In a recent wave of cyber-espionage targeting the Tibetan community, a China-linked hacker group known as TAG-112 has compromised several Tibetan media and academic websites, including those of Tibet Post and Gyudmed Tantric University. This campaign, attributed to state-sponsored actors working for Beijing, reflects ongoing attempts to surveil and gather intelligence on the Tibetan exile community and its activities.
TAG-112: A Distinct yet Aligned Threat Actor
The Insikt Group at Recorded Future has been tracking TAG-112’s activities and notes that the group shares multiple characteristics with Evasive Panda, another known Chinese state-sponsored cyber group. However, despite their overlapping targets and tactics, TAG-112 is viewed as a distinct subgroup due to its comparatively less sophisticated methods. Unlike Evasive Panda, TAG-112 does not use custom malware; instead, it relies on Cobalt Strike—a legitimate cybersecurity tool now widely misused by cybercriminals for command-and-control functions during real attacks.
Insikt Group analysts believe that TAG-112 and Evasive Panda may be serving similar intelligence objectives set by Chinese authorities, particularly concerning ethnic minority groups like the Tibetan community, which Beijing views as potentially subversive.
The Mechanics of the Attack: Exploiting CMS Vulnerabilities
Both compromised websites—the Tibet Post and Gyudmed Tantric University—were almost certainly built on the Joomla content management system (CMS). Researchers suggest TAG-112 likely exploited outdated CMS components, a common vector for cyber-espionage groups to insert malicious code. The inserted code prompted visitors to the affected sites to download a disguised “security certificate” that delivered the Cobalt Strike payload, effectively granting attackers access to users’ systems.
Persistent Targeting of the Tibetan Exile Community
The Tibetan community, especially those in exile, has long been a focal point for Chinese cyber-espionage campaigns. This latest attack is part of a broader pattern in which Chinese state-backed groups routinely target ethnic, religious, and human rights organizations perceived as opposing or challenging the Chinese Communist Party (CCP). Researchers expect TAG-112 and Evasive Panda to continue targeting these groups as part of a coordinated effort to suppress potential separatist sentiments and monitor the activities of ethnic minorities linked to China.
Expanding Beyond Websites: Broader Surveillance Efforts
Earlier this year, Evasive Panda executed a similar campaign using compromised translation software, affecting Tibetans across several countries, including India, Taiwan, Hong Kong, Australia, and the United States. The malicious software exploited linguistic tools widely used by the Tibetan diaspora, embedding spyware that could relay sensitive data back to Chinese intelligence agencies.
A Broader Context of Cyber Surveillance on Minorities
China’s cyber operations extend beyond the Tibetan community: ethnic minorities such as Uyghurs, as well as human rights organizations operating within China’s sphere of influence, are also frequent targets. Beijing’s reliance on groups like TAG-112 and Evasive Panda underscores its commitment to using cyber-espionage to monitor and suppress perceived threats to its national interests and ideological conformity. For the CCP, controlling narratives and curbing dissent among minority communities are priorities, making cyber-espionage a primary tool in enforcing state oversight.
As Chinese state-backed actors continue to exploit security weaknesses across platforms like Joomla, experts are urging organizations, especially those serving vulnerable communities, to maintain rigorous cybersecurity protocols, including regular CMS updates and network monitoring to detect potential breaches.
Implications for Cybersecurity and Human Rights
This campaign highlights the rising risks for organizations that support human rights and ethnic minority groups. Organizations operating in or connected to politically sensitive regions must remain vigilant against increasingly sophisticated cyber threats. As TAG-112 and groups like it continue targeting high-risk communities, cybersecurity measures such as multi-layered defenses, prompt CMS updates, and employee awareness are critical to countering this form of state-backed surveillance.
The TAG-112 campaign emphasizes the complex intersection of cybersecurity and human rights, showing how cyber tactics are deployed to support state agendas that infringe on the rights of ethnic and religious minorities. For the global cybersecurity community, these attacks underscore the urgent need for international vigilance, collaboration, and protective measures against cyber-espionage campaigns directed at vulnerable groups.

