"This incident caused us a lot of concern not only on the individual level but also on an organizational level. As an activist association, such impersonation and intrusion attempts to our important files and financial accounts will jeopardize the credibility and trustworthiness of our association within our society."

Digital espionage against the community often impersonates known people and groups by sending messages and emails that appear to come from trusted sources. Through these impersonations malware can spread through the community and undermine the credibility of Tibetan groups.

The Tibetan Women’s Association (TWA) is a key group in the Tibet movement that originates in the courageous protests of Tibetan women against the illegal occupation of Tibet by China in 1959. Targeted digital espionage campaigns have impersonated TWA to send malicious messages to other groups for years.

• In December 2018, a malicious email, purportedly from the TWA, circulated within the community. The email included a malicious attachment titled ‘Tibet was never a part of China’. Clicking on the attachment would infect the target’s computer with malware capable of extracting sensitive information.
• Similarly, in 2021, another impersonated email, titled ‘Inside Tibet and from the Tibetan exile community’, targeted institutions like the Library of Tibetan Works and Archive and offices of the Central Tibetan Administration (CTA) abroad. For victims using Firefox browser with Gmail logged in, clicking the malicious link grants near-total access to their Gmail accounts.

These impersonation attacks not only exploit the trust and reputation of Tibetan institutions but also undermine the collective security of the Tibetan community.

Kelsang Dolma, the Vice President of the TWA recounts the impact the incident had on the group.

Responding to the threat, the TWA promptly alerted recipients of the malicious emails to report them and refrain from clicking on any links or attachments. Additionally, TibCERT proactively reached out to organizations that received similar emails, urging them to assess their systems and networks for potential compromise.