Chinese Hackers Weaponize Tibetan Websites in Sophisticated Espionage Plot

Chinese Cyber Espionage Campaign Targets Tibetan Institutions

A Chinese state-sponsored hacking group tracked as TAG-112 compromised Tibetan media and educational websites and used them to serve malware to their visitors. The campaign, detected in May 2024, involved the websites of the Tibet Post and Gyudmed Tantric University.

Key Points:
– The attackers used the compromised websites to deliver a malicious payload disguised as a "security certificate"
– JavaScript injected into the sites served the lure only to Windows users, so other visitors saw the normal pages
– Once the payload was run, it deployed Cobalt Strike, a commercial post-exploitation framework widely abused by intrusion groups
– The attackers most likely gained access to the sites by exploiting a vulnerability in the Joomla content management system

Technical Details:
– The injected script inspects the visitor's environment and proceeds only for Windows users running Chrome or Edge
– Selected visitors are shown a fake TLS certificate error page that urges them to download a "security certificate", which is in fact the malicious payload
– The payload communicates with a remote server at update.maskrisks[.]com (defanged)
– It uses DLL side-loading, placing a malicious DLL where a legitimate executable loads it, to execute Cobalt Strike
– A genuine browser certificate warning is rendered by the browser itself and never asks the user to download and run a file; any page that does so is a lure
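The following is an added example for defenders, not code from the original article or from the researchers who reported the campaign. It scans a saved copy of a web page for the two things the technique above leaves in the HTML: script tags pointing at hosts the site does not normally load from, and inline scripts that gate on navigator.userAgent for Windows plus Chrome/Edge before presenting a "certificate" lure. The only indicator taken from the article is the domain update.maskrisks[.]com (re-fanged for matching); the sample page, the site host name and the CDN allow-list are constructed for the demonstration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Indicator from the report, re-fanged so it can be matched against live content.
IOC_DOMAINS = {"update.maskrisks.com"}

# Pieces that together suggest a user-agent gate of the kind used in this campaign:
# a read of navigator.userAgent, a Windows check, a Chrome/Edge check and a
# "certificate" lure string. Each alone is common; the combination is suspicious.
UA_READ_RE = re.compile(r"navigator\.userAgent", re.I)
WINDOWS_RE = re.compile(r"\bWindows\b")
BROWSER_RE = re.compile(r"\b(Chrome|Edge?)\b")   # "Edg" is the Edge UA token
LURE_RE = re.compile(r"certificate", re.I)


class ScriptCollector(HTMLParser):
    """Collects external script URLs and inline script bodies from a page."""

    def __init__(self):
        super().__init__()
        self.external = []   # values of <script src="...">
        self.inline = []     # text of <script>...</script> without src
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script = True
            self._buf = []

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            self.inline.append("".join(self._buf))
            self._in_script = False

    def handle_data(self, data):
        # html.parser hands script content to handle_data as raw text.
        if self._in_script:
            self._buf.append(data)


def scan_page(html, site_host, allowed_hosts=()):
    """Return a list of (finding_kind, detail) tuples for one page."""
    parser = ScriptCollector()
    parser.feed(html)
    findings = []

    # 1. External scripts loaded from anywhere other than the site or its allow-list.
    for src in parser.external:
        host = urlparse(src).hostname      # None for relative URLs such as /js/app.js
        if host and host != site_host and host not in allowed_hosts:
            kind = "ioc" if host in IOC_DOMAINS else "unexpected-external-script"
            findings.append((kind, src))

    # 2. Inline scripts that gate on Windows + Chrome/Edge, optionally with a lure.
    for body in parser.inline:
        if UA_READ_RE.search(body) and WINDOWS_RE.search(body) and BROWSER_RE.search(body):
            kind = "ua-gated-certificate-lure" if LURE_RE.search(body) else "ua-gated-script"
            findings.append((kind, body.strip()[:60]))
        for domain in IOC_DOMAINS:
            if domain in body:
                findings.append(("ioc", domain))
    return findings


# Constructed sample page (not captured from either compromised site): one relative
# script, one allow-listed CDN script, one unexpected third-party script and an
# inline gate that rewrites the page into a fake certificate error for Windows users.
SAMPLE_HTML = """<html><head>
<script src="/media/system/js/core.js"></script>
<script src="https://cdn.example.net/jquery.min.js"></script>
<script src="https://static.example.org/analytics.js"></script>
<script>
  var ua = navigator.userAgent;
  if (ua.indexOf("Windows") !== -1 && (ua.indexOf("Chrome") !== -1 || ua.indexOf("Edg") !== -1)) {
    document.body.innerHTML = '<h1>Your connection is not private</h1>' +
      '<a href="https://update.maskrisks.com/">Download the security certificate</a>';
  }
</script>
</head><body>Site content</body></html>"""


def demo():
    # "tibetpost.example" and the CDN allow-list are assumptions for the demo.
    return scan_page(SAMPLE_HTML, "tibetpost.example", allowed_hosts=("cdn.example.net",))


if __name__ == "__main__":
    for kind, detail in demo():
        print(f"{kind:32} {detail}")
```

Running it against the constructed page reports the unexpected analytics script, the user-agent-gated certificate lure and the IOC domain, and stays silent on the relative and allow-listed scripts. On a real site, run it over periodic crawls of your own pages: an inline script that starts reading navigator.userAgent between two crawls is exactly the change this campaign introduced.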

Context:
TAG-112 is believed to be a subgroup of Evasive Panda (also tracked as Bronze Highland, Daggerfly, StormBamboo, and TAG-102), though its tradecraft is less sophisticated. The Tibet Post had already been targeted in September 2023, in a separate Evasive Panda operation that used the MgBot and Nightdoor backdoors.

This campaign shows continued Chinese cyber espionage against Tibetan organizations, carried out here with less sophisticated methods than Evasive Panda's earlier attacks.
