Son of Ghostnet: the mobile malware that targets Tibetans at home and abroad

Citizen Lab (previously) is one of the world's top research institutions documenting cyber-attacks against citizen groups, human rights activists, journalists and others; ten years ago, they made their reputation by breaking a giant story about "Ghostnet," malicious software that the Chinese state used to convert the computers of the world's Tibetan embassies into spying devices.

A decade later, Citizen Lab has published a new report that painstakingly documents the new ways in which a hacking group Citizen Lab calls "Poison Carp" (presumably, Chinese state hackers or contractors) have targeted Tibetan activists, the Tibetan government in exile, and Tibetans living in Chinese-occupied Tibet.

The new attacks, dubbed "Missing Link," are "one-click mobile exploits" -- Whatsapp chat URLs that are targets are tricked into clicking, which then take over the targets' mobile devices, turning them into roving bugs that expose the targets to the intimate, pervasive, continuous surveillance.

The exploits used by Poison Carp are the same zero-days that were deployed in "watering hole attacks" on Uyghur Muslims in China's Xinjiang province.

To address these challenges, Tibetan groups have recently formed the Tibetan Computer Emergency Readiness Team (TibCERT), a coalition between Tibetan organisations to improve digital security through incident response collaboration and data sharing. In November 2018, TibCERT was notified of suspicious WhatsApp messages sent to senior members of Tibetan groups. With the consent of the targeted groups, TibCERT shared samples of these messages with Citizen Lab. Our analysis found that the messages included links designed to exploit and install spyware on iPhone and Android devices.