Chinese hackers attack exile Tibetans with sketchy Firefox extension

By Choekyi Lhamo

DHARAMSHALA, Mar. 1: Chinese state-sponsored hackers have reportedly attacked Tibetan organizations in exile by using a malicious Firefox add-on that was aimed to steal Gmail and Firefox data and download malware on infected systems, according to cybersecurity firm Proofpoint. The sketchy phishing email intercepted by the firm posed as a message from the “Tibetan Women’s Association” and used the email subject “Inside Tibet and from the Tibetan exile community”. The attacks this month have been linked to a group under the codename of TA413 that targeted only Firefox users with an active Gmail session.

The Digital Security Program Director at Tibet Action Institute, Lobsang Gyatso Sither told Phayul, “In the last year or so, the number of targeted phishing attacks on the Tibetan community has been on the rise and we have been working with different Tibetan organizations to mitigate these threats. At the same time, we can see that the attacks are campaigns that have been running for years and the most recent report by Proofpoint also shows that APT group has been active since 2013 and continues to operate to compromise Tibetans.” 

The tech expert also cautioned against changing behaviours of such attacks, “instead of using an attachment or a link as seen more traditionally, this attack tries to make the user install a plugin so that the attacker can access to the users email account.” Proofpoint said that the attackers targeted Tibetan organizations with spear-phishing emails that took the members on websites where they’d be prompted to install a Flash update to view the content.

The cybersecurity firm noted that the extension also downloaded and installed the Scanbox malware on infected systems. The last recorded case of a ScanBox attack dates back to 2019 when Recorded Future reported attacks against visitors of Pakistani and Tibetan websites. This particular campaign codenamed ‘FriarFox’ started attacking early in Jan 2021 and continued throughout February. While this particular campaign targeted the Tibetan community, APT TA413 has been known to take aim at other political targets including European politicians last year.

Senior Director of threat research and detection at Proofpoint, Sherrod DeGrippo said, “Malicious browser plugins aren’t new, but they are an often-forgotten attack surface in many enterprises, and it was surprising to see an APT actor aligned with the Chinese state use this method . . . The complex delivery method of the tool, which we call the ‘FriarFox’ browser extension, grants this APT actor near total access to the Gmail accounts of their victims, which is especially troubling as email accounts really are among the highest value assets when it comes to human intelligence.”