Hackers Target Tibetans With Malicious Google Drive Files
After Tibetans pledged to “detach from attachments,” their enemies adjusted.
Last year, a digital security group encouraged Tibetans who are often targeted by cyberattacks not to open suspicious files sent to them via email and "detach from attachments" to avoid being hacked.
Months later, the hackers who target them seem to have adjusted, using links to Google Drive files in their latest hacking attempts rather than simple files attached to phishing emails, according to a new report that details a series of recent attacks on Tibetan human rights activists and Hong Kong pro-democracy groups.
In one of the recent attacks, the hackers sent an email containing a link to a PowerPoint Slideshow hosted on Google Drive, according to new research published by Citizen Lab, the digital watchdog at the University of Toronto's Munk School of Global Affairs, on Monday.
Given that .PPS files don't display correctly within Google's in-browser viewer, the hackers were trying to get the victim to download the file and get infected.
This attack, which leverages a different vulnerability from previous attacks against the same group, seems to be a direct response by the hackers to the campaign "detach from attachments," promoted by the digital security group Tibet Action Institute.
"It is both rewarding and flattering to know that the campaign and curriculum we developed are working," Nathan Freitas, the director of technology at the Tibet Action Institute, told Motherboard. "But obviously very concerning that our well-resourced adversary is adapting their techniques as well."
The report also highlights once again that human rights organizations, as well as dissidents, are the often forgotten victims of cyberespionage, and the most vulnerable ones too. These victims may not receive adequate training on how to guard against phishing attacks, and may not have the resources to buy or upgrade their systems.
"Tibetan exile refugees have many things to worry about and consider in their daily lives, and digital security may not always come to the top of that priority list," Freitas admitted.
That's where he and his colleagues at the Tibet Action Institute come in.
"Our hope is that by finding ways to deal with these types of attacks in an approachable, day-to-day manner is the best, most sustainable response we can take," he added.
The campaign is an example of "approachable" strategies to counter cyberattacks. And it seems to be working, given that the hackers that target Tibetans in the diaspora are now using phishing attacks with Google Drive links "on a regular basis," according to Freitas—although Freitas added that "it's been a long time since anyone in our organization has been compromised."
The Citizen Lab report doesn't document any successful attack, but it also shows only a small sample, so it's possible that other targets are falling for these new techniques, according to John Scott-Railton, one of the researchers who worked on the report.
Either way, this is yet another reminder that attackers have an inherent advantage in cyberspace, especially when targeting activists or human rights dissidents.
"Attackers keep being sneaky [and] are exceptionally adaptable and nimble," Scott-Railton told Motherboard. "Detach from attachments seems to have been a remarkably successful campaign aimed at changing behavior."
"But for an attacker to make elements of that a little obsolete," he added, "all you need to do is shift up tactics."
So who are these hackers targeting Tibetans? While the researchers at Citizen Lab did not want to point the finger, all signs seem to point to the Chinese government, which has a long history of targeting Tibetan and Uyghur activists as well as Hong Kong pro-democracy groups.
This story has been updated to add a comment from Nathan Freitas.