A hacking group, believed to be Chinese state-sponsored, has targeted two websites associated with the Tibetan community in a recent cyberattack. The Tibet Post and Gyudmed Tantric University websites were compromised in an attempt to install malware on visitors' computers, as revealed by a cybersecurity firm's analysis.
The hackers, identified as TAG-112, manipulated the websites to prompt visitors to download a malicious file disguised as a security certificate. Once opened, the file installs Cobalt Strike Beacon malware on the user's computer, enabling activities such as keylogging and file transfer.
The motive behind the attack on the Tibetan community appears to be information collection and surveillance rather than destructive action. This aligns with historical patterns of cyber espionage against the community.
Chinese authorities have consistently denied involvement in state-sponsored hacking, emphasizing that China is also a victim of cyberattacks. The Chinese Foreign Ministry stated that it was not aware of the reported hacking incidents on the two websites.
Research indicates that the recent attacks share similarities with those of a known hacker group, TAG-102, suggesting a connection between the two groups. TAG-102, also known as Evasive Panda and StormBamboo, has been active since 2012 and is believed to be a Chinese-sponsored advanced persistent threat group.
The Gyudmed Tantric University, located in India, has addressed the security breach, while the Tibet Post remains compromised. The Tibet Post is recognized for advocating democracy, freedom of speech, and Tibetan independence from China.
China's claim over Tibet has been a contentious issue, with many Tibetans supporting the Dalai Lama and expressing concerns over human rights abuses in the region. The recent cyberattack underscores the ongoing tensions and challenges faced by the Tibetan community.