Citizen Lab (previously) is one of the world’s top research institutions documenting cyber-attacks against citizen groups, human rights activists, journalists and others; ten years ago, they made their reputation by breaking a giant story about “Ghostnet,” malicious software that the Chinese state used to convert the computers of the world’s Tibetan embassies into spying devices.
A decade later, Citizen Lab has published a new report that painstakingly documents the new ways in which a hacking group Citizen Lab calls “Poison Carp” (presumably, Chinese state hackers or contractors) have targeted Tibetan activists, the Tibetan government in exile, and Tibetans living in Chinese-occupied Tibet.
The new attacks, dubbed “Missing Link,” are “one-click mobile exploits”: WhatsApp chat URLs that targets are tricked into clicking, which then take over the targets’ mobile devices, turning them into roving bugs that expose the targets to intimate, pervasive, continuous surveillance.
The exploits used by Poison Carp are the same zero-days that were deployed in “watering hole attacks” on Uyghur Muslims in China’s Xinjiang province.
To address these challenges, Tibetan groups have recently formed the Tibetan Computer Emergency Readiness Team (TibCERT), a coalition between Tibetan organisations to improve digital security through incident response collaboration and data sharing. In November 2018, TibCERT was notified of suspicious WhatsApp messages sent to senior members of Tibetan groups. With the consent of the targeted groups, TibCERT shared samples of these messages with Citizen Lab. Our analysis found that the messages included links designed to exploit and install spyware on iPhone and Android devices. The campaign appears to be carried out by a single operator that we call POISON CARP. The campaign is the first documented case of one-click mobile exploits used to target Tibetan groups. It represents a significant escalation in social engineering tactics and technical sophistication compared to what we typically have observed being used against the Tibetan community.
Between November 2018 and September 2019, we collected one iOS exploit chain, one iOS spyware implant, eight distinct Android exploits, and an Android spyware package. The iOS exploit chain only affects iOS versions between 11.0 and 11.4, and was not a zero-day exploit when we observed it. The Android exploits include a working exploit publicly released by Exodus Intelligence for a Google Chrome bug that was patched, but whose patch had not yet been distributed to Chrome users. Other exploits include what appears to be lightly modified versions of Chrome exploit code published on the personal GitHub pages of a member of Tencent’s Xuanwu Lab (CVE-2016-1646), a member of Qihoo 360’s Vulcan Team (CVE-2018-17480), and by a Google Project Zero member on the Chrome Bug Tracker (CVE-2018-6065).
The exploits, spyware, and infrastructure used by POISON CARP link it to two recently reported digital espionage campaigns targeting Uyghur groups. In August 2019, Google Project Zero reported on a digital espionage campaign identified by Google’s Threat Analysis Group that used compromised websites to serve iOS exploits (including a zero-day in one case) to visitors for the purpose of infecting their iPhones with spyware. Subsequent media reporting cited anonymous sources who stated that the campaign targeted the Uyghur community and that the same websites were being used to serve Android and Windows malware. Following these reports, Volexity published details of a digital espionage campaign against Uyghurs that used compromised websites to infect targets with Android malware. While Volexity did not provide any technical indicators that overlap with Google’s report, they speculated that the operator may be the same in both cases. Our report provides these missing links.
Missing Link: Tibetan Groups Targeted with 1-Click Mobile Exploits [By Bill Marczak, Adam Hulcoop, Etienne Maynier, Bahr Abdul Razzak, Masashi Crete-Nishihata, John Scott-Railton, and Ron Deibert/Citizen Lab]