Shifting Tactics, Same Results: Users at Risk

Citizen Lab is releasing a new report today entitled, “Shifting Tactics: Tracking changes in years-long espionage campaign against Tibetans,” authored by Jakub Dalek, Masashi Crete-Nishihata, and John Scott-Railton.

Tibetans have long suffered persistent cyber espionage. Being perceived as one of the political thorns in the side of the Chinese regime means that all the sophisticated digital spying campaigns we so often hear about targeting companies and governments in the West — Tibetans have faced them too. When it comes to cyber attacks, in other words, they have been canaries in the coal mine.

Today, the Citizen Lab is releasing a new report that details the latest iteration of a long-running espionage campaign against the Tibetan community. Using malware and emails shared with us by trusted partners in Tibetan communities, Citizen Lab researchers were able to track the evolution in attacker behaviour from document-based malware attacks of the sort many are familiar with (“don’t click on that attachment, it might contain malware!”) to credential-phishing attacks that draw on “inside” knowledge and attempt to trick users into entering their credentials into look-alike pages for cloud-based services, such as Google Docs.

One interesting observation we make is that this shift in tactics maps onto changes in security behaviours that the Tibetans themselves made. To protect themselves and their community, some years ago Tibetans began advocating against opening attachments (“Detach from Attachments”). The attackers noticed, however, and altered their methods in response, moving to lures that require no attachment at all. The speed with which this change happened shows how difficult it is for groups like the Tibetans to remain safe online.

Once again, what we find hitting civil society overlaps with what the private sector has previously identified hitting its clients. In this case, we connect the attack group’s infrastructure and techniques to a group previously identified by Palo Alto Networks, which they named Scarlet Mimic. We add detail about the command and control infrastructure and the targeting of victims to the Palo Alto report.

The information vacuumed up by whoever is behind these attacks is sensitive, and in the hands of a well-resourced adversary like China could cause serious damage to the safety and security of individuals in Tibet and beyond. The extracted information could also be used in support of efforts to frustrate and isolate political groups in the Tibetan diaspora.

We conclude the report with several tips, tools, and tactics on how users can protect themselves against this type of attack.

The full report is here:

Update: Motherboard’s Lorenzo Franceschi-Bicchierai wrote up a great piece about it here: