The Shadow Network is aChina-based computer espionage operation that stole classified documents and emails from theIndian government, the office of theDalai Lama, and other high-level government networks.^[1][2] This incident is the secondcyber espionage operation of this sort by China, discovered by researchers at theInformation Warfare Monitor, following the discovery ofGhostNet in March 2009.^[3][4][5] The Shadow Network report "Shadows in the Cloud: Investigating Cyber Espionage 2.0" was released on 6 April 2010, approximately one year after the publication of "Tracking GhostNet."^[6]

The cyber spying network made use of Internet services,^[5] such associal networking andcloud computing platforms.^[4] The services includedTwitter,Google Groups,Baidu,Yahoo Mail,Blogspot, andblog.com,^[5] which were used to hostmalware^[7] and infect computers with malicious software.^[4]

The Shadow Net report^[8] was released following an 8-month collaborative investigation between researchers from the Canada-based Information Warfare Monitor and the United StatesShadowserver Foundation.^[3][7][9] The Shadow Network was discovered during the GhostNet investigation,^[3] and researchers said it was more sophisticated and difficult to detect.^[3][5] Following the publication of the GhostNet report, several of the listed command and control servers went offline;^[3][10] however, the cyber attacks on the Tibetan community did not cease.^[10]

The researchers conducted field research inDharamshala, India, and with the consent of the Tibetan organizations, they were able to monitor the networks in order to collect copies of the data from compromised computers and identify command and control servers used by the attackers.^[7][11] The field research done by the Information Warfare Monitor and the Shadowserver Foundation found that computer systems in the Office of His Holiness the Dalai Lama (OHHDL) had been compromised by multiple malware networks, one of which was the Shadow Network.^[12]

Further research into the Shadow Network revealed that, while India and the Dalai Lama's offices were the primary focus of the attacks,^[5] the operation compromised computers on every continent except Australia and Antarctica.^[1][13]

The research team recovered more than 1,500 e-mails from the Dalai Lama's Office^[1][4] along with a number of documents belonging to the Indian government.^[1] This included classified security assessments in several Indian states, reports on Indian missile systems,^[10] and documents related to India's relationships in the Middle East, Africa, and Russia.^[1][5] Documents were also stolen related to the movements ofNATO forces in Afghanistan,^[5] and from theUnited Nations Economic and Social Commission for Asia and the Pacific (UNESCAP).^[4][5] The hackers were indiscriminate in what they took, which included sensitive information as well as financial and personal information.^[4]

The attackers were tracked through e-mail addresses^[4] to the Chinese city ofChengdu in Sichuan province.^[1][3] There was suspicion, but no confirmation, that one of the hackers had a connection to theUniversity of Electronic Science and Technology in Chengdu.^[2] The account of another hacker was linked to a Chengdu resident who claimed to know little about the hacking.^[5]

• Shadowserver Foundation
• Citizen Lab
• The SecDev Group (dead;archive)
• Information Warfare Monitor

• Cyberwarfare by China
• Spyware
• Cyberattacks
• Cyberwarfare
• Espionage projects
• Cybercrime in India
• 2010 in China
• Mass intelligence-gathering systems
• Cyberattack gangs
• Chinese advanced persistent threat groups
• China–India relations
• Chinese information operations and information warfare
• Tibetan diaspora in India
• 14th Dalai Lama
• Hacking in the 2010s
• Political repression in China
• 2010 crimes in India
• 2010s in Himachal Pradesh
• Dharamshala
• Central Tibetan Administration

• Articles with short description
• Short description matches Wikidata
• Use dmy dates from April 2025