Handout C: Exfiltrated Files Report

Forensic analysis of files accessed and staged for exfiltration during the Gh0st RAT compromise. The file categories and access patterns reveal the attacker’s intelligence priorities.


Accessed & Staged Files by Category

Category              File Count  Total Size  Access Date Range   Intelligence Value
Diplomatic Cables     243         18.2 GB     Mar 14 - Mar 28     CRITICAL
Personnel Records     156         2.4 GB      Mar 16 - Apr 02     HIGH
Meeting Minutes       89          1.1 GB      Mar 17 - Mar 31     HIGH
Travel Records        67          840 MB      Mar 20 - Apr 05     MEDIUM
Contact Lists         34          450 MB      Mar 14 - Mar 18     MEDIUM
Financial Records     28          320 MB      Mar 22 - Apr 10     MEDIUM
Network Architecture  12          180 MB      Mar 25 - Mar 29     HIGH
Password Hashes       1,240+      45 MB       Mar 14 (initial)    CRITICAL

IM NOTES (Do Not Show to Players): Intelligence priorities visible in access patterns:

  1. Diplomatic Cables First: Attackers immediately targeted diplomatic correspondence. 18.2 GB of cables suggests the attacker copied entire diplomatic databases.

  2. Personnel Records: 156 personnel files allow the attacker to profile embassy staff, identify key decision-makers, and assess vulnerability to future targeting.

  3. Meeting Minutes: Strategic discussions about policy positions, government concerns, and diplomatic negotiations.

  4. Travel Records: When diplomats travel, where they go, and whom they meet. Useful to the attacker for planning future targeted compromises, and a physical security concern for the embassy.

  5. Contact Lists: Identify other organizations and individuals the embassy interacts with. Useful for selecting targets for further operations.

  6. Password Hashes: The attacker immediately stole password hashes for all users, allowing offline cracking and escalation to other systems.

The pattern shows a signals intelligence operation, not a financial crime. The target is diplomatic and governmental information, not money.


Specific Files Staged for Exfiltration

DIPLOMATIC COMMUNICATIONS

Directory: \Users\Shared\Diplomat\Cables\
  2009-03-15_US_Tibet_Policy_Position.docx (2.3 MB)
  2009-03-18_EU_Coordination_Meeting_Notes.docx (1.8 MB)
  2009-03-20_ASEAN_Regional_Security_Briefing.doc (3.2 MB)
  2009-03-22_UN_Voting_Position_Analysis.xlsx (890 KB)
  2009-03-25_Private_Correspondence_Foreign_Minister.eml (2.1 MB)
  └─ [FLAGGED]: Contains handwritten notes in the margin about
     "strategic considerations for Tibet autonomy discussions"

Directory: \Users\Shared\Diplomat\Archive\
  [ENTIRE DIRECTORY] 2003-2009 Diplomatic Correspondence Archive
  (estimated 180+ MB of systematic embassy communications)

The specific files accessed suggest the attacker had detailed knowledge of embassy filing systems and immediately targeted high-value diplomatic communications. The search for “Private_Correspondence_Foreign_Minister” shows the attacker knew the organizational hierarchy and targeted senior officials.

PERSONNEL & SECURITY

Directory: \HR\Personnel\
  [ACCESSED]: Complete personnel database
    - 156 staff records including:
      * Full names, positions, contact information
      * Security clearance levels
      * Assignment history
      * Salary information (sometimes exposed in HR databases)
      * Emergency contacts (useful for applying pressure to targeted staff)

  [FLAG]: Deputy Chief of Mission (potential high-value target for future leverage)

Directory: \Security\Access_Logs\
  [ACCESSED]: Building access card logs
    - Who accessed what areas, when
    - Security routines and patterns
    - After-hours access patterns
    - Visiting guests and their security escorts

Access to personnel and security logs reveals the attacker’s interest in physical security and targeting key individuals. This information could be used for blackmail, kidnapping threats, or future social engineering against specific staff members.

MEETING MINUTES & STRATEGIC DOCUMENTS

Directory: \Strategic_Planning\2009\
  March_Embassy_Country_Assessment.doc (1.4 MB)
    └─ Contents: Assessment of regional government stability,
                 ethnic tensions, security concerns

  Internal_Policy_Debate_Tibet.doc (980 KB)
    └─ Contents: Internal government disagreement on how to handle
                 Tibet autonomy discussions and international pressure

  Intelligence_Briefing_Regional_Threats.doc (2.1 MB)
    └─ Contents: Assessment of various groups considered threats,
                 intelligence sharing with allied nations

Strategic documents give the attacker insight into government thinking, vulnerabilities in policy, internal disagreements, and which groups/nations are targeted for intelligence gathering. This is exactly the information desired in signals intelligence operations.

CONTACT & RELATIONSHIP INTELLIGENCE

Directory: \Contacts\Official\
  [ACCESSED]: Master contact database
    - Relationships with other embassies
    - Contact with international organizations (UN, ICRC, etc.)
    - Relationships with NGOs and civil society
    - Contact with media organizations

  [SAMPLE CONTACTS FLAGGED FOR EXFILTRATION]:
    * Dalai Lama's Representative (Thai office)
    * Tibet Human Rights Organization directors
    * International NGOs focused on human rights
    * Journalists covering geopolitical issues

The attacker specifically targeted contact information for organizations and individuals related to Tibet and human rights. This suggests follow-up targeting – the attacker could use these contacts to identify other potential targets for future GhostNet operations.

This pattern matches Citizen Lab’s findings: GhostNet compromised 1,295 computers across 103 countries, with special focus on Tibetan NGOs, foreign ministries, and international organizations.


Exfiltration Timeline Summary

Phase                         Duration       Files Accessed  Data Exfiltrated  Attacker Activity
Phase 1: Discovery            Mar 14-15      340+            2.8 GB            Mapping network, identifying high-value targets
Phase 2: Priority Extraction  Mar 16-28      580+            18.2 GB           Copying diplomatic cables, strategic documents
Phase 3: Coverage             Mar 29-Apr 10  470+            8.1 GB            Capturing personnel, security, relationship data
Phase 4: Archive              Apr 11-30      190+            4.2 GB            Systematic backup of entire accessible network

Key Discovery Questions

  • What does the file access pattern reveal about the attacker’s priorities?

The attacker is not interested in financial data or intellectual property for commercial purposes. The priority is diplomatic and government information – cables, personnel, meeting minutes, and contacts. This is textbook signals intelligence gathering.

  • Why would the attacker need both current files AND historical archives?

  1. Comprehensive Picture: Understanding how positions evolved over time
  2. Blackmail Material: Historical compromising information on officials
  3. Organizational Learning: Understanding relationships and decision-making patterns
  4. Pattern Analysis: Identifying recurring themes in diplomatic thinking
  5. Context for Future Operations: Understanding what each nation/group cares about

  • How would you detect when files are being staged for exfiltration?

Traditional methods:

  • Monitor file access patterns for unusual volume
  • Alert on access to high-value directories (diplomatic files, security)
  • Track when large numbers of files are opened then transferred out
  • Monitor for archive creation (ZIP, RAR files created before transfer)
  • But: If the attacker has admin access, they can often disable logging or access archived files directly
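The four traditional checks above, turned into detection logic, as an added example that is not part of the original handout or of any real embassy tooling. It assumes a simple pipe-delimited file-access audit format (timestamp|user|host|action|path|bytes), uses the high-value directories named in this handout as the sensitive-path list, and runs over a constructed sample log: one ordinary user reading a couple of documents, and a service account that reads 25 diplomatic cables within a few minutes and then creates a RAR file in a public folder. The window size and the volume threshold are assumed tuning values.

```python
"""Added example: staging-for-exfiltration detection over a constructed audit log.
Log format, directory list usage, thresholds and sample data are all assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# High-value directories taken from the handout; matched case-insensitively as prefixes.
SENSITIVE_DIRS = (
    "\\Users\\Shared\\Diplomat\\",
    "\\HR\\Personnel\\",
    "\\Security\\Access_Logs\\",
    "\\Strategic_Planning\\",
    "\\Contacts\\Official\\",
)
ARCHIVE_SUFFIXES = (".zip", ".rar", ".7z")
WINDOW = timedelta(minutes=10)   # sliding window for volume checks (assumed tuning)
VOLUME_THRESHOLD = 20            # distinct files per user per window (assumed tuning)


def parse_line(line):
    """Parse one line of the assumed format 'YYYY-mm-dd HH:MM:SS|user|host|action|path|bytes'."""
    ts, user, host, action, path, size = line.strip().split("|")
    return {"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), "user": user,
            "host": host, "action": action.upper(), "path": path, "bytes": int(size)}


def is_sensitive(path):
    low = path.lower()
    return any(low.startswith(d.lower()) for d in SENSITIVE_DIRS)


def is_archive(path):
    return path.lower().endswith(ARCHIVE_SUFFIXES)


def analyze(lines):
    """Return alerts keyed by check: sensitive-directory access, read-volume spike,
    archive creation, and staging (many reads shortly followed by an archive)."""
    events = sorted((parse_line(l) for l in lines if l.strip()), key=lambda e: e["ts"])
    alerts = {"sensitive_access": [], "volume_spike": [], "archive_created": [], "staging": []}
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
        if is_sensitive(e["path"]):
            alerts["sensitive_access"].append((e["user"], e["path"]))
        if e["action"] == "CREATE" and is_archive(e["path"]):
            alerts["archive_created"].append((e["user"], e["path"]))

    for user, evs in by_user.items():
        reads = [e for e in evs if e["action"] == "READ"]
        # Sliding window over reads: alert once when distinct files in WINDOW hit the threshold.
        start, flagged = 0, False
        for i, e in enumerate(reads):
            while reads[start]["ts"] < e["ts"] - WINDOW:
                start += 1
            distinct = {r["path"] for r in reads[start:i + 1]}
            if len(distinct) >= VOLUME_THRESHOLD and not flagged:
                alerts["volume_spike"].append((user, len(distinct), e["ts"]))
                flagged = True
        # Staging: an archive created by a user who read many files in the preceding window.
        for e in evs:
            if e["action"] == "CREATE" and is_archive(e["path"]):
                recent = {r["path"] for r in reads if e["ts"] - WINDOW <= r["ts"] <= e["ts"]}
                if len(recent) >= VOLUME_THRESHOLD:
                    alerts["staging"].append((user, e["path"], len(recent)))
    return alerts


def constructed_log():
    """Constructed sample lines (not real data): one normal user, one bulk-reading account."""
    lines = [
        "2009-03-14 09:12:03|jdoe|EMB-WS02|READ|\\Users\\jdoe\\Documents\\agenda.docx|20480",
        "2009-03-14 09:40:51|jdoe|EMB-WS02|READ|\\Users\\jdoe\\Documents\\budget.xlsx|40960",
    ]
    base = datetime(2009, 3, 14, 22, 5, 0)
    for i in range(25):  # 25 cables read eight seconds apart, after hours
        ts = (base + timedelta(seconds=8 * i)).strftime("%Y-%m-%d %H:%M:%S")
        lines.append(f"{ts}|svc_backup|EMB-WS07|READ|\\Users\\Shared\\Diplomat\\Cables\\cable_{i:03d}.docx|2400000")
    lines.append("2009-03-14 22:09:30|svc_backup|EMB-WS07|CREATE|\\Users\\Public\\tmp\\c.rar|61000000")
    return lines


if __name__ == "__main__":
    for kind, hits in analyze(constructed_log()).items():
        print(f"{kind}: {len(hits)} alert(s)")
```

On the constructed log the staging check fires once, for svc_backup, and is the alert worth paging on: sensitive-directory hits alone number in the dozens for a legitimate archivist, but a burst of reads followed by an archive written outside the normal document tree is the pattern the handout describes. The caveat above still applies: these checks only work if the audit records leave the host before an administrator-level attacker can stop or clear logging, so the log source should be forwarded off-host as it is written.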

IM Facilitation Notes

This handout shows:

  • Intelligence-driven targeting (not opportunistic)
  • Systematic data harvesting
  • Focus on diplomatic/government information (SIGINT)
  • Use of stolen contact data for targeting follow-up victims
  • Evidence pointing toward nation-state actor