China-Linked Hackers Target Tibetan Websites, Raising Fears of Widespread Surveillance
On November 12, cybersecurity firm Recorded Future released a report detailing a China-linked cyberattack on Tibetan community websites, allegedly aimed at collecting personal information from visitors. The hacker group TAG-112, believed to be a subgroup working for the Chinese Communist Party (CCP) since 2012, is identified as the likely perpetrator. This group is reportedly part of a broader CCP strategy targeting entities that it deems threats to its rule, often referred to as the “five poisons,” which include Tibetans, Uyghurs, Taiwan, Falun Gong practitioners, and pro-democracy advocates.
The report highlights that the attackers compromised Tibetan sites including Tibet Post and the Gyudmed Tantric University, which specializes in Tibetan Buddhist education, on or around May 23. While Gyudmed University has since rectified the breach, Tibet Post remains compromised. According to Recorded Future, the malware used in these attacks is a known tool often exploited by cyber actors for remote access and espionage against Tibetan entities.
“The continued cyber-espionage targeting of Tibetan organizations underscores the CCP’s far-reaching efforts to monitor what it perceives as separatist threats,” the Recorded Future report stated.
Cybersecurity professionals are concerned about the sophisticated tactics used in this campaign, including the deployment of Cobalt Strike—a legitimate software tool often misused for remote access in advanced cyberattacks. Recorded Future’s analysts recommend that organizations considered CCP targets implement intrusion prevention measures and monitor their networks closely for potential breaches.
This campaign is not the first of its kind. Recorded Future previously reported CCP-backed efforts to monitor Tibetan groups and other perceived threats from locations such as China’s Tsinghua University, known for its cyber capabilities. Recorded Future linked Tsinghua’s cyber infrastructure to monitoring entities across a broad range of targets, including the Alaska state government, Mongolian institutions, the United Nations office in Nairobi, and companies like Daimler AG.
China’s cyber operations against the “five poisons” have spurred human rights concerns, with experts describing these activities as “transnational repression.” The U.S. government has expressed strong concerns, noting that China’s campaign includes tracking dissidents abroad, infiltrating diaspora communities, and attempting to coerce individuals into returning to China to face detention.
“This is extremely dangerous for American taxpayers,” warned Dafna Rand, U.S. Assistant Secretary of State for Democracy, Human Rights, and Labor, at an event last month. “The PRC is emboldened to go after dissidents not only within its own borders but also those who have fled.”