A new malware campaign has been discovered that is targeting supporters of Tibet’s independence.
Experts consider this to be an attempt at espionage in order to gather information on the pro-Tibetan movement.
The Tibet issue has been a thorny one for mainland China since the administration sent troops to the mountainous region in 1950.
The population of Tibetan Buddhists resident on the Tibetan Plateau have struggled to retain their independence from China, facing brutality and persecution that forced their leader, the Dalai Lama, into exile in northern India in 1959.
Though the central region is now autonomous, the province is still officially under the control of the Chinese government and remains a contentious issue for human rights activists.
Discovery by Cisco Talos
Cisco Talos is a cybersecurity research laboratory that works on identifying malware and finding ways to help average computer users avoid being hacked.
Their researchers discovered this latest malspam and are certain that it is a cyber-espionage campaign as opposed to financial motivations, possibly state-promoted or supported from the Chinese government.
A PowerPoint Presentation Sent as an Email Attachment
Emails were sent to the entire mailing list of the Central Tibetan Administration (CTA), considered to be the Tibetan government in exile, with the subject line “Tibet-was-never-a-part-of-China.”
The email was made to look as though it had been sent from the CTA, using the email ID “Tibetan News” and contained an attachment with a PowerPoint presentation identical to the PowerPoint found on the CTA website published at the beginning of November 2018.
The 60th anniversary of the Dalai Lama’s exile is approaching amidst growing tensions as the Chinese government ramps up its denouncing of the holy leader.
It seems the attackers decided to harness the occasion, stating in the email body that in celebration of the anniversary, the CTA was proposing “a mid-way approach” to Tibetan-Chinese negotiations, an approach that the Dalai Lama himself originally proposed and was then voted on democratically by the Tibetan people.
Fake ‘Reply to’ Email
The attackers corrupted the “reply to” address so that responses to the email would be sent to the attackers themselves.
The attached PPT file, once opened, triggers the download of a Trojan virus which then takes over the system via the remote command center operated by the hackers.
The Trojan, named “ExileRAT,” is a remote access Trojan which can be controlled by the command center to extract information, most likely with regard to the pro-Tibetan movement.
The researchers at Cisco Talos find concerning government-initiated campaigns a trend among authoritarian regimes.
The kinds of malspam often funded and backed by governments are not like ransomware attacks, since demands for money are rarely made.
Instead, the focus is on gathering information in order to advance control and censorship of the population.
The research team pointed out a very similar project that was carried out in Iran to target the users of banned messaging service “Telegram” among its citizens.
Tibetans Repeatedly Targeted
This is not the first time Tibetans and their supporters have been targeted by cyberattack groups.
A Trojan known as LuckyCat was traced back to Chinese hacking groups with the same purpose, to collect information on potential activist activity.
The location of the CTA in Dharamshala, India, and consequently outside the jurisdiction of China, possibly contributes to the use of malware in order to gather such information.
Cyber-espionage may appear the only way, albeit an unethical way, for state actors to keep tabs on the Tibetan leaders and their people. The Tibetans, known to be a peaceful people, will have to take precautions to protect their servers from future attacks.