(Bloomberg) -- Alleged Chinese state-sponsored hackers are behind a barrage of emails that aim to collect intelligence from a range of targets linked to Tibet, posing at times as a pro-independence political party and a prominent media organization, according to findings provided exclusively to Bloomberg News.
The hacking group known as TA413 uses phishing emails and customized malicious software to collect intelligence, likely on behalf of the Chinese government, according to Recorded Future Inc., a Massachusetts-based cybersecurity firm.
Hackers exploited a zero-day vulnerability in a Sophos security technology to target Tibetan entities. They claimed in some instances to be the Tibet Times, a newspaper that’s operated in exile since 1996, the Tibetan Youth Congress and the Tibetan National Congress, according to research published Thursday.
Recorded Future said TA413 “has been particularly relentless in its targeting of the Tibetan community,” with a special focus on monitoring sources of information from Tibet. The targeted entities are located in Dharamsala, in northern India, beyond the grasp of Chinese law enforcement but vulnerable to digital spying.
Tenzin Robyang, the managing director for the Tibet Times, said the newspaper regularly reports on people in Tibet who have gone missing or been arrested, and has become the target of frequent cyber-espionage attempts.
“We’re a small media house, we don’t have a technical person on staff to constantly watch the back-end and see what is happening to our website,” he said.
The malicious activity results in website downtime and lost photos, he said. Staffers back up their systems using physical hard drives, while technical specialists work to salvage data from hacked systems.
“The Chinese have kept strict vigilance on the outflow of news, compared to seven or eight years ago, it’s much more difficult now,” Robyang said.
In one case, TA413 hackers masqueraded as the Central Tibetan Administration, the government in exile, promising a grant for female photographers. In fact, the messages included malicious Microsoft attachments that would have given the spies access to victims’ data.
“The company you mentioned has fabricated so-called ‘attack by Chinese hackers’ many times,” a Chinese foreign ministry spokesperson said in a statement to Bloomberg. “It has no professionalism nor credibility. I believe the international community would have their own judgment.”
The People’s Republic of China asserted sovereignty over Tibet in 1951 as part of a broader effort by Mao Zedong’s communists to consolidate control over territory historically claimed by China before decades of colonialism, war and internal strife. The Dalai Lama fled to India to escape a government crackdown in 1959, and a Tibetan-independence movement has endured overseas ever since.
The security firm Proofpoint Inc. in September 2020 reported that TA413 had targeted Tibetan entities, using malware and spoofed web domains to breach victims. Attackers have used exploit code that multiple suspected Chinese hacking groups share, researchers noted.
“Over the past several years, we have observed TA413 activity relentlessly targeting organizations and individuals associated with the Tibetan community,” said the Recorded Future report published Thursday. “Targeting this community has been a constant and is almost certainly indicative of the group’s primary intelligence assignments.”
Sophos patched the security vulnerability in March, a process that would require organizations to update their systems.
Pro-Beijing hackers have spent years trying to infiltrate Tibetan organizations as part of attempts to spy on individuals as well as to find data that could help identify other people to spy on, according to Lobsang Sither, director of technology at the Tibet Action Institute, a non-governmental organization that helps hacking victims recover from intrusions.
“It’s something that happens constantly. It’s been almost two decades,” he said. “Whether it’s about protests or advocacy, or the Free Tibet movement, they are after information.”
(A previous version incorrectly reported that hackers had used zero-day malware to target Tibetan agencies.)
©2022 Bloomberg L.P.