Espionage Tactics Against Tibetans

A Citizen Lab research study of Chinese attack and espionage tactics against Tibetan networks and users.

This report describes the latest iteration in a long-running espionage campaign against the Tibetan community. We detail how the attackers continuously adapt their campaigns to their targets, shifting tactics from document-based malware to conventional phishing that draws on "inside" knowledge of community activities. This adaptation appears to track changes in security behaviors within the Tibetan community, which has been promoting a move from sharing attachments via e-mail to using cloud-based file sharing alternatives such as Google Drive.

We connect the attack group's infrastructure and techniques to a group previously identified by Palo Alto Networks, which they named Scarlet Mimic. We provide further context on Scarlet Mimic's targeting and tactics, and the intended victims of their attack campaigns. In addition, while Scarlet Mimic may be conducting malware attacks using other infrastructure, we analyze how the attackers re-purposed a cluster of their malware Command and Control (C2) infrastructure to mount the recent phishing campaign.

This move is only the latest development in the ongoing cat and mouse game between attack groups like Scarlet Mimic and the Tibetan community. The speed and ease with which attackers continue to adapt highlights the challenges faced by Tibetans who are trying to remain safe online.

News article.

Posted on March 10, 2016 at 2:16 PM • 14 Comments

Thoth • March 10, 2016 6:06 PM

These exploits are simply methods that are out there. There are many higher assurance techniques available to improve security and some are already rather mature (i.e. hardware protection via smartcards), but the thing is most of our systems are simply not catching up. Research on microkernels and minimal TCBs, verifiable systems and such has existed for decades within small communities with little interest (due to resources and public interest).

We are still seeing people trying to harden Linux kernels with a huge TCB base to make them "secure" when we could have pushed more effort into more secure microkernel directions (i.e. the Genode project).

We have hardware assisted login via security devices (i.e. FIDO devices), but the cost of deploying FIDO services for small servers and small groups can be tough due to resources. Google supports FIDO login, but the uptake of such measures to increase security is not seeing more use fast enough, likely because people don't want to carry yet another security device, although fair enough, a phone-based 2FA is enough to ruin a person's day. Is this just technology being unstable for 2FA or people just being lazy on security?

We know to be careful of clicking on suspicious links or opening email attachments, but I guess not many of us bother to think twice before clicking on a link or downloading email attachment contents despite knowing the risks.

This isn't just a Tibetan issue but an issue on a global scale, with bad actors ranging from lone wolf hackers to organised crime and state actors.

Despite years of research and education on security, we still haven't moved much in my opinion. Secure technologies are still something most common people shun and think are for the paranoid until something extremely nasty happens to them.

Clive Robinson • March 10, 2016 6:21 PM

There is a question that arises from,

    The speed and ease with which attackers continue to adapt highlights the challenges faced by Tibetans who are trying to remain safe online.

Which is,

    Is it actually possible to "remain safe online" when communicating over an insecure network that an attacker controls in part or in full?

It can safely be assumed that whoever the attackers are, they are very well informed about their target. In the past it might have been assumed that there was "an inside man" or two. However, these days if it's a state-sponsored attack, then there is a good chance that the attackers have gained access to a router upstream of one or more of the target's key players, if not their actual machines, or both.

We now know this is "bread and butter" work for the likes of the NSA, GCHQ et al, so there is no reason to suppose that China --or India-- do not have similar capabilities. In the case of China it's more than likely they have full access to router hardware and software design documents and source code etc. This is because China is now one of the world's leading data comms infrastructure and consumer equipment suppliers, thus getting access covertly would not be difficult in any number of ways.

From what has been alleged in the past about Chinese theft of IP from the likes of Cisco, it would imply that China has good access to design data for the majority of routers at all levels manufactured in the world. Thus it would also be likely that they have good knowledge of how to subvert them...

From a first sight "Political MO" this fits in with other directly attributable behaviour of the Chinese Government towards Tibet and its exiled Government. China certainly controls the Tibetan data communications, and India controls the data communications for part of the Tibetan Government in exile. Which gives both China and India significant advantages. Whilst India is certainly concerned about China, it has historically had considerably greater concerns over the countries and regions to its North West.

Ralph • March 10, 2016 6:50 PM

Here's the problem: people assume that a "State Sponsored Attack" or "APT" is not something to be worried about... because, they'll only attack prime ministers, presidents, and kings and other "important people"... not us common "little people"...

Well. This is not so. This is a myth.

In certain countries (like... say... China) when I go down to the open air market to buy vegetables, every single seller there will try to cheat me with every trick in the book. In fact, if one of them ever tries to be "fair" to me, their peers will look down on them as being stupid and leaving money "on the table" that was rightfully theirs for the taking... Everyone who walks by is a mark, who must be cheated to the maximum they'll allow. Only stupid people will allow it though, so if you allow it you just deserve to be cheated. Think about what that means: the victim is always at fault, not the perpetrator.

This philosophy pervades not only every business transaction, but also everyone who learns much about computers. If you're stupid enough to not protect your computer systems, you deserve to have everything on them stolen. Might is right, weakness should always be exploited. Or as Mao Zedong said, "Power comes from the barrel of a gun."

If you haven't personally experienced this APT yet, you're just waiting your turn to be caught, that's the only thing keeping you temporarily "safe"... It's only a matter of time.

Ralph • March 10, 2016 7:22 PM

It amazes me that the majority of people seem to have the reasoning powers of fish.

MIA Paper Planes • March 10, 2016 11:02 PM

Good article, like to see media coverage kept up on it, but unfortunately, nothing new.

Tracking it back, was interesting to see the attackers also targeting such groups as Russian anti-terrorist groups. Clearly, this was also China, seeking to pilfer information on their own terrorist concerns from the Muslim Chinese community they are targeting.

Amateurish actions involved -- make no mistake this is PRC work.

This speaks of how tense Russian-Chinese relations really are.

China and Western nations work very closely and share openly on terrorist data. No reason not to.

While Nation State attribution can be forged, and some grisly false flag operation could be run -- people forget, leaders of major nations are not really crazy nor stupid. Even if they have to pretend to be so for diplomatic advantage.

North Korea really hacked Sony. The US really hacked Kaspersky. US and Israel really hacked Iran.

And Russian military intelligence really has been hacking power plants for potential future combat advantages. They certainly were behind the Ukrainian power plant sabotage hack this December.

Even nation states use crappy COTS tools for reconnaissance. Some actually, 'not so crappy'. Much recon can be performed stealthily, but plenty cannot. So this is the only way to provide any manner of stealth to such behavior.

Exposing difficult to find, critical security vulnerabilities is a known, precious commodity. Likewise, with extremely well written rootkit code.

(Further argument: )


65535 • March 11, 2016 7:58 AM

‘Espionage tactics against Tibetans’

Segueing into legal "espionage tactics by the FBI/NSA against Americans" in the Apple case:


‘DOJ to Apple: Start Cooperating or You’ll Get the Lavabit Treatment’

“DOJ has submitted its response to Apple in the Syed Farook case. Amid invocations of a bunch of ominous precedents — including Dick Cheney’s successful effort to hide his energy task force, Alberto Gonzales effort to use kiddie porn as an excuse to get a subset of all of Google’s web searches, and Aaron Burr’s use of encryption — it included this footnote explaining why it hadn’t just asked for Apple’s source code [the Lavabit NSL] …a reference to the Lavabit appeal, in which Ladar Levison was forced to turn over its encryption keys… Lavabit submitted an amicus in this case (largely arguing against involuntary servitude). But as part of it, they revealed that the reason the government demanded Lavabit’s key is because “in deference to [Edward Snowden’s] background and skillset, the Government presumed the password would be impossible to break using brute force.” … that says that for phones that — unlike Farook’s which had a simple 4-digit passcode — the government maintains the right to demand more, up to and including their source code. [The FBI/DOJ arguing] it is just about this one phone. But that footnote, along with the detail explaining why they felt the need to obtain Lavabit’s key, suggests it’s about far more than even Apple has claimed thus far.” -Emptywheel



‘In Bizarre Move, Dianne Feinstein Attacks Tech Companies for Profiting Off Spying on Their Customers’


“…why is the Ranking Member of the Collect It All Committee raising these concerns — aside from maybe just now learning how much companies have on her? … The only explanation (aside from some recent discovery of how much of her own data these companies have) I can think of is that DiFi has learned how little data iMessage and Signal collect on people, and was supposed to complain that she is furious that companies that, by collecting so little, limit how cooperative they can be in cases of legal requests, also offer security for their customers. But she appeared to be reading from a written statement, so that doesn’t make sense either. The only other possibility I can imagine is that the government is trying to expand its access to this proprietary information under PRISM, and providers are balking...” –Emptywheel

[I would have posted this in the Friday open thread but it's not up – feel free to move it to the squid thread]

Clive Robinson • March 11, 2016 9:15 AM

@ 65535,

    I would have posted this in the Friday open thread but it's not up...

Sometimes the "early bird" does not get a wriggler breakfast...

Bruce tends to post at two times on a Friday: the day's blog page around 14:00 UK time or early morning US time, sometimes earlier depending on his time zone at the time, and the Friday Squid at "late lunch" or POETS time in the US (and even on the occasional weekend day, which could mean it was one heck of a lunch on the Friday ;-)

65535 • March 11, 2016 10:13 AM

@ Clive
Wow, you have got this blog thoroughly analyzed. Good going.

Next, to the obvious errors in the FBI's court response

"Where is the evidence that Apple cracked the iPhone's security for China? Oh, that's right, there is none, because it didn't happen. Apple gave the Chinese government access to iCloud data just like they give access to the feds here." -CraigJ, Ars Praetorian


"Apple should fire back. So you want to treat Americans like the Chinese?" -Akemi, Ars Scholae Palatinae

See comments

actual Government Brief:

Dirk Praet • March 12, 2016 5:10 PM

@ 65535

Re. DOJ to Apple: 'Start Cooperating or You’ll Get the Lavabit Treatment’

I would very much like to see the DoJ demand that Apple turn over the full iOS source code. It would set a formidable precedent for seizing immensely valuable intellectual property from a party that is neither accused of nor complicit in any crime. Next thing you know, they can go after any company or private individual holding IP that for whatever reason is of special interest to the government. Just get a judge to produce a warrant.

Time for the US tech industry to get really scared and start looking into off-shoring solutions.

Clive Robinson • March 13, 2016 10:00 PM

@ Dirk Praet,

Time for the US tech industry to get really scared and start looking into off-shoring solutions.

They do it for "tax reasons", so some are already quite a ways down that road.

One tax trick is to put IP etc. in a place with favourable tax arrangements and then use "licensing arrangements" to pull "earnings excess to expenditure", which would otherwise be taxable, out of a higher tax jurisdiction.

In essence it's like using back-to-back loans from a low or no tax haven offshore (often ex-British colonies).

So large corporates are well versed in setting up such "out of jurisdiction" entities.

But the DOJ / FBI either forget or discount what the result of their little power grab will be...

I think it's safe to say that "brains" are not really an "export controllable" item. The US has seen the result of "off shoring" manufacturing jobs (devastation of urban environments, drugs, crime, destitution etc.), caused by the removal of "low wage earners'" disposable income from the local economies, thus slowing or stopping "economic churn". What do people think is going to happen when corporates and major companies start to "Off Shore IP"?

ianf • March 29, 2016 12:48 PM

[Clearing the backlog.]

@ Ralph: “It amazes me that the majority of people seem to have the reasoning powers of fish.”

Could it be because the majority of people once were fish (=atavism)? The minority must be within the statistical error, or else they're all from that vast empty vacuum between Venus and Jupiter.

     … and then reflects on the analogy between risks of "State Sponsored Attacks;" the (allegedly common) Chinese marketplace cheating practices; and their similarly all-pervading philosophy (or, rather, pedestrian mentality) of business transactions and computer security. Long story short: “Everyone who walks by is a mark who must be cheated to the maximum they'll allow. Only stupid people will allow it though, so if you allow it you just deserve to be cheated. Think about what that means: the victim is always at fault, not the perpetrator.”

I can relate to that in other settings. It also reminded me of something I once read which took me a while to re-discover to present here as YA sample of (somewhat analogous) non-occidental mentality. From a 1989 review of “The Closed Circle: An Interpretation of the Arabs” that asks aloud "Why Aren't the Arabs More Like Us?:"

    […] In contrast to the prevailing attitude in Western society, shame for an Arab does not derive so much from the commission of misdeeds […] as from being bested by another. Thus there is no shame in engaging in what Westerners would regard as lying or cheating, especially in commercial transactions; for the exclusive aim is to come out on top, regardless of the methods used. It is an attitude that has caused much misunderstanding and ill-feeling between Arabs and Westerners.

@ Dirk Praet [12 March 2016] comments Re: DOJ to Apple: 'Start Cooperating or You’ll Get the Lavabit Treatment’ with […] “Time for the US tech industry to get really scared and start looking into off-shoring solutions.”

If I'm not mistaken, practically all Apple hardware (which is what they primarily sell) is "Made in China," "Made in The Philippines," "Made Anywhere But In The U.S.A.," etc. The software and hardware design is done in California, but also in other places. Management is by remote control anyway. So, in a dream scenario… Apple reaches out to the Republic of Ireland—the most suitable option—gets SERIOUS SUBSIDIES (also for a MagLev train link between Dublin Airport and its own campus across the island), and iron-clad assurances of "eternal business sovereignty" from the host government, and moves over within 5 years or so with perhaps 30% of its present-day U.S. force (the critical rest becomes Apple subsidiary still in the U.S.) Meanwhile, the Op-Ed pages of leading American papers, and all talking heads on TV wring their hands and pull their hair in anguish in front of banners reading "Where Did We Go Wrong?" and "The End of American Century." Can't wait for that to happen.

    On a more serious note, when will the EU get its act together, and strive towards breaking the American market monopoly on smartphones and computers? If we could do that with the Airbus upending the cart of dominance of Boeing etc, we could do that with the electronic gadgets, too. Getting Apple to show the DoJ the finger, becoming an EU asset, would be a good start.

Dirk Praet • March 29, 2016 7:57 PM

@ ianf

On a more serious note, when will the EU get its act together, and strive towards breaking the American market monopoly on smartphones and computers?

Any such initiatives would be massively appreciated. We are way too dependent on the US for way too many things.

Clive Robinson • March 30, 2016 12:46 AM

@ Dirk Praet, ianf,

Any such initiatives would be massively appreciated. We are way too dependent on the US for way too many things.

It's slightly worse than US manufacturers; it's also EU manufacturers under US control, directly or indirectly... And the US driven "Trade" negotiations have a "one way backdoor" via the inter-state dispute resolution processes (think of it as a form of "economic migrancy" at gun point and you won't be far wrong).

The EU really must reject very robustly any such control mechanism; it will be a very long term "evil" which will poison any future US-World relationships at all levels.

As for initiatives, there have been many in the past; the EU has not held back on providing funding. It was by and large the consumers that whined for "compatibility" with US products. Later came US corporate lobbying of non-elected EU legislators, which has caused considerable havoc one way or another (patents and copyright control being just two of very many).

As far as comms go the EU was years ahead of the US and in many respects still is. The way the US has played catch up has been to either manipulate the legal or regulatory process and where that did not work buy up EU and other Non US companies. Now they are "ham-stringing" the trade process to further close the gap.

The US attempts to maintain control of international trade and to extend the primacy of their legislation into all other nations is fairly relentless. Which means you can be certain that they will use whatever means they have to hand be it fair or foul to stop any kind of EU break away on technology.

The tech community all had a chortle at North Korean, Russian and Chinese attempts to come up with their own OSs, but since the Ed Snowden revelations I don't hear many "ho ho's" any longer, especially since Win10 and the court challenges to "Safe Harbour" data protection, with trade bodies of professions with confidentiality requirements saying "No Cloud, No Win 10".

Further, the press have been reporting the significance of DOJ/FBI -v- Apple, albeit quite badly, but there is now an increasing will to get out from under the US Tech Thumb; the trick will be managing to maintain it in the face of what will be a significant "all fronts attack" by the US.
