Report: Chinese hackers penetrated Indian government computers


Cybersecurity researchers traced a hacking network, which primarily attacked the Indian government and military, to servers in China and released their findings in a report posted online April 5.

The hacking network, dubbed Shadow by researchers from the Canada-based Information Warfare Monitor and the Shadowserver Foundation, an online organization, relies on core servers located in China, the report states; specifically, the servers are in the city of Chengdu, the capital of Sichuan province.

Around the core servers is a complex ecosystem of seemingly innocuous websites and dynamic server hosting, the report states. The outermost layer consists of blogs, newsgroups and social networking services. When infected computers access those services, command and control is handed off to another location, often an account hosted by a free web hosting provider. Should that middle layer be disabled--possibly because the web hosting provider detected the malicious activity--infected computers then beacon to the stable inner core of servers, the report states.

"In total, we found three Twitter accounts, five Yahoo! Mail accounts, twelve Google Groups, eight Blogspot blogs, nine Baidu blogs, one Google Sites and sixteen blogs on blog.com that were being used as part of the attacker's [outer layer] infrastructure," the report states.

Researchers relied on multiple techniques to map the network, including a DNS sinkhole. DNS sinkholing is a technique in which administrators register expired domain names previously used as command and control servers in cyber attacks, point them at a server they control, and observe the incoming traffic from still-compromised computers.
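As an added illustration of what a sinkhole operator actually does with the traffic described above (this is not code from the report or from the researchers), the following script parses a constructed sample of sinkhole DNS query logs, keeps only queries for the registered former C2 names, and tallies per client how often and how regularly each still-infected host checks in. The log format, the `.invalid` domain names and the client addresses are all assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of sinkhole DNS query log lines (not from the report).
# Assumed format: "<ISO timestamp> <client_ip> <queried name> <qtype>"
SAMPLE_LOG = """\
2010-04-01T09:00:12 198.51.100.23 example-c2-1.invalid A
2010-04-01T09:00:14 203.0.113.7 example-c2-1.invalid A
2010-04-01T09:05:12 198.51.100.23 example-c2-1.invalid A
2010-04-01T09:07:30 203.0.113.9 example-c2-2.invalid A
2010-04-01T09:10:12 198.51.100.23 example-c2-1.invalid A
2010-04-01T09:12:00 192.0.2.44 www.example.com A
"""

# Expired C2 domains the sinkhole operator re-registered (hypothetical names).
SINKHOLED = {"example-c2-1.invalid", "example-c2-2.invalid"}

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")

def parse_line(line):
    """Split one log line into (timestamp, client_ip, qname, qtype); None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, qname, qtype = m.groups()
    return datetime.fromisoformat(ts), client, qname.lower().rstrip("."), qtype

def summarize_sinkhole(log_text, sinkholed=SINKHOLED):
    """Return {domain: {client_ip: {"count", "first", "last"}}} for queries to sinkholed names only."""
    hits = defaultdict(dict)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, client, qname, _ = rec
        if qname not in sinkholed:          # unrelated traffic is ignored
            continue
        entry = hits[qname].setdefault(client, {"count": 0, "first": ts, "last": ts})
        entry["count"] += 1
        entry["first"] = min(entry["first"], ts)
        entry["last"] = max(entry["last"], ts)
    return dict(hits)

def beacon_interval_seconds(entry):
    """Average spacing between a client's queries; None if only one query was seen."""
    if entry["count"] < 2:
        return None
    return (entry["last"] - entry["first"]).total_seconds() / (entry["count"] - 1)

if __name__ == "__main__":
    for domain, clients in summarize_sinkhole(SAMPLE_LOG).items():
        for ip, e in clients.items():
            print(domain, ip, e["count"], beacon_interval_seconds(e))
```

A host that queries the same former C2 name at a steady interval (300 seconds for 198.51.100.23 in the sample) is the kind of still-compromised machine the sinkhole is meant to reveal, which the operator can then report to the owning organization.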

The vast majority of the Shadow network's known attacks were directed at computers owned by Indian government, military, diplomatic and academic institutions. Researchers recovered documents stored on a hacker server that were marked "secret," "restricted," and "confidential."

However, just because researchers uncovered evidence of hacked Indian computers doesn't mean that the Shadow network hasn't penetrated elsewhere, the report warns. Moreover, because information is shared online, entities not targeted for direct attack can still have their information compromised.

Although the core servers are located in China, there is no proof of Chinese government involvement. Official involvement "is certainly possible," the researchers write, but there is no direct evidence of it.

A Chinese Foreign Ministry spokesman told the official Chinese newswire on April 6 that he has "no idea what evidence they have or what motives lie behind."

For more:
- check out the report (.pdf), "Shadows in the Cloud: An Investigation Into Cyberespionage 2.0"
- read this New York Times article about the researchers
- read a statement by the Chinese government calling the report groundless and urging international cooperation against hacking
