By The Record, 13 November 2024
A China-linked state hacker group has compromised Tibetan media and university websites in a new espionage campaign, researchers have found — part of a series of attacks targeting the Tibetan community in order to collect intelligence for Beijing.
The websites of the digital news outlet Tibet Post and Gyudmed Tantric University were hacked in late May and remain compromised as of the time of writing. Researchers at Recorded Future’s Insikt Group track the group behind the activity as TAG-112.
The Record is an editorially independent unit of Recorded Future.
According to a new Insikt Group report, TAG-112 has several overlaps with another Chinese state-sponsored group, Evasive Panda, which has been described as “highly skilled and aggressive.”
Evasive Panda is also interested in targeting the Tibetan community and previously compromised the Tibet Post. Both threat actors have also manipulated hacked websites to prompt visitors to download a malicious file disguised as a “security certificate.”
Despite these similarities, Insikt Group analysts believe TAG-112 is a separate hacker group, as it lacks Evasive Panda’s sophistication and hasn’t deployed custom malware. Instead, the group used Cobalt Strike, a legitimate cybersecurity tool designed to help security professionals simulate cyberattacks. The Cobalt Strike Beacon payload has been widely adopted by hackers to carry out real attacks.
TAG-112 is likely a subgroup of Evasive Panda, working toward the same or similar intelligence requirements, researchers said.
Both websites compromised by the group were “almost certainly” built with the Joomla content management system (CMS), which “if not maintained and updated… become[s] an easy target for cyber threat actors,” the researchers said. The group likely exploited a vulnerability in the websites to upload the malicious code.