Chinese hackers target Tibetan websites in malware attack, cybersecurity group says
[November 13, 2024]
By DAVID RISING
BANGKOK (AP) — A hacking group that is believed to be Chinese
state-sponsored has compromised two websites with ties to the Tibetan
community in an attack meant to install malware on users' computers,
according to findings released Wednesday by a private cybersecurity
firm.
The hack of the Tibet Post and Gyudmed Tantric University websites
appears geared toward gaining access to the computers of people
visiting the sites in order to obtain information on them and their
activities, according to the analysis by the Insikt Group, the threat
research division of the Massachusetts-based cybersecurity consultancy
Recorded Future.
The hackers, known in the report as TAG-112, compromised the websites so
that visitors are prompted to download a malicious executable file
disguised as a security certificate, Insikt Group said. Once opened, the
file loads Cobalt Strike Beacon malware on the user's computer that can
be used for key logging, file transferring and other purposes, including
deploying additional malware.
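The lure described above, an executable offered to visitors as a "security certificate", is something a defender can check for mechanically: a real certificate file begins with a PEM header or a DER SEQUENCE tag, while a Windows executable begins with the "MZ" signature, so a name that promises one and content that is the other is a masquerade. The following Python is an added example for this article, not code from Insikt Group or Recorded Future; the filenames and byte strings are constructed samples, and the verdict rules are assumptions about how such a lure would present on disk.

```python
"""Flag downloaded files that are named like security certificates but
contain a Windows executable.  Added example for this article; not code
from Insikt Group or Recorded Future.  All filenames and byte strings in
SAMPLES are constructed, not artifacts from the campaign."""
import re

# Leading bytes / markers of the formats that matter for this check.
PE_MAGIC = b"MZ"                                  # DOS/PE executable header
PEM_CERT_MARKER = b"-----BEGIN CERTIFICATE-----"  # PEM-encoded X.509
DER_SEQUENCE_TAG = 0x30                           # first byte of a DER certificate

# A name "promises" a certificate if it says so or carries a certificate extension.
CERT_NAME_PATTERN = re.compile(r"(certificate|\.cer$|\.crt$|\.pem$|\.der$)", re.IGNORECASE)
EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".com", ".dll", ".msi")


def looks_like_certificate_name(filename: str) -> bool:
    """True when the filename or extension presents the file as a certificate."""
    return bool(CERT_NAME_PATTERN.search(filename))


def detect_format(data: bytes) -> str:
    """Classify a file by its leading bytes: 'pe', 'pem', 'der' or 'unknown'."""
    if data.startswith(PE_MAGIC):
        return "pe"
    if data.lstrip().startswith(PEM_CERT_MARKER):
        return "pem"
    if data and data[0] == DER_SEQUENCE_TAG:
        return "der"
    return "unknown"


def assess_download(filename: str, data: bytes) -> dict:
    """Return a verdict for one downloaded file.

    'masquerade'            : certificate-themed name, PE executable content
                              (the lure pattern the article describes)
    'suspicious_extension'  : certificate-themed name with an executable
                              extension but content not recognised as PE
    'plausible_certificate' : certificate-themed name and PEM/DER content
    'no_finding'            : nothing certificate-related to check
    """
    fmt = detect_format(data)
    cert_name = looks_like_certificate_name(filename)
    exe_ext = filename.lower().endswith(EXECUTABLE_EXTENSIONS)
    if cert_name and fmt == "pe":
        verdict = "masquerade"
    elif cert_name and exe_ext:
        verdict = "suspicious_extension"
    elif cert_name and fmt in ("pem", "der"):
        verdict = "plausible_certificate"
    else:
        verdict = "no_finding"
    return {"filename": filename, "format": fmt, "verdict": verdict}


# Constructed samples (hypothetical names and contents, not real artifacts).
SAMPLES = [
    ("security_certificate.exe", b"MZ\x90\x00" + b"\x00" * 60 + b"PE\x00\x00"),
    ("root-ca.crt", b"-----BEGIN CERTIFICATE-----\nMIIBfake\n-----END CERTIFICATE-----\n"),
    ("site.cer", b"\x30\x82\x01\x0a\x02\x01\x00"),
    ("update_certificate.scr", b"\x00\x00\x00\x00"),
    ("report.pdf", b"%PDF-1.7\n"),
]


def scan(samples=SAMPLES) -> list:
    """Assess every (filename, content) pair and return the verdicts."""
    return [assess_download(name, data) for name, data in samples]


if __name__ == "__main__":
    for result in scan():
        print(f"{result['filename']:28} {result['format']:8} {result['verdict']}")
```

The check deliberately trusts content over name: the extension alone is weak evidence either way, so only a name-versus-content contradiction is reported as a masquerade, and a certificate-themed name with an executable extension is surfaced separately for review.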
“While we do not have visibility into the activity that TAG-112
conducted on compromised devices in this campaign, given their likely
cyber espionage remit and the targeting of the Tibetan community, it is
almost certain that they were engaged in information collection and/or
surveillance rather than destructive attacks,” Insikt Group senior
director Jon Condra told The Associated Press.
“This behavior aligns with historical targeting of the Tibetan
community,” he said.
Chinese authorities have consistently denied any form of state-sponsored
hacking, saying China itself is a major target of cyberattacks.
The Chinese Foreign Ministry said it was not aware of the hacking of the
two websites reported by the Insikt Group.
“China's stance on the issue of cybersecurity is consistent and clear,”
the ministry said in a faxed reply to a request for comment without
elaborating.
According to the Insikt Group research, the sites were first compromised
in late May, and the attacks bear many overlaps with a previously tracked
hacker group known as TAG-102, leading analysts to conclude that TAG-112
is a subgroup of the already known group “working toward the same or
similar intelligence requirements.”
Overlaps include reuse of specific tactics, techniques and procedures
and going after identical targets, Condra said.
“These two threat clusters are almost certainly interrelated,” he said.
The Chinese flag flies at a plaza near the Potala Palace in Lhasa in
western China's Tibet Autonomous Region, June 1, 2021, as seen
during a government organized visit for foreign journalists. (AP
Photo/Mark Schiefelbein, File)
TAG-102, known by multiple names such as Evasive Panda and
StormBamboo, has been in operation since as early as 2012, and is
widely thought to be a Chinese-sponsored advanced persistent threat,
or APT, group, Insikt Group said.
Among other things, it uses custom malware frameworks used by other
Chinese APT groups and its targeting “aligns with likely Chinese
intelligence requirements,” Condra said.
“The group has engaged in a wide variety of campaigns over the
years, with an emphasis on targeting individuals and organizations
in opposition to the Chinese government, such as human rights
organizations, religious organizations, ethnic minority groups,
academic institutions, and supporters of democracy or independence
movements in Taiwan, Hong Kong, and even in mainland China,” Insikt
Group said.
The university and the news website, which are both located in
India, have been informed by Insikt Group of the hack. As of this
week, it appears the Gyudmed Tantric University, which is a place of
learning about Tibetan Buddhism, language, history and culture, has
remediated the problem while the news website remained compromised,
Condra said.
The Tibet Post is known for promoting democracy, freedom of speech
and for advocating Tibetan independence from China, he said.
China claims Tibet has been part of its territory for centuries,
although it only established firm control over the Himalayan region
after the Communist Party swept to power during a civil war in 1949.
Many Tibetans' loyalties still lie with the Dalai Lama, the
spiritual leader who has lived in exile in India since a failed
anti-Chinese uprising in 1959.
China has been regularly accused of human rights abuses in Tibet,
including earlier this year over its efforts to forcibly urbanize
villagers and herders as part of a drive to assimilate rural
Tibetans through control over their language and traditional
Buddhist culture.
All contents © copyright 2024 Associated Press. All rights reserved