China-linked Group Hacked Tibetan Media and University Sites to Distribute Cobalt Strike Payload

Summary: A China-linked hacker group, TAG-112, has compromised Tibetan media and university websites in an espionage campaign aimed at gathering intelligence for Beijing. This attack is part of a broader pattern of targeting the Tibetan community, which has been under threat from various Chinese cyber-espionage groups.

Threat Actor: TAG-112
Victim: Tibet Post and Gyudmed Tantric University

Key Points:

  • TAG-112 has compromised the websites of Tibetan media and educational institutions to collect intelligence for the Chinese government.
  • The group is believed to be a subgroup of Evasive Panda, sharing similar targeting interests but lacking its sophistication.
  • Both groups have manipulated compromised websites to distribute malicious files disguised as security certificates.
  • TAG-112 likely exploited a vulnerability in the victims' Joomla-based websites to plant the malicious code, and relied on the Cobalt Strike Beacon payload rather than custom malware.
  • The Tibetan community remains a significant target for Chinese cyber-espionage efforts, viewed as subversive by the Chinese Communist Party.

A China-linked state hacker group has compromised Tibetan media and university websites in a new espionage campaign, researchers have found — part of a series of attacks targeting the Tibetan community in order to collect intelligence for Beijing.

The websites of the digital news outlet Tibet Post and Gyudmed Tantric University were hacked in late May and remain compromised as of the time of writing. Researchers at Recorded Future’s Insikt Group track the group behind the activity as TAG-112. 

The Record is an editorially independent unit of Recorded Future.

According to a new Insikt Group report, TAG-112 has several overlaps with another Chinese state-sponsored group, Evasive Panda, which has been described as “highly skilled and aggressive.”

Evasive Panda is also interested in targeting the Tibetan community and previously compromised the Tibet Post. Both threat actors have also manipulated hacked websites to prompt visitors to download a malicious file disguised as a “security certificate.”

Despite these similarities, Insikt Group analysts believe TAG-112 is a separate hacker group, as it lacks Evasive Panda’s sophistication and hasn’t deployed custom malware. Instead, the group used Cobalt Strike, a commercial adversary-simulation tool built to let security professionals emulate attacks. Its Beacon implant has been widely adopted by real attackers, so its presence alone does not identify a particular group.

TAG-112 is likely a subgroup of Evasive Panda, working toward the same or similar intelligence requirements, researchers said.

Both websites compromised by the group were “almost certainly” built with the Joomla content management system (CMS), which “if not maintained and updated… become[s] an easy target for cyber threat actors,” the researchers said. The group likely exploited a vulnerability in the websites to plant the malicious code that serves the fake certificate prompt to visitors.
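The compromise pattern above (a legitimate site modified so that it serves an injected script pushing visitors a fake “security certificate” download) is something a site owner can catch by comparing the page the server actually serves against a known-good copy. The following Python script is an added example, not code from the Insikt Group report or from either compromised site; the HTML snippets, the script URL and the lure keywords in it are constructed for illustration and are not indicators from this campaign.

```python
"""Flag script content injected into a served web page by diffing it against a
known-good baseline. Added example; the HTML, URLs and keywords are constructed
and are not indicators from the TAG-112 campaign."""
import hashlib
import re
from html.parser import HTMLParser


class _ScriptCollector(HTMLParser):
    """Collect external <script src> URLs and inline <script> bodies."""

    def __init__(self):
        super().__init__()
        self.external = []   # src attribute values, in page order
        self.inline = []     # inline script bodies, in page order
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            self._in_script = False
            self.inline.append("".join(self._buf))


def _collect(html):
    p = _ScriptCollector()
    p.feed(html)
    p.close()
    return p


def _digest(body):
    # Whitespace-insensitive hash so minor re-rendering does not cause noise.
    return hashlib.sha256(body.strip().encode()).hexdigest()


def find_injected_scripts(baseline_html, live_html):
    """Return (new external URLs, new inline bodies) present in live but not baseline."""
    base = _collect(baseline_html)
    base_ext = set(base.external)
    base_inl = {_digest(s) for s in base.inline}
    live = _collect(live_html)
    new_ext = [u for u in live.external if u not in base_ext]
    new_inl = [s for s in live.inline if _digest(s) not in base_inl]
    return new_ext, new_inl


# Words common in download lures. Assumption for illustration, not campaign IOCs.
LURE_PATTERNS = [r"certificate", r"\.(exe|msi|scr|hta)\b", r"download", r"updat"]


def lure_indicators(script_body):
    """Return the lure patterns that match a script body (sorted, deduplicated)."""
    return sorted({p for p in LURE_PATTERNS if re.search(p, script_body, re.I)})


# Constructed sample: a clean page and the same page with two injected scripts.
BASELINE_HTML = """<html><head><title>News</title>
<script src="/media/jui/js/jquery.min.js"></script>
<script>var siteReady = true;</script>
</head><body><p>Latest stories</p></body></html>"""

INJECTED = """<script src="https://cdn.example.invalid/loader.js"></script>
<script>document.addEventListener('DOMContentLoaded', function () {
  alert('Your security certificate is out of date. Download the update to continue.');
  var a = document.createElement('a');
  a.href = '/cert/security-certificate.exe';
  a.download = 'security-certificate.exe';
  a.click();
});</script>
"""

LIVE_HTML = BASELINE_HTML.replace("</head>", INJECTED + "</head>")


if __name__ == "__main__":
    ext, inl = find_injected_scripts(BASELINE_HTML, LIVE_HTML)
    for url in ext:
        print("new external script:", url)
    for body in inl:
        print("new inline script, lure hints:", lure_indicators(body))
```

Run it against a baseline captured from a trusted deployment (or rebuilt from the CMS templates in version control) and the HTML fetched anonymously from the public site; a page that is clean should produce an empty result for both lists.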

The Tibetan community in exile, along with other ethnic minority groups in China, has long been a target for various Chinese cyber-espionage groups. Beijing perceives these groups as subversive or separatist elements challenging the Chinese Communist Party.

It is highly likely that both TAG-112 and Evasive Panda will continue their targeting of ethnic, religious, and human rights-linked organizations that operate in or have a nexus to China, researchers said.

Earlier in March, Tibetans were targeted with trojanized language-translation software in a cyber-espionage campaign linked to Evasive Panda. The attack affected Tibetans living in India, Taiwan, Hong Kong, Australia, and the U.S.


Source: https://therecord.media/china-linked-tibetan-group-hacked-sites