Ghostnet

Threat Actor Profile Updated 13 days ago
GhostNet, a threat actor identified as a significant cybersecurity concern, was uncovered in 2009 as a cyber espionage operation that infiltrated computers across 103 countries. The operation demonstrated the vulnerability of government agencies and embassies worldwide to targeted cyber attacks. In one of its notable actions, GhostNet infected 1,295 computers, including the Dalai Lama's network in Dharamsala, India. The cyber espionage operation is believed to originate from China, further escalating global cybersecurity tensions.

Between June and September 2022, GhostNet utilized several command and control (C&C) servers to carry out its operations. The first known C&C server (5.230.73[.]250) was activated on June 1, 2022, followed by others throughout August and September. These servers were instrumental in managing the botnets used in GhostNet's cyber attacks, allowing for remote control and data exfiltration from compromised systems.

In retaliation for GhostNet's activities, hackers targeted various entities linked to the group's presumed origins. Notably, the website of the U.S. Embassy in Beijing was defaced with the phrase "Down with the Barbarians!" Additionally, the email accounts of the Save Darfur Coalition, an organization opposing Chinese involvement in Sudan, were targeted in 2008. These incidents highlight the far-reaching impacts of GhostNet's operations and the subsequent retaliatory actions within the broader context of international cybersecurity.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you may also want to look at.
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Associated Malware
No associations to display
Associated Threat Actors
No associations to display
Associated Vulnerabilities
No associations to display
Source Document References
Information about the Ghostnet Threat Actor was read from the documents corpus below.
Source | Created At | Title
CERT-EU | a year ago | Asylum Ambuscade: crimeware or cyberespionage? | WeLiveSecurity
CERT-EU | 7 months ago | Ten Cybersecurity Horror Stories
CERT-EU | 10 months ago | China's Hacker Army
MITRE | a year ago | Stealing US business secrets: Experts ID two huge cyber 'gangs' in China
MITRE | a year ago | Operation “Ke3chang”: Targeted attacks against ministries of foreign affairs | Mandiant