SANS Digital Forensics and Incident Response Blog

Insights into Information Warfare, by Example

By Michael Cloppert


This past weekend, news broke from a variety of sources about the IWM's release of a document detailing a sophisticated, long-running campaign of attacks which compromised computers at the Office of His Holiness the Dalai Lama (OHHDL), titled The snooping dragon: social-malware surveillance of the Tibetan movement. The linked document is the best reference I can find as of this writing; it appears to be a summary by Cambridge University researchers of the same incident. The broader umbrella of activity by what appears to be the same group is being called "GhostNet," and supposedly has impacted organizations in 103 countries.

I have long desired to author an entry discussing common components of contemporary sophisticated attack campaigns, but my own concerns over the lack of citations and operational security imperatives have prevented me from doing so. Here I will provide a qualitative comparison of the report to that end, as well as a few lessons that can be learned. Please note that, much to my regret, many of the points I make herein are not cited as they are the result of my professional experience in the defense industrial base, amongst others. Public domain discussions from that industry can be particularly hard to come by - more on this later.

Let me be the first on this blog to say that the Cambridge report is one of the best analyses of an attack linked to a specific actor or group that I've seen from an intelligence perspective in the public domain. Threat-focused in nature, it correctly scopes analysis on qualification of the actors behind the attacks, rather than simply the vulnerabilities exploited. Incident responders take note: when formulating your response and writing incident reports, the intent, motive, and modus operandi of the adversary are the most important pieces of qualitative data. It is from these that every decision of the adversary, and by extension every attack against your systems and network, flows. A successful response will therefore be guided by this same knowledge. Somewhat aside, I think one of my favorite quotes from the paper is this one: "With hindsight, the Tibetans were fortunate in that the Chinese made the operational error of using surveillance product for a minor and tactical diplomatic purpose." This conclusion demonstrates applied understanding of information warfare (IW) theory by the authors, specifically computer network exploitation (CNE)'s role in achieving social and political objectives [1].


The Cambridge article, while light on technical details, offers quite a few insights as to how the OHHDL attack was executed. As it happens, many of the aspects of this report have in fact been seen over the past few years in attacks by advanced adversaries. Consistent with contemporary sophisticated attacks seen elsewhere, and worth noting for any analyst who protects highly sensitive data on internet-connected machines which may be of specific value from a CNE perspective, are:

  • Email attachments as malcode introduction vector; particularly Office and PDF documents.
  • At least cursory knowledge of social fabric shared by targets, often beginning with open-source research.
  • Leveraging access to real email to lend legitimacy to hostile attachments: "[The attackers] also stole mail in transit and replaced the attachments with toxic ones."
  • Persistent access to data and systems is maintained over time to achieve multiple operational imperatives.
  • HTTP-compliant command-and-control (C2) channel.
  • Consistent C2 protocol, servers used between distinct attacks.
  • Robust capabilities of malware to collect information from host systems.
  • Malicious code is often not detected by anti-virus software (inferred from paragraph 1 of page 8).
  • Ongoing intrusions in an attempt to maintain footholds into the organization.
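
Two of the points above, an HTTP-compliant C2 channel and C2 servers reused between distinct attacks, are what a network defender can actually hunt for in proxy logs. The script below is an added example of mine, not code from the report or from the OHHDL investigation: it parses a handful of constructed proxy log lines, flags client-to-host pairs whose request timing is suspiciously regular (beaconing), and separately flags any client talking to a host on an indicator list carried over from an earlier intrusion. The log format, the client addresses and the `.invalid` hostnames are all constructed for the example.

```python
"""Flag regular HTTP beaconing and contact with C2 hosts known from earlier
intrusions. Added example with constructed data; not from the original report."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log lines: "<ISO timestamp> <client> <method> <url>".
# 10.1.1.5 polls one host every ~5 minutes amid normal browsing;
# 10.1.1.9 browses normally but touches a host seen in a prior intrusion.
SAMPLE_LOG = """\
2009-03-30T08:00:00 10.1.1.5 GET http://update.example-c2.invalid/check.php?id=7
2009-03-30T08:00:02 10.1.1.5 GET http://www.example.invalid/news/index.html
2009-03-30T08:05:01 10.1.1.5 GET http://update.example-c2.invalid/check.php?id=7
2009-03-30T08:10:00 10.1.1.5 GET http://update.example-c2.invalid/check.php?id=7
2009-03-30T08:11:40 10.1.1.5 GET http://www.example.invalid/news/story.html
2009-03-30T08:15:02 10.1.1.5 GET http://update.example-c2.invalid/check.php?id=7
2009-03-30T08:20:00 10.1.1.5 GET http://update.example-c2.invalid/check.php?id=7
2009-03-30T08:03:14 10.1.1.9 GET http://www.example.invalid/index.html
2009-03-30T08:09:51 10.1.1.9 GET http://mail.example.invalid/inbox
2009-03-30T08:30:20 10.1.1.9 GET http://www.example.invalid/about.html
2009-03-30T09:12:05 10.1.1.9 GET http://legacy.example-c2.invalid/a.jpg
"""

# Constructed indicator list: C2 hostnames recorded from a previous intrusion.
# Reuse of infrastructure between attacks is what makes such a list pay off.
KNOWN_C2_HOSTS = {"legacy.example-c2.invalid"}


def parse_log(text):
    """Turn raw log lines into (timestamp, client, destination host) tuples."""
    events = []
    for line in text.splitlines():
        ts, client, _method, url = line.split()
        host = url.split("/")[2]  # scheme://host/path -> host
        events.append((datetime.fromisoformat(ts), client, host))
    return events


def find_beacons(events, min_hits=4, max_cv=0.1):
    """Return (client, host, mean_gap_seconds) for client->host pairs whose
    requests are regularly spaced: at least min_hits requests, and a
    coefficient of variation (stdev / mean) of the gaps below max_cv."""
    times = defaultdict(list)
    for ts, client, host in events:
        times[(client, host)].append(ts)
    beacons = []
    for (client, host), stamps in times.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg < max_cv:
            beacons.append((client, host, round(avg)))
    return beacons


def find_known_c2(events, indicators=KNOWN_C2_HOSTS):
    """Return sorted (client, host) pairs where the host is a known C2 server."""
    return sorted({(client, host) for _, client, host in events if host in indicators})


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    for client, host, gap in find_beacons(evts):
        print(f"beacon: {client} -> {host} every ~{gap}s")
    for client, host in find_known_c2(evts):
        print(f"known C2 contact: {client} -> {host}")
```

The beaconing check is deliberately simple (a coefficient of variation on inter-request gaps); real implants add jitter, so on production logs you would widen `max_cv`, look at longer windows, and combine the timing signal with the indicator match rather than relying on either alone.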

Naturally, there are common tactics, techniques, and procedures (TTPs, to borrow the military parlance) that have been adopted by advanced adversaries in recent years that aren't discussed in the article - presumably because they were not observed in this case, or perhaps omitted for brevity. While not a complete list, below are some other common TTPs of the modern upper-echelon adversary.

  • A feedback loop reinforcing knowledge of social networks, facilitated by information gleaned from compromised systems and accounts.
  • Email delivery vector using URL rather than attachment - to executable, trojanized document, ZIP file, etc.
  • Compromise of suppliers or service companies to exploit established relationships (human or technological) with the target organization.
  • Compromise of legitimate industry- or technology-focused websites to deliver malware, with selective activation of victims in target organizations.
  • USB memory sticks as delivery vector for highly-targeted malware.
  • Manually-crafted malware evolution in direct response to mitigation steps.
  • Adversary situational awareness: rapidly "smash and grab" when it appears the intrusion has been discovered.

Normally I would classify these points according to their respective stage of attack, but I want to save that discussion for another separate entry. While some of them can be called "creepy," these approaches certainly can't be considered all that insightful or revolutionary. Much of this has been discussed in theoretical terms within our community for a very long time. The difference is that some people are now actually doing what was previously only discussed as possible, with a high level of sophistication in the tools themselves and maturity of internal procedures.

Lessons Learned in Report Writing

While the report is a job well done, I do want to call out two aspects that are a bit misleading and should be read with a grain of salt (they also make great lessons learned for other analysts). First, attribution of the activity to "Chinese intelligence services" seems to be made exclusively by the geographic location of the IP addresses, without further references. It is notable that the branch of the Chinese intelligence services which focuses on Tibet is in the same province as the C2 servers, no doubt, but to go on and draw conclusions based on this alone is hasty IMO. Attribution can have serious consequences, so it should be done with the utmost care, where assumptions are clearly explained and shown to be valid.

Second, there is a heavy focus on red-teaming and user awareness as countermeasures to these attacks. While perhaps appropriate recommendations for OHHDL, I feel obligated to point out that this is necessary but insufficient for organizations that can afford a robust security staff whose threat environment includes actors such as these. The only way to address these threats is to model computer network defense as an intelligence-driven operation. This is another approach I'd like to dive into more detail on in a future post.

On Counter-Intelligence

Finally, and with some reticence, I want to briefly touch on a very difficult problem that arises in defending networks against adversaries such as these: balancing disclosure with intelligence priorities. It bears repeating: defending against these sorts of adversaries is an intelligence operation. The authors of the report state:

established governments appear unwilling to discuss their experience of such attacks; the Tibetan openness is by comparison truly enlightened.

The need for the disclosure of adversary TTPs to help the broader community is often painfully juxtaposed against the reality of the implications of security intelligence: when sophisticated adversaries discover that specific TTPs have been exposed (known as counter-intelligence), they simply change them. This is not a fear; it is an observed reality. The impact to network defense, then, is that new, potentially undetectable activity is occurring. I am going to leave it at that, providing no opinion as to where the line should be, and ask that readers not engage in an intractable, lengthy philosophical debate, but focus on the other items discussed above.


[1] Rattray, Gregory J., Strategic Warfare in Cyberspace, Massachusetts Institute of Technology, ISBN 0-262-18209-2, 2001.

Michael is a senior member of an incident response team for a large defense contractor. He has lectured for various audiences from IEEE to DC3, and teaches an introductory class on cryptography. His current work consists of security intelligence analysis and development of new tools and techniques for incident response. Michael holds a BS in computer engineering and has earned GCIA (#592) and GCFA (#711) gold certifications alongside various others.