According to an investigation report released by a private internet security company on Wednesday, November 13th, a hacker group believed to be supported by the Chinese Communist government has breached two well-known Tibetan exile websites with the intention of installing spyware on users’ computers to steal information.
The analysis by Insikt Group of Recorded Future, a cyber threat intelligence company based in the United States, revealed that a hacker group named TAG-112 attacked the Tibetan exile media outlet “Tibet Post” based in Dharamsala, India and the renowned Tibetan Buddhist academic and educational institution “Gyudmed Tantric University” located in southern India. It appears that the motive was to infiltrate visitors’ computers to gather personal and activity-related information, marking a significant breach.
Jon Condra, the Senior Director of Strategic Intelligence at Insikt Group, as cited by the Associated Press, mentioned that while the specific activities conducted by TAG-112 on the compromised devices remain unknown, given the Chinese authorities’ history of cyber attacks on ethnic minorities and religious groups in China, it is highly likely that the intent was information gathering and surveillance rather than destructive attacks.
Condra stated that this behavior aligns with the Chinese Communist Party’s longstanding actions targeting the Tibetan community.
The report by Insikt Group indicated that the TAG-112 hackers embedded malicious JavaScript on these websites; the script displayed a fake TLS certificate error and tricked visitors into clicking through a counterfeit certificate HTML page. The fake error page mimics a Google Chrome TLS certificate error.
Upon clicking, users unwittingly initiate the download of Cobalt Strike, a legitimate tool commonly used by security testers but frequently abused by attackers for remote access and command execution. Once installed, it can record keystrokes, transfer files, and carry out other functions, including deploying additional malware.
The report highlighted that TAG-112 probably exploited vulnerabilities in Joomla, a popular content management system (CMS), to gain access to the targeted Tibetan websites. Websites built with Joomla are frequent targets for attackers if they are not properly maintained and updated. TAG-112 likely leveraged these vulnerabilities to upload malicious JavaScript files, which were still active on the websites as of early October 2024.
The Chinese authorities have consistently denied any form of state-sponsored cyber attacks.
The Chinese Ministry of Foreign Affairs stated that they were unaware of the reported cyber attacks on the two Tibetan community websites by Insikt Group.
The attacks on these websites first occurred at the end of May, and they share many similarities with the activity of TAG-102, a previously tracked Chinese government-supported hacker group. Analysts thus believe that TAG-112 is a subsidiary organization of a known entity, “efforting towards similar or related intelligence needs.”
Insikt Group emphasized that Chinese hacker groups have engaged in various forms of attacks over the years, primarily targeting Chinese dissidents, such as human rights organizations, religious groups, ethnic minority groups, academic institutions, as well as supporters of democratic or independence movements in Taiwan, Hong Kong, and even mainland China.
Insikt Group has notified universities and news websites in India regarding the cyber intrusion incident.
As of this week, Gyudmed Tantric University in India, which works to teach and preserve Tibetan Buddhism, language, history, and culture, appears to have resolved the issue, while “Tibet Post” remains compromised.
“Tibet Post” is an online news media outlet based in India, dedicated to reporting news related to Tibet, the Tibetan community, and the Tibetan government in exile.
Australian scholar Feng Chongyi previously told Dajiyuan that Tibetans and Uighurs have always been key targets of the Chinese Communist Party’s stability maintenance efforts. Tibetans resist in a non-violent manner, through non-cooperation. He stated, “The CCP represses dissidents, represses different religions, represses different races, different ethnic groups. This is consistent behavior, determined by its essence.”
