Cybersecurity company Recorded Future published a report on Nov. 12 revealing a China-linked attack on Tibetan community websites, which is believed to target the personal information of visitors.
The hacker group TAG-112 is believed to be a subgroup of a ring that has been used by the Chinese Communist Party (CCP) to launch cyberattacks on the Tibetan community since 2012.
The Tibetan community is one of what the CCP considers to be five “poisons” to its rule, as its existence offers people an alternative vision of China. The other four groups are the Uyghur ethnic minority in Xinjiang, Falun Gong (a spiritual practice also known as Falun Dafa), Taiwan, and the Chinese democracy movement.
The CCP often accuses Uyghurs, Taiwan, and pro-democracy groups of inciting “separatism,” which it made a criminal offense earlier this year, with penalties as harsh as the death sentence.
According to the report, hackers compromised the websites of Tibet Post and Gyudmed Tantric University on or around May 23. Recorded Future informed both sites of the attack, and the university, which teaches about Tibetan Buddhism, has remedied the issue, but the news site is still compromised.
“This malware, often used by threat actors for remote access and post-exploitation, highlights a continued cyber-espionage focus on Tibetan entities,” the report reads.
Cobalt Strike is legitimate software, but bad actors have used it to carry out sophisticated cyberattacks and to remotely access and command compromised targets, according to Recorded Future. The company recommends that organizations that are CCP targets consider deploying intrusion prevention systems and regularly monitor their network traffic for signs of compromise.
Recorded Future has previously released reports on other CCP-backed cyberattack campaigns, including others against the Tibetan community.
One campaign to spy on the Tibetan community was identified as being carried out from Tsinghua University, often called “China’s MIT,” and used the same infrastructure that has targeted the government of Alaska, entities in Mongolia, the United Nations office in Nairobi, the Kenya Ports Authority, and Daimler AG in Germany. The report noted that the reconnaissance targeting of the other entities occurred during or after talks concerning China’s trade and investment.
Recorded Future noted that state universities in China are often involved in CCP-backed cyberattack campaigns, either directly or indirectly, citing several examples. They have also been linked to Chinese military cyber efforts and espionage and trade secret theft cases in the United States.
The CCP’s targeting of what it considers domestic threats, or the “five poisons,” extends overseas, which human rights groups describe as “transnational repression.”
U.S. officials say the CCP’s transnational repression efforts pose an “extremely dangerous” national security threat that is unique among foreign espionage efforts. It involves not only the surveillance of overseas dissidents but also the infiltration of diaspora groups and illegal efforts to blackmail people into returning to China to face detention or worse.
“Not only do they go after dissidents and political oppositionists and civil society and journalists and bloggers within the PRC [People’s Republic of China], but now are emboldened to go after dissidents, and Chinese nationals, and maybe those who have been exiled or fled,” Dafna Rand, assistant secretary of state for Democracy, Human Rights, and Labor, said at an event last month.
“This is extremely dangerous to the American taxpayer. This means that the United States is fair game for the PRC and others.”