Tsering Dhundup
DHARAMSHALA, Dec. 21: The Chinese Communist Party (CCP) has launched a number of coordinated cyber espionage campaigns against the Office of His Holiness the Dalai Lama, Tibetan NGOs, media outlets, and the Central Tibetan Administration over the past 20 years, according to a report published on December 10 by the Tibetan Computer Emergency Readiness Team (TibCERT).
The report outlines that these cyberattacks have primarily targeted Tibetan NGOs, the Central Tibetan Administration (CTA), media organisations, and the Private Office of His Holiness the Dalai Lama (OHHDL). The methods used in these attacks include deceptive emails that appear to come from Tibetan organisations or human rights groups, as well as Distributed Denial of Service (DDoS) attacks and watering hole tactics. These efforts aim to disrupt operations, steal sensitive data, and interfere with the flow of information within the Tibetan community.
Attribution of these attacks remains challenging. While technical evidence, including malware and attack patterns, suggests a shared origin for many of the campaigns, political attribution is more complex. Past cyberattacks have been linked to state-sponsored groups, such as the Chinese People’s Liberation Army’s (PLA) Unit 61398, which was named in the 2013 Mandiant APT1 report. These attacks are widely believed to align with the political goals of the Chinese government, focused on surveillance, censorship, and suppression of the Tibetan diaspora.
TibCERT’s report documents 63 public cases of cyberattacks, targeting organisations such as the Tibetan Women’s Associationand Students for a Free Tibet as frequent targets. Tibetan activists, the CTA, and media groups also face consistent cyber threats. The attacks began in 1999, when the Tibetan community first established its online presence. Key events include the 2009 GhostNet operation, which affected government offices in 103 countries, including the Private Office of His Holiness the Dalai Lama, and a series of attacks between 2018 and 2019 that exploited vulnerabilities in mobile devices, compromising both iOS and Android devices of key Tibetan figures.
The report identifies email attachments as the main method or pathway that attackers use to infiltrate a system or network which is responsible for 60% of incidents. Attackers have also used phishing campaigns and mobile malware to infiltrate systems and steal data.
In response to these threats, TibCERT has recommended several measures to strengthen digital security within the Tibetan community. These include implementing comprehensive digital security policies, raising awareness through training, and encouraging behavioural changes to enhance cyber resilience. Despite these recommendations, the report concludes that the threat of cyber espionage remains a significant concern, with the CCP continuing to intensify its cyber operations against the Tibetan community.
