GhostNet

aka: Snooping Dragon

Cyber espionage is an issue whose time has come. In this second report from the Information Warfare Monitor, we lay out the findings of a 10-month investigation of alleged Chinese cyber spying against Tibetan institutions. The investigation, consisting of fieldwork, technical scouting, and laboratory analysis, discovered a lot more. The investigation ultimately uncovered a network of over 1,295 infected hosts in 103 countries. Up to 30% of the infected hosts are considered high-value targets and include computers located at ministries of foreign affairs, embassies, international organizations, news media, and NGOs. The Tibetan computer systems we manually investigated, and from which our investigations began, were conclusively compromised by multiple infections that gave attackers unprecedented access to potentially sensitive information.

Attacks on the Dalai Lama’s Private Office

The OHHDL started to suspect it was under surveillance while setting up meetings between His Holiness and foreign dignitaries. They sent an email invitation on behalf of His Holiness to a foreign diplomat, but before they could follow it up with a courtesy telephone call, the diplomat’s office was contacted by the Chinese government and warned not to go ahead with the meeting. The Tibetans wondered whether a computer compromise might be the explanation; they called ONI Asia who called us. (Until May 2008, the first author was employed on a studentship funded by the OpenNet Initiative and the second author was a principal investigator for ONI.)

Associated Families

There are currently no families associated with this actor.

2009-03-29, Wikipedia, Various (accessed 2020-01-07)
GhostNet
Gh0stnet GhostNet

2009-03-28, Infinitum Labs, Information Warfare Monitor (accessed 2022-09-30)
Tracking GhostNet: Investigating a Cyber Espionage Network
Ghost RAT GhostNet

2009-03, Shishir Nagaraja, Ross Anderson (accessed 2019-11-08)
The snooping dragon: social-malware surveillance of the Tibetan movement

Credits: MISP Project