Tibetans Under Cyber Attack – And The Security Industry Isn’t Helping

Cyber Repression: Every month or so, a report on the latest malware attack aimed at Tibetans will emerge. But the reality is the frequency and range of Internet-based assaults on the people of Tibet, as well as their families, friends and associates, are far greater than people know.

“Attacks happen pretty much every day,” says Nart Villeneuve, from FireEye. Activists, Tibetan leaders and human rights activists operating in the area are the traditional targets. Off-the-shelf malware is regularly thrown at their systems, as highlighted this week, when the website of the Central Tibetan Administration, the Tibetan Government-in Exile’s official Chinese language website, was hacked. Once users visited the site, they were redirected to an exploit that dropped a backdoor on their systems.

Earlier this month, Citizen Lab released a report on the Surtr malware family, which has been used to attack multiple Tibetan groups since November 2012. It was used to siphon off files and monitor users’ USB drives, whilst carrying out keylogging. It could also download additional malware, and had been seen in use with tools like Ghost RAT traditionally used in sophisticated campaigns.

To deliver the malware, the attackers sent out emails with a malicious attachment in spear phishing attacks. The messages themselves clearly indicated to Citizen Lab that the hackers had been actively monitoring mailing lists and discussion groups used by the Tibetan community.

Exploiting Tibetans

These attempts on activists are advanced, carried out for surveillance purposes. “Targets often get hit by the same kind of malware that large companies and governments get hit by,” Villeneuve notes. This makes China the chief suspect – though it denies all claims it does any kind of hacking.

Indeed, the very fact Tibetans are targeted so regularly has been used by at least one security company to its advantage. Earlier this year, Kaspersky, the same company that reported the infection on the Dalai Lama site, detailed a campaign in which it masqueraded as a Tibetan activist organisation. They talked about it at an event in Puerto Rico in February, in a seminar simply titled ‘How we became Tibetan activists and got targeted by hackers’. A source said researchers set up a website and complementary social media profiles, whilst organising pretend events for activists.

It did so, ostensibly, to gain an insight into politically-motivated hacking and to add fresh signatures to its malware databases to protect its wider customer base. Given China is the chief suspect of attacks on Tibet, and everyone wants to know what China is doing in the cyber arena, this kind of activity makes sense for companies like Kaspersksy. TechWeekEurope understands it is a common tactic amongst security companies in general.

But this has peeved genuine activists somewhat. Not only were some fooled by the fake activist body, but a massively profitable security company, which sells its software to Chinese organisations, was using the plight of the Tibetans to feed its products and therefore its profits. “It’s a good strategy, but it brings up a load of ethical questions,” says Lhadon Tethong, director of the Tibet Action Institute, who describes Kaspersky’s activities as “disturbing”.

Unrelenting, advanced attacks

Kaspersky has declined to comment. But regardless of the ethics, such projects show how attacks on Tibetans are unrelenting.  “I saw some just today,” Villeneuve tells TechWeekEurope, in mid-July. “The attackers are always sending out attacks because with their spear phishing model, they can’t control when someone is going to click.

“There are quite a few threat actor groups that are interested in Tibetan activist groups, so they end up getting a lot of malware.”

Attacks continue to rain down on Tibetans despite claims the refreshed Chinese government, with president Xi Jinping at its helm, is cooling its aggression in the region. Tethong says the opposite is true, however, and things have only gotten worse for Tibetans. Free Tibet recently reported a monk was shot in the head and six others injured when Chinese security forces discovered they were offering prayers to mark the Dalai Lama’s birthday. “It’s bad, if not worse, than it’s ever been,” Tethong says.

In the cyber sphere, where thankfully there is no bloodshed, it’s not just spear phishing that Tibetans are continuing to deal with on a daily basis. Denial of service attacks and watering hole campaigns, like the one on the Central Tibetan Administration site, are a regular occurrence. Video cameras and microphones are often hacked to spy on activist groups too.

“Some very close allies had a laptop on the table during their very high-level board meeting and someone noticed that the camera light was turned on… it is extremely concerning, the implications of that for the entire movement, for our highest level of leadership,” says Tethong.

Communications are also frequently snooped on. Earlier this year, activist groups warned Tibetans not to use WeChat, over concerns it had been used to track and jail those voicing their opinions, or to identify those sharing photographs of self-immolation protests of Buddhist monks. Mobile malware, aimed at Google’s Android OS, was also seen targeting them this year, posing as the legitimate Kakao Talk app. “Tibetans face arrest and worse simply for contacting foreigners on their phones or email,” says Alistair Currie, campaigns officer at Free Tibet.

And even those not fighting for Tibetan freedom, but who are in any way affiliated with campaigners for an independent state, are targets. Activists’ families, friends and online contacts have all been drawn into the surveillance operations of the attackers, whether they’re based in the region or not. Many have had their email accounts hacked to continue the vicious circle of malware proliferation amongst the community. The Dalai Lama’s birthday saw another batch of malicious emails sent across contacts, attempting to lure targets into clicking on an attachment purportedly detailing changes to a celebratory event in the US. Malware lurked inside.

Security companies ‘not helping’

Protection is a serious problem. Tethong admits people on her organisation’s network have clicked through and let malware run, but security software won’t help, as the attacks are often using zero day malware. Anti-virus, in particular, is useless. “The truth is, none of these protections will really work for people like us who receive zero-day attacks,” she says.

“Anti-virus companies would like us to remain not so in-the-know about how this stuff works and just rely on them to protect us. That will never, ever work.”

Others within the community agree the industry is not doing enough to protect activists. “The only real blame to the security industry is what it is actually doing to change that and protect people that largely remain vulnerable,” says Rapid7’s Claudio Guarnieri, talking about Kaspersky’s fake campaign.

What all this has done is entrench a distrust of basic electronic communications amongst the Tibetan community. “At this point, we just assume that all communications are compromised,” Tethong tells me. Perhaps this will be of detriment to surveillance campaigns. But if the activists can’t use quick and easy forms of communication,  the attackers will no doubt see it as an ancillary bonus.

In lieu of much assistance from the security industry, Tibetan activist groups are working alongside academia to improve “digital hygiene” amongst the community. Numerous security practitioners across the region and in India, where the in-exile government is based, are helping draw up educational campaigns, alongside concerned organisations across other nations. The best way to arm Tibetans against the onslaught is to teach them the best forms of defence. Peaceful resistance to Chinese rule continues.

This article is part of TechWeek’s Cyber Repression Series. Click through for other articles on attacks stemming from China on spiritual activists and military bodies, IP tracking in Bahrain and attacks surrounding the Zimbabwean election.

What do you know about Internet security? Find out with our quiz!

Thomas Brewster

Tom Brewster is TechWeek Europe's Security Correspondent. He has also been named BT Information Security Journalist of the Year in 2012 and 2013.

Recent Posts

Craig Wright Sentenced For Contempt Of Court

Suspended prison sentence for Craig Wright for “flagrant breach” of court order, after his false…

3 days ago

El Salvador To Sell Or Discontinue Bitcoin Wallet, After IMF Deal

Cash-strapped south American country agrees to sell or discontinue its national Bitcoin wallet after signing…

3 days ago

UK’s ICO Labels Google ‘Irresponsible’ For Tracking Change

Google's change will allow advertisers to track customers' digital “fingerprints”, but UK data protection watchdog…

3 days ago

EU Publishes iOS Interoperability Plans

European Commission publishes preliminary instructions to Apple on how to open up iOS to rivals,…

4 days ago

Momeni Convicted In Bob Lee Murder

San Francisco jury finds Nima Momeni guilty of second-degree murder of Cash App founder Bob…

4 days ago