By Joseph Menn
SANFRANCISCO (Reuters) – Sophisticated Chinese hackers who used a previously unknown iPhone security flaw to target ethnic minority Uighurs also went after Tibetans in exile, according to a report published on Tuesday.
It was the first detected use of malicious software against exiled Tibetans, who are protesting Chinese rule of the mountainous region, that required only a single click on a mobile device to work, experts at Citizen Lab said.
The link to the recently disclosed Uighur campaign suggests that forces likely working with the Chinese government are upgrading their surveillance efforts against key minorities more broadly, the nonprofit group said.
Citizen Lab, based at the University of Toronto, said it had worked with the recently established Tibetan CERT to monitor the cyber attacks, which occurred between Nov. 2018 and May 2019.
In the attacks, people posing as human rights workers or journalists contacted senior figures in Tibetan groups over Facebook’s WhatsApp messaging service, according to screen shots posted in the Citizen Lab report.
Using well-crafted cover stories, they tried to get the targets to click on links to websites that would have installed spyware on Apple or Android devices.
The Tibetans known to have clicked on the links were protected by patches that had been issued for the security flaws and they had updated their phones.
The spyware aimed at iPhones had also been used to target Uighurs in a campaign discovered by Google security researchers and disclosed this month.
An Apple spokesman said the attack tools did not work against the Tibetans who had updated their iPhones.
“We always encourage customers to download the latest version of iOS for the best and most current security enhancements,” said spokesman Todd Wilder.
China is facing growing international criticism over its treatment of Uighurs in Xinjiang. Members of the group have been subject to mass detentions in what China calls “vocational training” centres and widespread state surveillance.
A website that was hosting the Android tools, meanwhile, had also served malware to Uighur Android phones in an operation exposed this month by security firm Volexity lurking on websites frequented by Uighurs.
The two spying efforts have now been conclusively linked to each other and to the Tibetan hacks, said lead Citizen Lab researcher Bill Marczak.
“This is likely one operator or a small number of operators working closely together,” Marczak said.
“There’s a very clear nexus with China. It doesn’t automatically mean it’s the government, it’s kind of hard to say from a technical point of view. Maybe it’s likely,” he added.
The Uighur hacks included a “watering hole” approach, tainting a common internet gathering spot for the targets, that prompted Citizen Lab researches to look for similar infections on sites frequented by the Tibetan community.
They found none, but a similar watering hole attack on the Tibetans might have escaped their notice.
“There are bound to be more targets that we don’t know about,” said Lobsang Gyatso, secretary of TibCERT. He said that the group would use the report to spread awareness of the tactics and promote better defence.
Google’s watering hole report alarmed human rights workers and security experts because it included an unusual instance of an iPhone flaw being used to target a broad population, instead of being reserved for high-priority individuals.
Once used widely, flaws that can fetch as much as $1 million on the digital arms market are likely to be discovered and rendered obsolete with new patches.
Though Tibetans have been targeted by Chinese hackers for many years, Marczak said the new attempts represented a troubling escalation of effort.
(Reporting by Joseph Menn; editing by Darren Schuettler)