Tenzin Nyidon
DHARAMSHALA, Nov. 15: A state-sponsored hacking group, believed to be linked to China, has compromised two websites associated with the Tibetan community in a malware attack, according to findings released Wednesday by the Insikt Group, the threat research division of Massachusetts-based cybersecurity consultancy Recorded Future.
The attack targeted the websites of Tibet Post, a Tibetan news outlet based in Dharamshala, and Gyudmed Tantric University, a religious institution in Hunsur Rabgyaling, South India. The hacking group, identified as TAG-112, compromised these sites to gain access to visitor information and track their activities. According to Insikt Group, the hackers manipulated the websites to prompt visitors to download a malicious file, which was falsely labeled as a security certificate.
Once downloaded and opened, the file installs Cobalt Strike Beacon malware onto the visitor’s computer. This malware enables the hackers to conduct keylogging, transfer files, and deploy additional malware, effectively compromising the users’ devices and potentially giving hackers access to sensitive data.
A staff member from Tibet Post International, an online news outlet that publishes in English, Tibetan, and Chinese, who wished to remain anonymous, disclosed to Phayul that their website has faced a string of cyberattacks, impacting their digital operations. The first, more severe hack targeted their Chinese site in July 2023, shortly after it published articles on His Holiness the Dalai Lama’s birthday celebrations. This incident required the team to rebuild the Chinese site entirely. A second hack occurred in late May, compromising their English website. Most recently, two weeks ago, their English website faced yet another attack. “These repeated cyber-attacks highlight the risk Tibetan websites face, with hacking attempts frequently disrupting the ability to operate securely,” the staff member told Phayul.
Tenzin Gyal, from the Tibet Action Institute, a Tibet-focused civil society organisation providing education and training programs to help Tibetans defend against relentless cyber threats from China, spoke to Phayul about the measures Tibetan websites and organisations can adopt to mitigate risks. “Tibetan websites and organisations facing state-sponsored threats should prioritise robust digital hygiene. While ensuring regular content updates and thoughtful website design, equal attention must be given to the site’s security posture,” he noted. “Regardless of the content management system (CMS), theme, or plugins used, it is imperative to keep them updated. Additionally, the security of the hosting server must be rigorously assessed. These are foundational steps that website developers and organisations need to prioritise for a secure digital environment.”
Gyal further emphasised the role of preventative measures such as multi-factor authentication (MFA) for online accounts, which can significantly minimise the risk of unauthorised access. Regular software updates to patch known vulnerabilities and the adoption of end-to-end encrypted communication tools like Thunderbird for emails and Signal for messaging were also highlighted as essential steps for safeguarding sensitive information.
He emphasised the importance of training, stating, “Periodic Digital Security Training for staff is equally crucial. Such training equips individuals to recognise phishing attempts and other potential attack methods, empowering them to identify and respond to suspicious activities effectively.”
Speaking on the necessity of centralised digital security protocols, given the repeated targeting of Tibetan websites, Gyal highlighted the initiatives of TibCERT, a Tibetan cybersecurity team. “TibCERT has implemented a comprehensive Digital Security Policy (DSP) for its members, with regular updates to adapt to technological advancements. Expanding a centralised security framework to include Tibetan media and community organisations could significantly enhance collective defense,” he said.
“By standardising security practices, pooling resources, and streamlining incident response protocols, this approach would help minimise vulnerabilities and enable quicker, more effective responses to threats. Such coordinated efforts would strengthen community safety, leveraging shared expertise to build a more resilient digital security infrastructure.”
This targeted attack reflects ongoing cyber-surveillance efforts by Chinese state-sponsored actors. In September 2023, a series of Tibetan institutions, including the Kagyu Monlam Trust International and the Monlam IT website, were targeted by a China-linked hacking group. The attack, uncovered by cybersecurity firm ESET in January 2024, revealed that these organisations were compromised using tactics similar to those seen in other state-sponsored cyber operations.