{"id":2523,"date":"2016-03-12T00:56:32","date_gmt":"2016-03-12T00:56:32","guid":{"rendered":"https:\/\/www.iuhrdf.org\/en\/2016\/03\/12\/how-tibetans-are-fighting-back-against-chinese-hackers\/"},"modified":"2023-08-22T05:26:56","modified_gmt":"2023-08-22T05:26:56","slug":"how-tibetans-are-fighting-back-against-chinese-hackers","status":"publish","type":"post","link":"https:\/\/iuhrdf.org\/en\/how-tibetans-are-fighting-back-against-chinese-hackers\/","title":{"rendered":"How Tibetans Are Fighting Back Against Chinese Hackers"},"content":{"rendered":"<p>On September 9 of last year, a Tibetan journalist received an email with what looked like a link to a Google document about a controversial Buddhist sect.<\/p>\n<p style=\"color: rgb(51, 51, 51); font-family: sans-serif, Arial, Verdana, 'Trebuchet MS'; font-size: 13px; line-height: 20.8px;\">10 March 2016 \/\/ 08:26 PM CET<\/p>\n<p style=\"color: rgb(51, 51, 51); font-family: sans-serif, Arial, Verdana, 'Trebuchet MS'; font-size: 13px; line-height: 20.8px;\">On September 9 of last year, a Tibetan journalist received an email with what looked like a link to a Google document about a controversial Buddhist sect.<\/p>\n<p style=\"color: rgb(51, 51, 51); font-family: sans-serif, Arial, Verdana, 'Trebuchet MS'; font-size: 13px; line-height: 20.8px;\">It could have been an interesting document, and it wasn\u2019t an attachment, something Tibetan activists and journalists&nbsp;<a href=\"http:\/\/www.huffingtonpost.com\/2014\/11\/11\/tibetan-monk-hacker-detach_n_6141188.html\" style=\"color: rgb(7, 130, 193);\" target=\"_blank\" rel=\"noopener\">have been specifically trained<\/a>&nbsp;to avoid. Yet the journalist found it suspicious. 
Instead of clicking through, the journalist immediately reported the email to a group of researchers who have been tracking cyberattacks against Tibetans for years.<\/p>\n<p style=\"color: rgb(51, 51, 51); font-family: sans-serif, Arial, Verdana, 'Trebuchet MS'; font-size: 13px; line-height: 20.8px;\">The journalist\u2019s instinct not to click and instead flag the email shows that in the years-long fight between Chinese hackers and Tibetans, the embattled group is making significant strides in forcing its attackers to adapt just by being more vigilant. And it might be thanks to the work of a small nonprofit that focuses on teaching Tibetans how to protect themselves online.<\/p>\n<p style=\"color: rgb(51, 51, 51); font-family: sans-serif, Arial, Verdana, 'Trebuchet MS'; font-size: 13px; line-height: 20.8px;\">Lobsang Gyatso Sither, a Tibetan living in exile in Dharamsala, India, is at the forefront of this battle. He has been working on the ground among the Tibetan diaspora to train and educate them about cybersecurity as part of the Tibet Action Institute.<\/p>\n<p style=\"color: rgb(51, 51, 51); font-family: sans-serif, Arial, Verdana, 'Trebuchet MS'; font-size: 13px; line-height: 20.8px;\">Sither said that the journalist didn\u2019t click because they had been trained to be \u201csure rather than sorry\u201d\u2014one of the main lessons of his training.<\/p>\n<p style=\"color: rgb(51, 51, 51); font-family: sans-serif, Arial, Verdana, 'Trebuchet MS'; font-size: 13px; line-height: 20.8px;\">\u201cIf you are not sure who the sender is, always assume the worst,\u201d he told Motherboard in an online chat from Dharamsala. 
(Sither said he saw the email in question, as well as many more similar ones, but declined to identify the journalist to protect her identity.)<\/p>\n<blockquote style=\"font-style: italic; font-family: Georgia, Times, 'Times New Roman', serif; padding: 2px 8px 2px 20px; border-style: solid; border-color: rgb(204, 204, 204); border-left-width: 5px; color: rgb(51, 51, 51); font-size: 13px; line-height: 20.8px;\">\n<h3 style=\"font-weight: normal; line-height: 1.2;\">\u201cIf you are not sure who the sender is, always assume the worst.\u201d<\/h3>\n<\/blockquote>\n<p style=\"color: rgb(51, 51, 51); font-family: sans-serif, Arial, Verdana, 'Trebuchet MS'; font-size: 13px; line-height: 20.8px;\">As it turned out, the email was indeed an attempt to hack the journalist, a phishing attack that was part of a larger operation to hack into Tibetans\u2019 Google accounts, according to a new report published on Thursday by&nbsp;<a href=\"https:\/\/citizenlab.org\/\" style=\"color: rgb(7, 130, 193);\" target=\"_blank\" rel=\"noopener\">Citizen Lab<\/a>, a research group at the University of Toronto&#8217;s Munk School of Global Affairs.<\/p>\n<p style=\"color: rgb(51, 51, 51); font-family: sans-serif, Arial, Verdana, 'Trebuchet MS'; font-size: 13px; line-height: 20.8px;\">For years, hackers likely working for the Chinese government have been trying to gather intelligence and track down Tibetans in the diaspora as well as members of pro-Tibet human rights groups. The new report highlights yet another change in tactics in a battle that\u2019s been a constant cat-and-mouse game between the hackers and their targets. 
And while it\u2019s hard to tell how successful this espionage campaign has been overall, the fact that the hackers have been forced to shift tactics various times in the last few months could mean that the awareness efforts led by Sither and the Tibet Action Institute are working.<\/p>\n<p style=\"color: rgb(51, 51, 51); font-family: sans-serif, Arial, Verdana, 'Trebuchet MS'; font-size: 13px; line-height: 20.8px;\">\u201cIt\u2019s a good sign,\u201d Nathan Freitas, the director of technology at the Tibet Action Institute, told Motherboard.<\/p>\n<p style=\"color: rgb(51, 51, 51); font-family: sans-serif, Arial, Verdana, 'Trebuchet MS'; font-size: 13px; line-height: 20.8px;\">The group has been raising awareness and teaching Tibetans that they themselves can be the best defense against hackers. In late 2014, the group tried to teach Tibetans not to open attachments with a&nbsp;<a href=\"https:\/\/www.youtube.com\/watch?v=v4E1SRDmtZE\" style=\"color: rgb(7, 130, 193);\">funny YouTube video<\/a>&nbsp;called \u201cdetach from attachments.\u201d Now, they are trying to emphasize the importance of avoiding outdated software with another playful video encouraging Tibetans to&nbsp;<a href=\"https:\/\/www.cybersuperhero.net\/dont-wait-update\/\" style=\"color: rgb(7, 130, 193);\">keep their computers updated<\/a>.<\/p>\n<p style=\"color: rgb(51, 51, 51); font-family: sans-serif, Arial, Verdana, 'Trebuchet MS'; font-size: 13px; line-height: 20.8px;\">While these efforts might seem basic and perhaps even cheesy, they make cybersecurity approachable and easy to understand. 
And some evidence shows they might be working.<\/p>\n<p style=\"color: rgb(51, 51, 51); font-family: sans-serif, Arial, Verdana, 'Trebuchet MS'; font-size: 13px; line-height: 20.8px;\">The Citizen Lab report detailed three different phishing attacks against Tibetans, and linked them to a known&nbsp;<a href=\"http:\/\/researchcenter.paloaltonetworks.com\/2016\/01\/scarlet-mimic-years-long-espionage-targets-minority-activists\/\" style=\"color: rgb(7, 130, 193);\">hacker group<\/a>&nbsp;with likely ties to the Chinese government. These recent attacks were all designed to trick the targets into giving up the passwords of their Google accounts, according to the researchers.<\/p>\n<p style=\"color: rgb(51, 51, 51); font-family: sans-serif, Arial, Verdana, 'Trebuchet MS'; font-size: 13px; line-height: 20.8px;\">Last year, in the months following the \u201cDetach from Attachments\u201d campaign, Citizen Lab showed that the hackers had started moving away from attaching documents laced with malware, and instead&nbsp;<a href=\"https:\/\/motherboard.vice.com\/read\/hackers-target-tibetans-with-malicious-google-drive-files\" style=\"color: rgb(7, 130, 193);\">started leveraging files uploaded to Google Drive<\/a>&nbsp;to trick their targets into downloading files and hack their computers. Now, after the use of Google Drive links was exposed, it seems the hackers are again adjusting their methods, trying to steal Google credentials rather than infect targets.<\/p>\n<p style=\"color: rgb(51, 51, 51); font-family: sans-serif, Arial, Verdana, 'Trebuchet MS'; font-size: 13px; line-height: 20.8px;\">Phishing isn\u2019t a sophisticated hacking technique per se, but if done well, it can be effective. 
And if successful, it could allow hackers to infiltrate the lives of Tibetans in the diaspora and inside China, putting them and their contacts in danger.<\/p>\n<p style=\"color: rgb(51, 51, 51); font-family: sans-serif, Arial, Verdana, 'Trebuchet MS'; font-size: 13px; line-height: 20.8px;\">\u201cThe attackers\u2019 goal is to simply cause havoc and fear, and disrupt the ability of Tibetan exile groups to organize and communicate on the internet,\u201d Freitas said.<\/p>\n<p style=\"color: rgb(51, 51, 51); font-family: sans-serif, Arial, Verdana, 'Trebuchet MS'; font-size: 13px; line-height: 20.8px;\">The mere fact that these emails ended up in a report shows that at least some Tibetans have been able to avoid some cyberattacks. But this new wave of attacks shows that the hackers aren\u2019t giving up either.<\/p>\n<p style=\"color: rgb(51, 51, 51); font-family: sans-serif, Arial, Verdana, 'Trebuchet MS'; font-size: 13px; line-height: 20.8px;\">\u201cThese attackers are patient, responsive, and will adapt,\u201d Masashi Crete-Nishihata, the research manager at Citizen Lab, told me. \u201cThere is no one step that guarantees security all the time. Defense is a process.\u201d<\/p>\n<blockquote style=\"font-style: italic; font-family: Georgia, Times, 'Times New Roman', serif; padding: 2px 8px 2px 20px; border-style: solid; border-color: rgb(204, 204, 204); border-left-width: 5px; color: rgb(51, 51, 51); font-size: 13px; line-height: 20.8px;\">\n<h3 style=\"font-weight: normal; line-height: 1.2;\">\u201cThere is no one step that guarantees security all the time. Defense is a process.\u201d<\/h3>\n<\/blockquote>\n<p style=\"color: rgb(51, 51, 51); font-family: sans-serif, Arial, Verdana, 'Trebuchet MS'; font-size: 13px; line-height: 20.8px;\">In this case, the hackers reused some of the same infrastructure from past cyberattacks against Tibetans as well as Uyghurs, another minority that\u2019s been in the crosshairs of the Chinese government. 
This allowed Citizen Lab researchers to link the phishing attacks to a hacking group previously identified by the security firm Palo Alto Networks and dubbed&nbsp;<a href=\"http:\/\/researchcenter.paloaltonetworks.com\/2016\/01\/scarlet-mimic-years-long-espionage-targets-minority-activists\/\" style=\"color: rgb(7, 130, 193);\" target=\"_blank\" rel=\"noopener\">Scarlet Mimic<\/a>.<\/p>\n<p style=\"color: rgb(51, 51, 51); font-family: sans-serif, Arial, Verdana, 'Trebuchet MS'; font-size: 13px; line-height: 20.8px;\">It\u2019s unclear who is really behind the group, but given its choice of targets and the infrastructure it uses, all signs seem to point to China. (The Chinese embassy in Washington D.C. did not respond to a request for comment.)<\/p>\n<p style=\"color: rgb(51, 51, 51); font-family: sans-serif, Arial, Verdana, 'Trebuchet MS'; font-size: 13px; line-height: 20.8px;\">While they\u2019ve been able to document part of this cyberespionage campaign, Citizen Lab researchers warned that the hackers are still out there, and are likely using other tactics to target Tibetans. In other words, this is just a glimpse into the larger cyberwar that\u2019s not going to stop anytime soon. 
Both Citizen Lab and the Tibet Action Institute expect more to come, especially on days like March 10, which marks the anniversary of the&nbsp;<a href=\"https:\/\/en.wikipedia.org\/wiki\/Tibetan_Uprising_Day\" style=\"color: rgb(7, 130, 193);\" target=\"_blank\" rel=\"noopener\">1959 Tibetan uprising<\/a>, as hackers tend to latch onto current events or significant dates to craft phishing emails.<\/p>\n<p style=\"color: rgb(51, 51, 51); font-family: sans-serif, Arial, Verdana, 'Trebuchet MS'; font-size: 13px; line-height: 20.8px;\">That\u2019s why they\u2019re promoting the use of protections such as two-factor authentication, as well as a little-known&nbsp;<a href=\"https:\/\/chrome.google.com\/webstore\/detail\/password-alert\/noondiphcddnnabmjcihcjfbhfklnnep?hl=en\" style=\"color: rgb(7, 130, 193);\" target=\"_blank\" rel=\"noopener\">Chrome extension<\/a>&nbsp;that alerts users when they enter their Google password in a page that doesn\u2019t belong to Google.<\/p>\n<p style=\"color: rgb(51, 51, 51); font-family: sans-serif, Arial, Verdana, 'Trebuchet MS'; font-size: 13px; line-height: 20.8px;\">\u201cThe community must remain vigilant,\u201d Citizen Lab\u2019s Crete-Nishihata said.<\/p>\n<p style=\"color: rgb(51, 51, 51); font-family: sans-serif, Arial, Verdana, 'Trebuchet MS'; font-size: 13px; line-height: 20.8px;\">Sither, who has been working at the Tibet Action Institute since 2011, has a very Buddhist way of looking at this constant cat-and-mouse battle.<\/p>\n<p style=\"color: rgb(51, 51, 51); font-family: sans-serif, Arial, Verdana, 'Trebuchet MS'; font-size: 13px; line-height: 20.8px;\">\u201cThe attacks are not going to stop, but if we can increase the cost of launching these attacks,\u201d he told me. 
\u201cThat is a small victory.\u201d<\/p>\n","protected":false},"excerpt":{"rendered":"<p>On September 9 of last year, a Tibetan journalist received an email with what looked like a link to a Google document about a controversial Buddhist sect.<\/p>\n","protected":false},"author":3,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[6,197],"tags":[],"topic":[],"class_list":["post-2523","post","type-post","status-publish","format-standard","hentry","category-news","category-tibet"],"acf":[],"_links":{"self":[{"href":"https:\/\/iuhrdf.org\/en\/wp-json\/wp\/v2\/posts\/2523","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/iuhrdf.org\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/iuhrdf.org\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/iuhrdf.org\/en\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/iuhrdf.org\/en\/wp-json\/wp\/v2\/comments?post=2523"}],"version-history":[{"count":1,"href":"https:\/\/iuhrdf.org\/en\/wp-json\/wp\/v2\/posts\/2523\/revisions"}],"predecessor-version":[{"id":7769,"href":"https:\/\/iuhrdf.org\/en\/wp-json\/wp\/v2\/posts\/2523\/revisions\/7769"}],"wp:attachment":[{"href":"https:\/\/iuhrdf.org\/en\/wp-json\/wp\/v2\/media?parent=2523"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/iuhrdf.org\/en\/wp-json\/wp\/v2\/categories?post=2523"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/iuhrdf.org\/en\/wp-json\/wp\/v2\/tags?post=2523"},{"taxonomy":"topic","embeddable":true,"href":"https:\/\/iuhrdf.org\/en\/wp-json\/wp\/v2\/topic?post=2523"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}