GhostNet
An investigation into the Dalai Lama's compromised computers uncovered a 1,295-machine espionage network reaching into 103 countries' ministries and embassies.
In 2008, the Office of the Dalai Lama asked researchers at the University of Toronto's Citizen Lab to examine its computers. The Tibetan government-in-exile suspected its communications were being read. They were right, and the scope of what the investigators found went far beyond one organization.
A network of 1,295 hosts
Over ten months, the Citizen Lab team — working with the Information Warfare Monitor — mapped a command-and-control infrastructure they named GhostNet. It linked roughly 1,295 compromised hosts across 103 countries. Close to a third of the targets were what the researchers classified as high-value: ministries of foreign affairs, embassies, international organizations, and news media. The implant could exfiltrate documents and, notably, silently activate a compromised computer's webcam and microphone — turning the machine into a listening device in a diplomat's office.
The infrastructure had strong indicators pointing toward origins in China, but the researchers were careful in their report to distinguish technical evidence from attribution, declining to definitively assign the operation to the Chinese state and noting the difficulty of doing so rigorously.
What the chronicle remembers
GhostNet is the report that brought systematic cyber-espionage against civil society and diplomatic targets into public, evidence-based daylight. It also established Citizen Lab's methodological template — patient technical investigation, careful attribution language, public reporting — that would later define the documentation of commercial spyware like Pegasus a decade on.