Cyber Espionage Targets Tibetan Community Ahead of Dalai Lama’s Birthday
Overview of Recent Cyber Attacks
In the lead-up to the Dalai Lama's 90th birthday, two cyber espionage campaigns targeted the Tibetan community. According to Zscaler ThreatLabz, the campaigns, tracked as Operation GhostChat and Operation PhantomPrayers, were observed last month.
The Tactics Behind the Attacks
The threat actors behind both operations used watering hole attacks: compromising legitimate websites that the targeted group, in this case Tibetans, visits frequently, and using those sites to serve malware to visitors. Researchers Sudeep Singh and Roy Tay report that the attackers replaced a link on a trusted site with one pointing to attacker-controlled infrastructure, which delivered either the Gh0st RAT or the PhantomNet backdoor to victim systems.
Details of the Operations
Operation GhostChat
In Operation GhostChat, the attackers compromised a web page dedicated to the Dalai Lama's 90th birthday. They replaced the legitimate URL "tibetfund.org/90thbirthday" with a link to the look-alike host "thedalailama90.niccenter.net". The original page collected well-wishing messages for the Dalai Lama; the altered page added an option to send encrypted messages, and to use it visitors were told to download a "secure" chat application called TElement, presented as a Tibetan build of the Element messenger.
The TElement package was trojanised. It bundled a malicious DLL that, once loaded by the application, installed Gh0st RAT, a remote access trojan used by many China-linked hacking groups. The fake page also ran JavaScript that fingerprinted visitors, collecting their IP address and browser details and sending the data to the attackers.
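The two page-side signals described above, the swapped outbound link and the inline fingerprinting script, can both be checked mechanically by a site owner or a researcher who has saved a copy of the page. The following is an added example, not code from the original article or from the Zscaler report. The HTML is constructed for the demonstration (it is not the real page), the trusted host list is an assumption, and the `navigator.` markers used to spot fingerprinting are a heuristic, not a signature from the report.

```python
"""Flag swapped outbound links and fingerprinting scripts in a saved page."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page (illustrative, not the real tibetfund.org page):
# the birthday anchor text is unchanged but its href now points at a
# look-alike host, and an inline script reads browser properties.
SAMPLE_HTML = """
<html><body>
<p>Send your wishes: <a href="https://thedalailama90.niccenter.net/">90th Birthday Messages</a></p>
<p><a href="https://tibetfund.org/about">About Tibet Fund</a></p>
<p><a href="/donate">Donate</a></p>
<script>
  var info = {ua: navigator.userAgent, plat: navigator.platform, lang: navigator.language};
</script>
</body></html>
"""

# Heuristic markers for client fingerprinting (assumed list, not from the report).
FINGERPRINT_MARKERS = ("navigator.userAgent", "navigator.platform",
                       "navigator.language", "screen.width", "screen.height")


class PageCollector(HTMLParser):
    """Collect (href, anchor text) pairs and inline <script> bodies."""

    def __init__(self):
        super().__init__()
        self.links = []      # list of (href, text)
        self.scripts = []    # list of inline script source strings
        self._link = None    # [href, text] of the <a> being read
        self._in_script = False
        self._script_buf = ""

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a" and attrs.get("href"):
            self._link = [attrs["href"], ""]
        elif tag == "script" and not attrs.get("src"):
            self._in_script = True
            self._script_buf = ""

    def handle_data(self, data):
        if self._link is not None:
            self._link[1] += data
        if self._in_script:
            self._script_buf += data

    def handle_endtag(self, tag):
        if tag == "a" and self._link is not None:
            self.links.append((self._link[0], self._link[1].strip()))
            self._link = None
        elif tag == "script" and self._in_script:
            self.scripts.append(self._script_buf)
            self._in_script = False


def _parse(html):
    parser = PageCollector()
    parser.feed(html)
    return parser


def suspicious_links(html, trusted_hosts):
    """Return absolute links whose host is outside the trusted hosts.

    Relative links carry no host and are treated as same-site. On a site
    like this every outbound link was placed deliberately, so a new one
    appearing is exactly the watering-hole signal described above.
    """
    trusted = {h.lower() for h in trusted_hosts}
    findings = []
    for href, text in _parse(html).links:
        host = (urlparse(href).hostname or "").lower()
        if not host:
            continue
        if host in trusted or any(host.endswith("." + t) for t in trusted):
            continue
        findings.append({"href": href, "text": text, "host": host})
    return findings


def fingerprinting_scripts(html):
    """Return inline scripts that reference known fingerprinting properties."""
    hits = []
    for src in _parse(html).scripts:
        found = sorted(m for m in FINGERPRINT_MARKERS if m in src)
        if found:
            hits.append({"markers": found, "source": src.strip()})
    return hits


if __name__ == "__main__":
    for f in suspicious_links(SAMPLE_HTML, ["tibetfund.org"]):
        print("outbound link to untrusted host:", f)
    for s in fingerprinting_scripts(SAMPLE_HTML):
        print("fingerprinting script, markers:", s["markers"])
```

Run against a periodic crawl of your own site, `suspicious_links` turns a silent link swap into an alert; `fingerprinting_scripts` is noisier, since legitimate analytics also read these properties, so treat it as a prompt to diff the script against the last known-good copy rather than as proof of compromise.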
Operation PhantomPrayers
Operation PhantomPrayers used a second domain, "hhthedalailama90.niccenter.net", to distribute a fake application named "DalaiLamaCheckin.exe". The app showed an interactive map inviting users to "send your blessings" to the Dalai Lama by clicking their location. As in the first operation, the visible function was a front for malicious behaviour.
Once opened, the app used DLL side-loading to launch PhantomNet. The backdoor communicates with a command-and-control server over TCP and can receive additional plugins that extend its capabilities on the compromised host.
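Both campaigns deliver their payload the same way: a seemingly legitimate executable (the TElement chat client above, DalaiLamaCheckin.exe here) loads a DLL that sits next to it and that the vendor never shipped. The practical check for an analyst or a careful user is to compare the installed folder against a known-good manifest of file hashes. The following is an added example, not code from the article or from either malware family; the manifest is assumed to come from the genuine vendor release, and the folder it audits is constructed from dummy bytes with hypothetical file names (the real packages are not reproduced).

```python
"""Audit an application folder for DLLs the vendor did not ship."""
import hashlib
import os
import tempfile


def sha256_of(path):
    """Hash a file in chunks so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def audit_app_dir(app_dir, manifest):
    """Compare every .dll/.exe under app_dir with a known-good manifest.

    manifest maps a relative path to its expected SHA-256. Returns sorted
    lists of 'unexpected' files (present with no manifest entry: the
    side-loading drop), 'modified' files (hash mismatch) and 'missing'
    files (in the manifest but absent from disk).
    """
    report = {"unexpected": [], "modified": [], "missing": []}
    seen = set()
    for root, _, files in os.walk(app_dir):
        for name in files:
            if not name.lower().endswith((".dll", ".exe")):
                continue
            full = os.path.join(root, name)
            rel = os.path.relpath(full, app_dir).replace(os.sep, "/")
            seen.add(rel)
            if rel not in manifest:
                report["unexpected"].append(rel)
            elif manifest[rel] != sha256_of(full):
                report["modified"].append(rel)
    report["missing"] = list(set(manifest) - seen)
    for key in report:
        report[key].sort()
    return report


def build_sample():
    """Construct a throwaway folder mimicking a trojanised package.

    File contents are dummy bytes and the names are hypothetical. A
    launcher and one vendor DLL are recorded in the manifest as shipped;
    then an extra DLL is dropped beside the launcher (the side-loading
    pattern, where the name is one the launcher searches for on start-up)
    and the vendor DLL is overwritten with different bytes.
    """
    app_dir = tempfile.mkdtemp(prefix="sideload_demo_")
    shipped = {"app.exe": b"MZ launcher bytes", "libcore.dll": b"MZ vendor dll"}
    manifest = {}
    for rel, data in shipped.items():
        path = os.path.join(app_dir, rel)
        with open(path, "wb") as f:
            f.write(data)
        manifest[rel] = sha256_of(path)
    # Tampering: planted loader DLL plus a patched vendor DLL.
    with open(os.path.join(app_dir, "helper.dll"), "wb") as f:
        f.write(b"MZ attacker loader")
    with open(os.path.join(app_dir, "libcore.dll"), "wb") as f:
        f.write(b"MZ patched vendor dll")
    return app_dir, manifest


if __name__ == "__main__":
    folder, known_good = build_sample()
    result = audit_app_dir(folder, known_good)
    for kind, files in result.items():
        for rel in files:
            print(f"{kind}: {rel}")
```

The manifest has to come from somewhere the attacker does not control: a vendor-published hash list, a package signature, or a hash set taken from a clean install on a trusted machine. Without that reference the audit only tells you what is on disk, not whether it belongs there.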
The Impact and Broader Context
The techniques used in these attacks fit a larger pattern. Over the past two years, groups such as EvilBamboo, Evasive Panda, and TAG-112 have targeted the Tibetan diaspora with similar methods to collect sensitive information. These latest campaigns underline the persistent threat that state-sponsored hacking poses to minorities and political dissidents.
Malware Capabilities
Gh0st RAT stands out for its breadth of functionality. It lets operators manipulate files, capture screenshots, read clipboard contents, record webcam video, log keystrokes, and remotely manage running processes and services. That feature set shows how much damage such malware can do to individuals and organisations in the targeted community.
Conclusion
These campaigns, timed to a significant event like the Dalai Lama's birthday, show the lengths to which threat actors will go to infiltrate the Tibetan diaspora and gather intelligence. Awareness and vigilance among targeted communities remain essential, as do robust defensive measures, starting with obtaining software only from the vendor's own channels and treating unexpected download prompts on a familiar site as a warning sign.