By Tenzin Dharpo
DHARAMSHALA, Sept. 26: Members of key Tibetan groups were targeted by malicious links in individually tailored WhatsApp text exchanges with operators posing as NGO workers, journalists and other fake personas, according to researchers at the Citizen Lab, based at the University of Toronto.
Researchers said that unknown operators, whom they named POISON CARP, targeted senior members of Tibetan groups between November 2018 and May 2019, including the Private Office of His Holiness the Dalai Lama, the Central Tibetan Administration, the Tibetan Parliament, and Tibetan human rights groups.
The operators, for instance, posed as New York Times reporters and Amnesty International researchers while sending the malicious links. The one-click links, when clicked, automatically exploit unpatched iOS and Android devices and install spyware on them. Similar spyware was used against Uyghur groups in the Xinjiang region, where minority Muslim natives face persecution from the Chinese government.
“Compared to the usual phishing emails or malicious attachments that Tibetans receive, attacks that can break into mobile phones at the tap of a link require enormous investment to design and execute. While Tibetan organizations are no strangers to digital spying, POISON CARP represents a major escalation in efforts to penetrate and sabotage these groups,” said Bill Marczak, research fellow at Citizen Lab.
The attacks were first reported to the Citizen Lab by the Tibetan Computer Emergency Readiness Team (TibCERT), a coalition of Tibetan organisations that works to improve digital security through incident response collaboration and data sharing, after members of the Tibetan groups alerted it to suspicious links.
Its Secretary Lobsang Gyatso Sither said, “The highly targeted nature of these attacks presents a huge challenge for security and safety of Tibetans. The only way to mitigate these threats is through collaborative sharing and awareness. TibCERT is the way forward to protect the Tibetan Community.”
Tibetan groups have been the target of highly sophisticated and well-funded cyber attacks for over a decade. In 2012, security software company AlienVault published findings that linked software details to those of a programme distributed by a Chinese company based in Chengdu, the capital of Sichuan province.
The same year, Internet security company Kaspersky Labs intercepted a new variant of the Tibet malware for Apple’s OS X, distributed as part of a seemingly politically motivated APT (advanced persistent threat) attack. “Unlike some other recent malware attacks on OS X, the Tibet malware appears to be a concentrated political effort from mainland China against Tibetan activist groups, and is not being actively spread to other parts of the world. Therefore, the Tibet malware may be an attempt to spy and steal information about him and his activities, and those of similar groups that have been at political odds with China,” Kaspersky said at the time.