Suspected Chinese hackers impersonated Tibet Media

(Bloomberg) – Suspected Chinese state-sponsored hackers are behind a deluge of emails seeking intelligence from a range of Tibet-linked targets, sometimes posing as a pro-independence political party and a prominent media organization, according to findings provided exclusively to Bloomberg News.


The hacking group known as TA413 uses phishing emails and custom malware to collect intelligence, likely on behalf of the Chinese government, according to Recorded Future Inc., a Massachusetts-based cybersecurity firm.

Hackers exploited a zero-day vulnerability in a Sophos security technology to target Tibetan entities. They claimed in some cases to be the Tibet Times, a newspaper that has been operating in exile since 1996, the Tibetan Youth Congress and the Tibetan National Congress, according to a study released Thursday.

Recorded Future said TA413 “has been particularly relentless in its targeting of the Tibetan community”, with particular emphasis on monitoring Tibetan news sources. The targeted entities are located in Dharamsala, northern India, beyond the reach of Chinese law enforcement but vulnerable to digital espionage.

Tenzin Robyang, managing director of the Tibet Times, said the newspaper regularly reported people in Tibet missing or arrested, and had become the target of frequent cyber espionage attempts.

“We’re a small media house, we don’t have a tech on staff to constantly monitor the back-end and see what’s happening on our website,” he said.

The malicious activity leads to website downtime and loss of photos, he said. Employees back up their systems using physical hard drives, while technical specialists work to recover data from compromised systems.

“The Chinese have kept strict vigilance on news release, compared to seven or eight years ago, it’s much more difficult now,” Robyang said.

In one case, TA413 hackers posed as the Central Tibetan Administration, the government-in-exile, promising a subsidy for female photographers. In fact, the messages included malicious Microsoft attachments that allegedly gave spies access to victims’ data.

“The company you mentioned has fabricated a so-called ‘Chinese hacker attack’ numerous times,” a Chinese Foreign Ministry spokesperson said in a statement to Bloomberg. “He has no professionalism or credibility. I believe the international community would have its own judgement.”

The People’s Republic of China asserted sovereignty over Tibet in 1951 as part of a broader effort by Mao Zedong’s communists to consolidate control over territory historically claimed by China before decades of colonialism, war and internal conflicts. The Dalai Lama fled to India to escape government repression in 1959, and a Tibetan independence movement has endured abroad ever since.

Security firm Proofpoint Inc. reported in September 2020 that TA413 targeted Tibetan entities, using malware and spoofed web domains to ensnare victims. The attackers used exploit code shared by several suspected Chinese hacking groups, the researchers noted.

“Over the past several years, we have observed TA413 activity relentlessly targeting organizations and individuals associated with the Tibetan community,” the Recorded Future report released on Thursday said. “Targeting this community has been a constant and is almost certainly indicative of the group’s primary intelligence missions.”

Sophos patched the security flaw in March, but the fix only protects organizations that apply it by updating their systems.

Pro-Beijing hackers have spent years trying to infiltrate Tibetan organizations in attempts to spy on individuals, as well as to find data that could help identify others to spy on, according to Lobsang Sither, director of technology at the Tibet Action Institute, a nongovernmental organization that helps hacking victims recover from intrusions.

“It’s something that happens constantly. It’s been almost two decades,” he said. “Whether it’s protests or advocacy, or the Free Tibet movement, they’re looking for information.”

(A previous version incorrectly reported that hackers used glazed zero-day software to target Tibetan agencies.)


©2022 Bloomberg LP