"A number of targeted computer viruses circulating via email throughout the Tibetan Government in Exile and Tibetan support groups and related Non-Government Organizations have been discovered or brought to our attention.

These viruses have appeared in a number of variants, indicating a progressive and sustained development process. For example, some were taking advantage of known security loopholes in Microsoft software in order to automatically run and are always personalized to impersonate departmental emails following previous attempts to collect email address lists. One variant analyzed was found to have been sourced from the Yunnan Province in China, and was designed to collect information of an infected computer and send it via email to an address in Beijing."

One of the earliest documented incidents of digital espionage against the community was reported in September 2003 by Jigme Tsering, a manager of the Tibetan Computer Resource Centre.⁷

Targeted malware delivered as file attachments to email messages is one of the most common digital espionage tactics experienced by the Tibetan community.

Targeted malware operations typically consist of the following process: The targeted user receives an email, possibly appearing to be from someone they know with a message—sometimes specific, sometimes generic—that urges the user to open an attachment, usually a PDF or Microsoft Office document or visit a website.

If the user opens the attachment or link with a vulnerable version of software that has been targeted for exploitation and no security mitigations are in place, their device will likely be compromised. A clean version of the document is typically embedded in the malicious file and is opened upon successful exploitation so as not to arouse suspicion of the recipient. Once the user’s computer is compromised, operators can extract documents, email and other data, and possibly move laterally through the compromised network to target other devices.

Research conducted into the decades of digital espionage against Tibetans has shown that – as a community – Tibetan civil society faces the same level of information security threats as major companies and governments, but with far fewer resources to defend against them. This stark reality was first revealed in 2009, when the Information Warfare Monitor (a collaboration between the Citizen Lab and the Secdev Group) published the report “Tracking GhostNet.”⁸ The investigation started as a probe into key Tibetan organizations to determine if they were compromised by digital espionage. The result was uncovering the GhostNet digital espionage network that compromised the Offices of HHDL and other Tibetan groups, alongside 1,295 computers in 103 countries around the world – 30% of which can be labeled as “high value” targets such as Ministries of Foreign Affairs and Embassies. The investigation traced the command and control servers used to issue commands to compromised machines back to locations in China. However, the researchers were unable to conclusively determine the potential role of the government. What was evident is that this network was performing politically motivated espionage targeting both civil society and governments. From the perspective of the Tibetan community the culprit was clear, it was the government of China.

When the GhostNet report was released, there were almost no public reports on digital espionage. In subsequent years public reporting from the Threat Intelligence industry grew considerably and served as marketing material for companies. In general these reports focus on threats to governments and the private sector which represent the customer base of the industry. Civil society is seldom the focus of these reports with an important exception, the Tibetan community.

In the accompanying report “Cyber Espionage Against Tibetans: An Analysis of Over Two Decades of Publicly Available Data"⁹, TibCERT systematically reviewed threat intelligence reports from 2009 to 2022 and found 63 reports¹⁰ which documented digital espionage against the Tibetan community. These reports are primarily focused on technical analysis of the malware threats and do not address how they affect the targeted individuals and organizations. Although there is a significant amount of publicly available reports of targeted espionage campaigns against the Tibetan community, we believe that this volume of public reports may not be the only reports available as it is likely plausible that threat intelligence companies may have a lot more internal reports that are not shared publicly.

The malware used in these campaigns often mirrors digital espionage activities originating from China that target governments and the private sector. Therefore, reporting on cyber threats against Tibetans do provide threat intelligence companies a way to publicly disclose details about the modus operandi behind these cyber attack campaigns without having to disclose any sensitive incidents or customer data. This phenomenon has amplified the coverage of cyber threats against the Tibetan diaspora community from threat intelligence companies among other civil society movements and oppressed minorities. These reports provide useful technical information and serve as evidence of decades of targeted espionage. However, typically these private sector reports are done without involvement of the Tibetan community and rarely provide any notifications or incident response support to targeted individuals and groups.¹¹ Therefore, while the reports provide value to companies, the Tibetan community does not receive any direct support.