The Cyber War Against Tibet
Cyberattacks are having a chilling effect on the Central Tibetan Administration and Tibetan diaspora.
Cisco Talos, a group of world-class researchers, analysts, and engineers, recently uncovered a new cyberespionage campaign delivering a malicious Microsoft PowerPoint document using a mailing list run by the Central Tibetan Administration (CTA). The document is a copy of a legitimate file titled “Tibet was never a part of China,” which is available for download from the CTA’s website tibet.net. The malicious version, however, contains a Remote Access Trojan (RAT). The email is targeted at pro-Tibet groups and individuals in order to distribute what has been dubbed ExileRAT. The attack delivers an Android- and Windows-based Trojan capable of stealing system and personal information, terminating or launching processes, or carrying out surveillance and the theft of data.
As the volume and sophistication of cyberattacks grow worldwide, it is essential for the CTA and Tibetan nongovernmental organizations (NGOs) to take the necessary precautions to protect their sensitive data and the personal information of their employees.
The Tibetan community has been persistently targeted by digital espionage operations for over a decade. The scale of China’s operation was not clear until 2009, when the University of Toronto’s Citizen Lab released a report titled “Tracking Ghostnet.” The report explicitly laid out, for the first time, the scope of cyberespionage and how deeply it had infiltrated the Tibetan movement, including the office of the Dalai Lama.
The recent cyberespionage attempt targeting the CTA and Tibetan NGOs is just one facet of more comprehensive and sophisticated cyberattacks perpetrated by Chinese state-sponsored hackers. The goal is primarily to gain entry into the network system of the CTA, and consequently to monitor activities and extract information using various social engineering techniques.
Last year, Citizen Lab documented the use of suspicious emails with links to complex malware in its January 30, 2018 report, “Spying on a Budget: Inside a Phishing Operation With Targets Inside the Tibetan Community.” The source of the phishing operation could not be determined, according to Citizen Lab; Tibetans are inclined to believe that the Chinese government is behind these malicious activities. As Citizen Lab notes, “Uyghurs, Falun Gong supporters, and Tibetan groups are well documented targets of digital espionage operations that are often suspected to be carried out by operators directly sponsored or tacitly supported by Chinese government agents.”
The Tibetan Computer Resource Center (TCRC) comes under the direct administration of the Department of Information and International Relations under the CTA. Speaking to the author, Namgyal Lekshay, director of the TCRC, said: “In the past six months, we have been observing an increase in phishing operations targeting the Tibetan community. We created awareness amongst users about phishing attacks in a variety of ways, including educating [about] basic and safe browsing practices and also by notifying users of dangerous links in email and browsers [and] preventing suspicious account sign-ins and conducting workshops. We have suggested not to open unsolicited attachments from suspicious email accounts.” He further emphasized that “earlier, cyberattacks on Tibetan organizations were restricted only to special occasions, like the anniversaries of March 10th Tibetan uprising day and the Dalai Lama’s birthday etc… but now the trend has completely changed. Tibetan organizations in Dharamshala are targeted with Distributed Denial of Service and phishing attacks frequently.”
The Authors
Tenzin Dalha is a research fellow at the Tibet Policy Institute, doing research on Chinese cybersecurity policy and the social media landscape of Tibetan society.