Digital espionage campaigns often take advantage of targeted communities when they are most vulnerable, such as during periods of emergency. The COVID pandemic provided a perfect environment for digital espionage operators to spread a different type of infection.
Like the rest of the world, the Tibetan community was hit by the COVID pandemic in early 2020. Tibetans in India were particularly vulnerable due to the lack of access to health services and equipment. Furthermore, the close proximity in which the community lives made self-isolation difficult. While dealing with the daily challenges of the pandemic, Tibetans also found themselves under attack from digital espionage campaigns that leveraged concerns over COVID to spread malicious emails.
Emails posing as Tibetan human rights groups included PowerPoint files claiming to offer tips on China's effective management of the COVID-19 outbreak, but these files were actually embedded with malware.
A few months later, another espionage email campaign started that spoofed the account of Delek Hospital, one of the main healthcare institutions for the community. The emails included a document with information on “Public Protection against Covid-19”. However, this was again a trick, and the document was malware designed to spy on the community.
Another COVID-19-themed email attack was observed in which the attackers presented themselves as “DIIR INFO Secretary”. Although the content of the email was made to look like a general public awareness message on COVID-19 from the World Health Organisation (WHO), the interesting fact here is that the sender was shown as the Department of Information and International Relations (DIIR), an executive branch under the CTA. The guidance document itself was initially published on March 7, 2020, while the weaponized attachment was delivered by threat actors on March 16, 2020. This malicious attachment was later found to exploit a Microsoft vulnerability, and the malware was later dubbed ‘Sepulcher’ by Proofpoint, an American cybersecurity company. Proofpoint also attributed the malicious campaign to the Chinese APT group TA413. [17]