Son of Ghostnet: the mobile malware that targets Tibetans abroad


Citizen Lab (previously) is one of the world's top research institutions documenting cyber-attacks against citizen groups, human rights activists, journalists and others; ten years ago, they made their reputation by breaking a giant story about "Ghostnet," malicious software that the Chinese state used to convert the computers of the world's Tibetan embassies into spying devices.


A decade later, Citizen Lab has published a new report that painstakingly documents the new ways in which a hacking group Citizen Lab calls "Poison Carp" (presumably, Chinese state hackers or contractors) have targeted Tibetan activists and the Tibetan government in exile.

The new attacks, dubbed "Missing Link," are "one-click mobile exploits" — Whatsapp chat URLs that are targets are tricked into clicking, which then take over the targets' mobile devices, turning them into roving bugs that expose the targets to the intimate, pervasive, continuous surveillance.


The exploits used by Poison Carp are the same zero-days that were deployed in "watering hole attacks" on Uyghur Muslims in China's Xinjiang province.


To address these challenges, Tibetan groups have recently formed the Tibetan Computer Emergency Readiness Team (TibCERT), a coalition between Tibetan organisations to improve digital security through incident response collaboration and data sharing. In November 2018, TibCERT was notified of suspicious WhatsApp messages sent to senior members of Tibetan groups. With the consent of the targeted groups, TibCERT shared samples of these messages with Citizen Lab. Our analysis found that the messages included links designed to exploit and install spyware on iPhone and Android devices. The campaign appears to be carried out by a single operator that we call POISON CARP. The campaign is the first documented case of one-click mobile exploits used to target Tibetan groups. It represents a significant escalation in social engineering tactics and technical sophistication compared to what we typically have observed being used against the Tibetan community.

Between November 2018 and September 2019, we collected one iOS exploit chain, one iOS spyware implant, eight distinct Android exploits, and an Android spyware package. The iOS exploit chain only affects iOS versions between 11.0 and 11.4, and was not a zero-day exploit when we observed it. The Android exploits include a working exploit publicly released by Exodus Intelligence for a Google Chrome bug that was patched, but whose patch had not yet been distributed to Chrome users. Other exploits include what appears to be lightly modified versions of Chrome exploit code published on the personal GitHub pages of a member of Tencent's Xuanwu Lab (CVE-2016-1646), a member of Qihoo 360's Vulcan Team (CVE-2018-17480), and by a Google Project Zero member on the Chrome Bug Tracker (CVE-2018-6065).

The exploits, spyware, and infrastructure used by POISON CARP link it to two recently reported digital espionage campaigns targeting Uyghur groups. In August 2019, Google Project Zero reported on a digital espionage campaign identified by Google's Threat Analysis Group that used compromised websites to serve iOS exploits (including a zero-day in one case) to visitors for the purpose of infecting their iPhones with spyware. Subsequent media reporting cited anonymous sources who stated that the campaign targeted the Uyghur community and that the same websites were being used to serve Android and Windows malware.1 Following these reports, Volexity published details of a digital espionage campaign against Uyghurs that used compromised websites to infect targets with Android malware. While Volexity did not provide any technical indicators that overlap with Google's report, they speculated that the operator may be the same in both cases. Our report provides these missing links.

Missing Link: Tibetan Groups Targeted with 1-Click Mobile Exploits [By Bill Marczak, Adam Hulcoop, Etienne Maynier, Bahr Abdul Razzak, Masashi Crete-Nishihata, John Scott-Railton, and Ron Deibert/Citizen Lab]