Targeted cyberattacks against Tibetan non-governmental organizations were uncovered by security researchers at AlienVault Labs. The Central Tibet Administration and International Campaign for Tibet are among the targets of the spear-phishing attacks.
The Chinese regime is again the prime suspect, and researchers at AlienVault Labs believe the attacks are being run by the same group of Chinese hackers that launched the “Nitro” attacks on chemical and defense companies last year. According to a blog post, the attacks “are aimed at both spying on and stealing sensitive information about these organizations’ activities and supporters.”
Jaime Blasco, labs director at AlienVault, said in an email interview that the cyberattacks carry a familiar signature, which leads him to believe there is more to the incident than meets the eye.
“I’m pretty sure this is a state-sponsored attack,” Blasco said.
“Take into account that we have published several campaigns of this kind in the past and we have discovered that the same techniques/tools and very often infrastructure that is being used to steal intellectual property from the US and other countries are also being used to attack activists in Tibet and other places,” he said. “We’ve seen several campaigns that seem to target mainly Tibet and Uyghur people but also other groups and individuals that support those groups like reporters, NGOs and so on,” he said.
The attackers tried fooling the Tibetan groups with a series of emails related to the Kalachakra Initiation, which is a Tibetan religious festival. The emails used a known exploit, based around a Microsoft attachment.
The AlienVault blog post states that the malware used in the attack is a variant of Gh0st RAT, which is a remote access Trojan “that enables anything from stealing documents to turning on a victim’s computer microphone.”
The Gh0st RAT trojan was the main tool used in last year’s Nitro attacks, which were also pinned on the Chinese regime. “It’s likely that the same group is stealing from major industries as well as infiltrating organizations for political reasons,” the blog post states.
“It is no surprise that Tibetan organizations are being targeted—they have been for years—and we continue to see Chinese actors breaking into numerous organizations with impunity,” it states. “Unfortunately, in this particular case, these attacks may have a direct impact on the abuse of human rights in these regions.”
The Epoch Times publishes in 35 countries and in 21 languages.