Two prominent Tibetan websites, Tibet Post and Gyudmed Tantric University, are the latest targets of a cyber-espionage campaign that Recorded Future’s Insikt Group attributes to TAG-112, a Chinese state-sponsored threat group. The campaign illustrates China’s intensified surveillance and control efforts against Tibetan organizations through cyberattacks.
The attackers compromised the websites in May 2024, exploiting security weaknesses in Joomla, the content management system both sites run, to embed malicious JavaScript. The script displayed a spoofed TLS certificate error and prompted visitors to download a supposed “security certificate”; once executed, the file deployed Cobalt Strike on the visitor’s system. Cobalt Strike is a commercial adversary-simulation framework used legitimately by penetration testers and red teams, but it is also widely abused by threat actors to gain unauthorized access and remotely control compromised systems. The lure is worth recognizing on sight: a genuine certificate error is rendered by the browser itself, not by the page’s content, and no browser resolves one by asking the user to download and run a file.
Overview of TAG-112’s Attack Techniques
TAG-112 placed its infrastructure behind Cloudflare, so the true hosting IP of its command-and-control (C2) server was not exposed to visitors or to defenders inspecting traffic. Operating through domains such as update[.]maskrisks[.]com, the group styled its lure to resemble a browser certificate warning, deceiving visitors into clicking a “download” button that delivered the Cobalt Strike payload.
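As an added example (not code from the article or from Recorded Future), the following Python scanner shows how a site owner or defender could check fetched pages of a Joomla site for the injection described above: script tags loading from a host outside the site's own, references to the indicator update.maskrisks.com, and inline script that pairs certificate-error wording with a download prompt. The sample page, the placeholder first-party host www.tibetpost.example and the lure phrases are constructed assumptions; only the indicator domain comes from the article.

```python
import re
from html import unescape
from urllib.parse import urlsplit

# Indicator named in the article (written defanged there as update[.]maskrisks[.]com).
SUSPECT_HOSTS = {"update.maskrisks.com"}

# Heuristic lure wording. These phrases are assumptions about what a fake
# certificate-error overlay tends to say, not strings quoted from the TAG-112 sample.
LURE_PHRASES = ("certificate", "not secure", "not private")
DOWNLOAD_HINTS = ("download", ".exe", ".msi")

SCRIPT_RE = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.IGNORECASE | re.DOTALL)
SRC_RE = re.compile(r"""\bsrc\s*=\s*["']?([^"'\s>]+)""", re.IGNORECASE)
URL_RE = re.compile(r"""https?://[^\s"'<>)]+""", re.IGNORECASE)


def host_of(url: str):
    """Lowercase hostname of an absolute or protocol-relative URL; None for a relative path."""
    h = urlsplit(url).hostname
    return h.lower() if h else None


def scan_page(page_html: str, first_party_hosts: set) -> list:
    """Return (kind, detail) findings for one fetched HTML page."""
    findings = []
    for attrs, body in SCRIPT_RE.findall(page_html):
        m = SRC_RE.search(attrs)
        if m:
            host = host_of(m.group(1))
            if host in SUSPECT_HOSTS:
                findings.append(("ioc_script_src", m.group(1)))
            elif host and host not in first_party_hosts:
                # Any third-party script host deserves a look after a CMS compromise.
                findings.append(("unexpected_external_script", m.group(1)))
        text = unescape(body)
        for url in URL_RE.findall(text):
            if host_of(url) in SUSPECT_HOSTS:
                findings.append(("ioc_in_inline_script", url))
        low = text.lower()
        if any(p in low for p in LURE_PHRASES) and any(d in low for d in DOWNLOAD_HINTS):
            findings.append(("cert_error_lure", "inline script pairs certificate wording with a download"))
    return findings


# Constructed sample page for the example: a Joomla-style page with one first-party
# script plus an injected external loader and an inline overlay. Not the real injection.
SAMPLE_PAGE = """<!DOCTYPE html>
<html><head><title>Example site</title>
<script src="/media/jui/js/jquery.min.js"></script>
<script src="https://update.maskrisks.com/js/loader.js"></script>
</head><body>
<div id="content">Articles...</div>
<script>
  var msg = "Your connection is not private. Please download the security certificate to continue.";
  var link = "https://update.maskrisks.com/download/cert.exe";
  document.body.insertAdjacentHTML("beforeend", "<div>" + msg + " <a href='" + link + "'>Download</a></div>");
</script>
</body></html>
"""
FIRST_PARTY_HOSTS = {"www.tibetpost.example"}  # placeholder, assumed for the example

if __name__ == "__main__":
    for kind, detail in scan_page(SAMPLE_PAGE, FIRST_PARTY_HOSTS):
        print(f"{kind}: {detail}")
```

Run this over every page of the site from a crawl, not just the front page: an injected loader can be confined to a template file that only some pages include. The first-party allowlist should be the hosts the site genuinely serves scripts from, so that anything else surfaces as unexpected even when no known indicator is present.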
This attack chain is distinct from, and less sophisticated than, that of TAG-102, another Chinese threat group that has previously targeted Tibetan entities. Where TAG-102 has developed custom malware and employed complex obfuscation, TAG-112 relies on widely available tooling and simpler attack vectors. The overlap in techniques, particularly the spoofed TLS error page, nevertheless points to a broader pattern in China’s state-sponsored campaigns against ethnic and religious minority groups.
The Role of Cobalt Strike in TAG-112’s Cyber-Espionage Campaign
Cobalt Strike, though built as a legitimate tool for security testing, has become a potent weapon in the hands of malicious actors. TAG-112 deployed it to establish persistent remote access to compromised systems, enabling prolonged surveillance and data collection. Recorded Future’s Insikt Group identified six unique Cobalt Strike beacon samples associated with TAG-112. Each beacon calls back to TAG-112’s C2 infrastructure on a schedule, giving the attackers extensive control over the infected device.
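Beacon traffic is the part of this campaign a network defender can see after the fact. As an added example (not from the article or from Recorded Future), the following Python script runs two checks over proxy log lines: a match against the indicator hostname from the article, and a periodicity test that flags a client contacting the same host at near-constant intervals, which catches a beacon whose domain is not yet on any list. Because the C2 sat behind Cloudflare, the destination IP in such logs would be a Cloudflare address shared with countless legitimate sites, so both checks key on the hostname (from the HTTP Host header or TLS SNI), not the IP. The log lines, the client addresses, the 60-second cadence and the thresholds are all constructed assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Indicator named in the article (defanged there as update[.]maskrisks[.]com).
SUSPECT_HOSTS = {"update.maskrisks.com"}

# Constructed proxy log for the example (not from the Insikt report).
# Fields: ISO timestamp, client IP, destination host, method, path.
SAMPLE_LOG = """\
2024-05-20T10:00:00 10.1.2.3 update.maskrisks.com GET /load
2024-05-20T10:00:05 10.1.2.3 www.example.org GET /
2024-05-20T10:00:07 10.1.2.3 www.example.org GET /css/site.css
2024-05-20T10:01:00 10.1.2.3 update.maskrisks.com GET /load
2024-05-20T10:02:01 10.1.2.3 update.maskrisks.com GET /load
2024-05-20T10:02:30 10.1.2.3 www.example.org GET /news
2024-05-20T10:03:00 10.1.2.3 update.maskrisks.com GET /load
2024-05-20T10:04:00 10.1.2.3 update.maskrisks.com GET /load
2024-05-20T10:05:01 10.1.2.3 update.maskrisks.com GET /load
2024-05-20T10:05:11 10.1.2.3 www.example.org GET /about
2024-05-20T10:05:12 10.1.2.3 www.example.org GET /img/logo.png
2024-05-20T10:09:00 10.1.2.3 www.example.org GET /contact
2024-05-20T10:09:30 10.1.2.9 mail.example.org GET /inbox
"""


def parse_log(text: str):
    """Yield (timestamp, client_ip, host) for each non-empty log line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, host, _method, _path = line.split()
        yield datetime.fromisoformat(ts), src, host.lower()


def find_beacons(text: str, min_hits: int = 5, max_cv: float = 0.15) -> list:
    """Flag (client, host) pairs that hit a known C2 host or call back on a regular cadence.

    The cadence test uses the coefficient of variation (stddev / mean) of the gaps
    between requests: human browsing is bursty (high CV), a sleeping implant is not.
    """
    series = defaultdict(list)
    for ts, src, host in parse_log(text):
        series[(src, host)].append(ts)

    alerts = []
    for (src, host), stamps in series.items():
        stamps.sort()
        reasons = []
        if host in SUSPECT_HOSTS:
            reasons.append("known_c2_host")
        if len(stamps) >= min_hits:
            gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
            avg = mean(gaps)
            cv = pstdev(gaps) / avg if avg > 0 else float("inf")
            if cv <= max_cv:
                reasons.append(f"periodic:{avg:.0f}s")
        if reasons:
            alerts.append({"src": src, "host": host, "hits": len(stamps), "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in find_beacons(SAMPLE_LOG):
        print(alert)
```

In the constructed log the client 10.1.2.3 reaches update.maskrisks.com six times roughly a minute apart while its other browsing is irregular, so only that pair is reported. Beacons configured with a large jitter widen the gap distribution and can slip under a strict `max_cv`; in practice the threshold is tuned against a baseline of the environment's own traffic, and legitimate periodic clients (update checks, telemetry) are allowlisted by host.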
The strategic deployment of Cobalt Strike underscores the Chinese government’s intent to exploit vulnerable Tibetan organizations, aligning with a broader agenda of digital surveillance over groups seen as potential threats to its influence. Tibet, with its rich cultural and religious significance, has long been a focal point of Chinese cyber-espionage. These attacks represent an alarming trend within the broader Chinese state security apparatus targeting minority communities for surveillance and control.
Addressing and Mitigating Threats from State-Sponsored Cyberattacks
The TAG-112 cyber campaign serves as a sobering reminder of the cybersecurity risks facing ethnic and religious minority organizations. To defend against such state-sponsored threats, Recorded Future recommends the following measures:
The Ongoing Threat to Tibetan Entities and Broader Implications
TAG-112’s campaign signals an ongoing commitment from Chinese cyber-espionage actors to infiltrate and monitor Tibetan organizations, reflecting the Chinese government’s broader objective to keep minority communities under tight scrutiny. As China advances its digital surveillance capabilities, these state-sponsored cyberattacks threaten to erode the digital freedom and security of ethnic and religious minorities worldwide.
The attacks on Tibet Post and Gyudmed Tantric University represent a targeted effort not only to gather intelligence but to exert influence over Tibet’s cultural institutions, threatening the free exchange of information and self-expression within these communities. Such cyber-espionage campaigns, framed by the Chinese government as preventing instability, are detrimental to the digital rights and privacy of those in the affected regions.
Conclusion
The cybersecurity landscape for Tibetan organizations and other vulnerable groups has become increasingly hostile, with TAG-112’s campaign underscoring the urgent need for robust security measures. As the cyber-espionage tactics of state-sponsored groups continue to evolve, it is imperative for Tibetan organizations, advocacy groups, and allies to fortify their defenses, raise awareness, and collaborate to mitigate the risks posed by such persistent threats.