Chinese state-sponsored hackers recently compromised two prominent Tibetan websites in a sophisticated cyber-espionage campaign to distribute the notorious Cobalt Strike malware.
The attack, attributed to the threat group TAG-112, highlights the ongoing digital threats faced by ethnic and religious minorities in China.
Recorded Future observed that hackers attacked the targeted websites, Tibet Post and Gyudmed Tantric University, in late May 2024. Both sites use the Joomla content management system, which the attackers exploited to inject malicious JavaScript code.
Free Ultimate Continuous Security Monitoring Guide - Download Here (PDF)
The hackers employed a clever social engineering tactic to trick visitors into downloading the malware:-
- Malicious JavaScript detects if the visitor is using a Windows operating system.
- If compatible, the script initiates a connection to the attacker’s command-and-control domain.
- A spoofed TLS certificate error page mimics Google Chrome’s warning.
- Users are prompted to download a “security certificate” to resolve the issue.
- Clicking the download link initiates the Cobalt Strike payload.
Cobalt Strike: A Powerful Cyber Weapon
Cobalt Strike is primarily designed as a penetration testing tool and has become a favorite among cybercriminals and state-sponsored actors. It provides robust capabilities for:-
- Remote access
- Lateral movement within networks
- Command and control operations
This campaign identified six distinct Cobalt Strike Beacon samples, all communicating with the attackers’ infrastructure.
TAG-112’s operations share similarities with another Chinese APT known as TAG-102 (Evasive Panda). Both groups target Tibetan communities and use similar tactics. However, TAG-112 appears less sophisticated, relying on off-the-shelf malware rather than custom tools.
This campaign underscores China’s ongoing efforts to monitor and control ethnic and religious minorities. The targeting of Tibetan websites aligns with the Chinese government’s broader strategy of surveillance and information control.
To protect against such attacks, organizations should implement robust intrusion detection and prevention systems, conduct regular user training on phishing and social engineering tactics, enable real-time monitoring for Cobalt Strike C&C servers, and maintain vigilant network traffic analysis.
As cyber-espionage campaigns continue to evolve, potential targets, especially minority groups and organizations, must remain vigilant and prioritize cybersecurity measures. The TAG-112 attack is an important reminder of the persistent digital threats communities face under scrutiny from state actors.
Attend a Free Webinar on How to Maximize Cybersecurity Program ROI