Ghostnet

Threat Actor Profile (updated 3 months ago)
GhostNet is the name given by the Information Warfare Monitor (Citizen Lab and the SecDev Group) to a cyber-espionage network it exposed in March 2009. The investigation began with the computers of the Dalai Lama's office in Dharamsala, India, and traced the intrusion to a network that had compromised 1,295 computers in 103 countries, with a substantial share of the victims being government ministries, embassies and international organizations. The control servers were largely located in China, and the operation is widely believed to have originated there, although the original report stopped short of attributing it to the Chinese government.

The profile also lists command-and-control (C&C) infrastructure active between June and September 2022: the first known server, 5.230.73[.]250, came online on June 1, 2022, and further servers followed through August and September, providing remote control of the implants and a channel for data exfiltration. These dates do not fit the 2009 operation, which was exposed thirteen years earlier; the 2022 infrastructure appears to come from a later campaign in the source corpus below and should not be treated as GhostNet indicators without checking the report it was taken from.

Two other incidents are sometimes grouped with GhostNet: the defacement of the website of the U.S. Embassy in Beijing with the phrase "Down with the Barbarians!" and the 2008 targeting of the email accounts of the Save Darfur Coalition, an organization opposing Chinese involvement in Sudan. Neither is part of the GhostNet operation, and the Save Darfur intrusion predates its discovery, so they cannot be retaliation for it; both are usually cited as examples of China-linked hacking activity from the same period.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
Elderwood (1 vote): Elderwood, also known as the Elderwood Group or the Beijing Group, is a notable threat actor believed to be responsible for numerous high-profile cyber attacks and espionage campaigns. The group's activities date back to at least 2005-2006 and have been linked to various significant incidents, inclu
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Chinese
Associated Malware
No associations to display
Associated Threat Actors
Ke3chang (type unspecified, 1 vote): Ke3chang, also known as APT15, Mirage, Vixen Panda, GREF, and Playful Dragon, is a prominent threat actor that has been active since at least 2010. According to the European Union Agency for Cybersecurity (ENISA), this group has consistently targeted energy, government, and military sectors. Ke3chang
Associated Vulnerabilities
No associations to display
Source Document References
Information about the GhostNet threat actor was read from the documents below (display limited to 20 results).

Source, created at, title:
- CERT-EU, a year ago: China's Hacker Army
- MITRE, a year ago: Operation "Ke3chang": Targeted attacks against ministries of foreign affairs | Mandiant
- CERT-EU, 9 months ago: Ten Cybersecurity Horror Stories
- CERT-EU, a year ago: Asylum Ambuscade: crimeware or cyberespionage? | WeLiveSecurity
- MITRE, a year ago: Stealing US business secrets: Experts ID two huge cyber 'gangs' in China