Citizen Lab (previously) is one of the world’s top research institutions documenting cyber-attacks against citizen groups, human rights activists, journalists and others; ten years ago, they made their reputation by breaking a giant story about “Ghostnet,” malicious software that the Chinese state used to convert the computers of the world’s Tibetan embassies into spying devices.
A decade later, Citizen Lab has published a new report that painstakingly documents the new ways in which a hacking group Citizen Lab calls “Poison Carp” (presumably, Chinese state hackers or contractors) has targeted Tibetan activists and the Tibetan government in exile.
The new attacks, dubbed “Missing Link,” are “one-click mobile exploits” — WhatsApp chat messages carrying URLs that targets are tricked into clicking, which then take over the targets’ mobile devices, turning them into roving bugs that expose the targets to intimate, pervasive, continuous surveillance.
The exploits used by Poison Carp are the same zero-days that were deployed in “watering hole attacks” on Uyghur Muslims in China’s Xinjiang province.
To address these challenges, Tibetan groups have recently formed the Tibetan Computer Emergency Readiness Team (TibCERT), a coalition between Tibetan organisations to improve digital security through incident response collaboration and data sharing. In November 2018, TibCERT was notified of suspicious WhatsApp messages sent to senior members of Tibetan groups. With the consent of the targeted groups, TibCERT shared samples of these messages with Citizen Lab. Our analysis found that the messages included links designed to exploit and install spyware on iPhone and Android devices. The campaign appears to be carried out by a single operator that we call POISON CARP. The campaign is the first documented case of one-click mobile exploits used to target Tibetan groups. It represents a significant escalation in social engineering tactics and technical sophistication compared to what we typically have observed being used against the Tibetan community.
Between November 2018 and September 2019, we collected one iOS exploit chain, one iOS spyware implant, eight distinct Android exploits, and an Android spyware package. The iOS exploit chain only affects iOS versions between 11.0 and 11.4, and was not a zero-day exploit when we observed it. The Android exploits include a working exploit publicly released by Exodus Intelligence for a Google Chrome bug that was patched, but whose patch had not yet been distributed to Chrome users. Other exploits include what appear to be lightly modified versions of Chrome exploit code published on the personal GitHub pages of a member of Tencent’s Xuanwu Lab (CVE-2016-1646), a member of Qihoo 360’s Vulcan Team (CVE-2018-17480), and by a Google Project Zero member on the Chrome Bug Tracker (CVE-2018-6065).
The exploits, spyware, and infrastructure used by POISON CARP link it to two recently reported digital espionage campaigns targeting Uyghur groups. In August 2019, Google Project Zero reported on a digital espionage campaign identified by Google’s Threat Analysis Group that used compromised websites to serve iOS exploits (including a zero-day in one case) to visitors for the purpose of infecting their iPhones with spyware. Subsequent media reporting cited anonymous sources who stated that the campaign targeted the Uyghur community and that the same websites were being used to serve Android and Windows malware.[1] Following these reports, Volexity published details of a digital espionage campaign against Uyghurs that used compromised websites to infect targets with Android malware. While Volexity did not provide any technical indicators that overlap with Google’s report, they speculated that the operator may be the same in both cases. Our report provides these missing links.
Missing Link: Tibetan Groups Targeted with 1-Click Mobile Exploits [By Bill Marczak, Adam Hulcoop, Etienne Maynier, Bahr Abdul Razzak, Masashi Crete-Nishihata, John Scott-Railton, and Ron Deibert/Citizen Lab]