

The report was co-authored by three organizations: SecDev, an Ottawa, Canada-based security consulting firm; The Citizen Lab at the University of Toronto’s Munk Centre for International Studies; and the U.S.-based Shadowserver Foundation.

“Shadows in the Cloud” is an update of last year’s report from The Citizen Lab and SecDev introducing “GhostNet,” a shadowy group of Chinese-based cyber spies using targeted attacks on government, industry and NGO computers to gather intelligence. (We wrote about SecDev and the original report here.)

The Chinese government disavowed knowledge of that activity so there was no reason to think it had stopped – indeed, in light of Google’s experience, every reason to think it was ongoing. The researchers wanted to know about current levels of activity and methods.

Quick answers: the modus operandi remains pretty much the same, with some wrinkles mainly to do with how targets are infected and information is relayed to control computers. The locus of activity remains China.

The targets remain similar, including governmental and non-governmental organizations at odds with China’s interests – the government of India, for example.

In some cases, the victims were the very same ones targeted by GhostNet. Despite the earlier investigation, the Tibetan government in exile was once again being attacked – a testament to the determination of the people involved and the difficulty of detecting or preventing such attacks.

The level of activity was, if anything, higher.

This time out, the Canadians had help from the Shadowserver Foundation, an interesting volunteer organization of security professionals, conducting research that they share with the world, at no cost. Yes, as in free.

A cynic might dismiss the foundation as a bunch of do-goodniks. In its call for volunteers, it actually cites “purely white hat intentions” as the primary qualification for acceptance into its happy band.

When we caught up with Steven Adair, the Shadowserver security researcher who headed the organization’s efforts on the “Shadows in the Cloud” project, we noticed he frequently referred to the cyber spies he investigated as “the bad guys.”

You hear this sometimes from law enforcement professionals too – though not often from cops investigating violent crime. It connotes a kind of boyish relish for the chase, and implies the quarry are peers – if not moral, then intellectual.

But, hey, there’s nothing wrong with that. If guys like Steven Adair get off on the game of chasing cyber “bad guys” and they’re willing to share the fruits of their efforts with the rest of us, more power to ‘em.

And the white hats at the Shadowserver Foundation do share. It’s a large part of the organization’s raison d’être.

It considers itself a “watchdog group.”  Its mission is to “improve the security of the Internet by raising awareness of the presence of compromised servers, malicious attackers, and the spread of malware.”

To that end, it gathers, tracks and reports on malware, botnet activity and electronic fraud. (Hence its involvement in the “Shadows in the Cloud” project.) The key part is reporting. The foundation regularly publishes reports on its investigations and white papers.  

Even better, it conducts automated ongoing investigations of malware attacks and attempted attacks. If you register IP addresses associated with your networks (here), the foundation will automatically send you reports of any attacks on your infrastructure.

“It’s a pretty good service,” Adair says. “And at a great price of zero dollars.”

The foundation’s involvement in “Shadows in the Cloud” came about because of the earlier SecDev/Citizen Lab report. Adair read it with great interest, noting that it talked about many of the same types of espionage botnets he was investigating – in fact, some of the same botnets. 

As with the GhostNet report, this one carefully steers clear of accusing the Chinese government of conducting cyber espionage – despite circumstantial evidence pointing in that direction.

Much of the activity, the report stresses, could as easily involve “citizen hackers,” individuals loyal to the Chinese government spying on their own time, or intelligence-for-sale operations that dig for information someone might want to buy. Like the Chinese government.

Fighting cyber crime

We asked Adair about the implications of “Shadows in the Cloud” for enterprise security. Are private sector organizations at risk from the same kind of targeted attacks? And what can they do about it if they are?

“These kinds of attacks can happen to anyone that has something of value to steal,” Adair says.

Think about it: confidential customer information, marketing strategies, trade secrets, drug formulas. What company doesn’t have information that somebody else wants and might be willing to pay for – or break the law to obtain.

The espionage activity the foundation and its partners investigated for “Shadows in the Cloud” appears politically motivated. But the mechanisms – bots deployed through adroitly social engineered e-mails that can take control of a target computer, extract data from it and send the data to a control server – could be used as easily for industrial espionage.

One of Adair’s most chilling observations: “There are many, many more networks like the one that we zeroed in on. There are probably dozens or hundreds of them, going after all kinds of different organizations in different countries.”

“We’re not trying to make people paranoid, but they should be worried,” he says

What can companies do to protect themselves?

Oddly, not much more than savvy organizations with responsible security policies are already doing, Adair says. “Some of it goes back to the basics of cyber security, such as keeping patches and virus scanners up-to-date.”

Many of the exploits he investigated involved attackers first leveraging security vulnerabilities to get access to e-mail lists, then spoofing the target with very plausible messages appearing to come from a colleague, with infected attachments.

They couldn’t have completed the first part of the process if targeted networks weren’t vulnerable in the first place because of unpatched software.

Teaching users about social engineering techniques so they recognize spoofs more easily may make sense if an employee is known to be regularly targeted, but it will likely only serve to make the average user paranoid, Adair says.

The trouble is, with targeted attacks on a relative handful of computers – the case with both industrial and politically-motivated espionage – hackers can afford to expend considerable resources on crafting spoofs that will be difficult or impossible to detect.

The foundation’s automated reporting service won’t do much good because it mainly deals with mass attacks not the highly targeted attacks we’re talking about here. Still, Shadowserver – Adair in particular – is vitally interested in botnets and espionage.

“If they think they’ve been attacked,” he says, “we’ll be glad to work with them.”

Gerry Blackwell is a veteran technology journalist based in Canada. He writes monthly for eSecurityPlanet on the topic of cyber security.