A cyber-espionage group based in southwest China stole documents from the Indian Defence Ministry and emails from the Dalai Lama's office, a group of Canadian researchers said in a report released Tuesday.

The cyber-spies used popular online services, including Twitter, Google's Google Groups and Yahoo mail, to access infected computers, ultimately directing them to communicate with command and control servers in China, according to the report, Shadows in the Cloud.

We have no evidence in this report of the involvement of the People's Republic of China (PRC) or any other government in the Shadow network, wrote the authors, who are researchers based at the University of Toronto's Munk School of Global Affairs.

But an important question to be entertained is whether the PRC will take action to shut the Shadow network down.

They concluded the network was likely run by individuals with connections to the Chinese criminal underworld, and information might have been passed to branches of the Chinese government.

I don't know what evidence these people have, or what their motives are, Chinese Foreign Ministry spokeswoman Jiang Yu said, in response to questions about the report. She added that China could investigate if it were provided with evidence.

Our policy is very clear. We resolutely oppose all Internet crime, including hacking.

Stolen documents recovered by the researchers contained sensitive information taken from India's National Security Council Secretariat, the group said.

They included secret assessments of India's security situation in its northeastern states bordering Tibet, Bangladesh and Myanmar, as well as insurgencies by Maoists.

Confidential information taken from Indian embassies include assessments of Indian relations with West Africa, Russia, former Soviet republics and the Middle East, it said.

Information supplied by visa-seekers to the Indian embassy in Afghanistan and the Indian and Pakistani embassies in the United States were also compromised, the report said.

We have heard about the hacking report and the concerned department is looking into the case, said Sitanshu Kar, spokesman for the Indian Defense Ministry.


A year ago, the same researchers described a systematic cyber-infiltration of the Tibetan government-in-exile, which they dubbed GhostNet.

Some of the command and control centres listed in the GhostNet report went offline, the researchers said, but provided leads for the latest investigation.

Domains used in both attacks resolved to an IP address in Chongqing, a large city in southwest China, while addresses in the nearby city of Chengdu were used to control Yahoo Mail accounts used in the attacks, the report said.

The report traced part of the network to individuals in Chengdu who are graduates of the University of Electronic Science and Technology of China and alleged to have links with the Chinese hacking community.

Attacks using social engineering to gain trust and access have garnered more attention since Google announced in January that it, along with more than 20 other companies, had suffered a hacking attack out of China. Google ultimately withdrew its Chinese-language search service from the mainland.

The cyber-spies managed to penetrate a circle of individuals with knowledge of Indian military projects, as well as acquiring information about military engineering projects, the report said.

A U.N. commission based in Thailand was also compromised.

The data gathered by the researchers showed that security breaches in one group can result in the theft of confidential information from another organization, a factor that makes it hard to distinguish the ultimate purpose of the cyber-spying.

The researchers said the capture of the emails from the Dalai Lama's office allowed the spies to track who might be contacting the Tibetan spiritual leader, who China accuses of seeking Tibetan independence.

(Additional reporting by Ben Blanchard and Bappa Majumdar in New Delhi; Editing by Benjamin Kang Lim and Sugita Katyal)