The culprits behind an iPhone hacking campaign that targeted the Uighur Muslim community may have also tried to spy on smartphones used by Tibetans working for the Dalai Lama.
Senior members of several Tibetan groups received WhatsApp text messages last November that contained links to download spyware, Citizen Lab, a watchdog group at the University of Toronto, revealed in a Tuesday report.
The spyware is similar to the hacking campaign against the Uighur Muslim community, which Google’s security researchers disclosed last month, Citizen Lab said. Specifically, the Tibetans were hit with the same “iOS exploit chain” (an attack exploiting a series of vulnerabilities), and an earlier version of a spyware implant Google described in its own report on the attacks.
The iOS exploit served to the Tibetans also came from the domain “msap[.]services,” the same domain used to secretly deliver spyware to those visiting a Uighur-focused website.
“Based on these similarities, it is likely the campaigns were conducted by the same operator, or a coordinated group of operators, who have an interest in the activities of ethnic minority groups that are considered sensitive in the context of China’s security interests,” Citizen Lab said in its report, which stops short of naming the Chinese government.
The iPhone hacks on the Uighur community raised alarms last month when the attackers exploited previously unknown vulnerabilities in iOS to deliver spyware via at least 11 different Uighur-focused websites. The attacks were triggered as soon as an iPhone visited the rigged websites, which were getting thousands of visitors per week, according to Google.
Although Apple patched the flaws in February and is telling the public the iPhone remains secure, there’s still lingering concern the culprits will strike again with other iOS-based hacks.
Those who targeted the Tibetans used both iOS- and Android-based spyware. However, none of the attacks leveraged previously unknown “zero-day” vulnerabilities in the operating systems, Citizen Lab said.
The recovered spyware samples came from TibCERT, a group that’s focused on helping the Tibetan community fend off IT security threats. According to TibCERT, the attackers initially sent 15 malicious WhatsApp text messages last November to members of The Private Office of His Holiness the Dalai Lama, the Central Tibetan Administration, the Tibetan Parliament, and Tibetan human rights groups. Two other messages were sent this April and May.
The messages pretended to come from human rights workers and journalists based in Hong Kong, including a reporter named “Lucy Leung,” who was purportedly from The New York Times. Clicking on the malicious link in the messages would’ve exploited older flaws in both iOS and Android to deliver spyware to the phone.
“Overall, the ruse was persuasive: in eight of the 15 intrusion attempts, the targeted persons recall clicking the exploit link,” Citizen Lab said. “Fortunately, all of these individuals were running non-vulnerable versions of iOS or Android, and were not infected.”
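The lure messages described above carried links to the same exploit domain, “msap[.]services,” that the report ties to the Uighur campaign. A defender handling such a report typically wants to sweep the messages a community received for links to the published indicator. The script below is an added illustration, not tooling from Citizen Lab or TibCERT: it refangs the defanged indicator from the article, pulls URLs out of a list of messages (the sample messages and sender labels are constructed here, and are kept defanged so nothing in the file is a live link), and flags any link whose host is the indicator domain or one of its subdomains, while rejecting look-alike hosts that merely end with the same characters.

```python
import re
from urllib.parse import urlparse

# Indicator quoted in the article from the Citizen Lab report, stored in
# defanged form so the string is never an accidentally clickable link.
DEFANGED_IOCS = ["msap[.]services"]

# Matches both live (http/https) and defanged (hxxp/hxxps) URLs in free text.
URL_RE = re.compile(r"(?:hxxps?|https?)://[^\s<>\"']+", re.IGNORECASE)


def refang(indicator: str) -> str:
    """Turn a defanged indicator or URL back into its matchable form."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").lower()


def extract_hosts(text: str) -> list:
    """Return the hostnames of every URL (live or defanged) found in text."""
    hosts = []
    for match in URL_RE.finditer(text):
        host = urlparse(refang(match.group(0))).hostname
        if host:
            hosts.append(host.rstrip("."))
    return hosts


def host_matches(host: str, ioc_domain: str) -> bool:
    """True for the indicator domain itself or any subdomain of it.

    The leading dot in the suffix check keeps a look-alike such as
    'notmsap.services' from matching 'msap.services'.
    """
    return host == ioc_domain or host.endswith("." + ioc_domain)


def scan_messages(messages: list, defanged_iocs=DEFANGED_IOCS) -> list:
    """Return (sender, host, indicator) for each message linking to an indicator."""
    iocs = [refang(i) for i in defanged_iocs]
    hits = []
    for msg in messages:
        for host in extract_hosts(msg["text"]):
            for ioc in iocs:
                if host_matches(host, ioc):
                    hits.append((msg["sender"], host, ioc))
    return hits


# Constructed sample messages (not taken from the report). Every link is
# defanged; only the base domain in the first and third messages is the
# indicator named in the article, the subdomain and other hosts are made up.
SAMPLE_MESSAGES = [
    {"sender": "contact-1",
     "text": "Hi, I'm a reporter in Hong Kong. Details: hxxp://msap[.]services/article"},
    {"sender": "contact-2",
     "text": "Please review hxxps://www.example[.]org/report.pdf before our call"},
    {"sender": "contact-3",
     "text": "see hxxps://cdn.msap[.]services/x?id=1 and hxxps://example[.]net"},
    {"sender": "contact-4",
     "text": "Nothing to see at hxxps://notmsap[.]services/ (look-alike host)"},
    {"sender": "contact-5",
     "text": "No link here, just a greeting"},
]

if __name__ == "__main__":
    for sender, host, ioc in scan_messages(SAMPLE_MESSAGES):
        print(f"{sender}: link host {host} matches indicator {ioc}")
```

On the constructed sample, only the first and third messages are flagged; the look-alike host in the fourth is correctly ignored because the suffix check requires a dot boundary before the indicator domain. In practice the indicator list would be loaded from the published report rather than hard-coded, and a hit is a reason to check the device's OS version against the patched releases, since the article notes the unpatched versions were the ones at risk.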
During the investigation, Citizen Lab also managed to recover a sample of the iOS spyware the attackers were attempting to deliver in November. It’s capable of stealing messages from Gmail, Twitter, and WhatsApp, as well as from the Chinese product QQMail. The lab also analyzed separate Android-based spyware from the attackers, which can be used to monitor a phone’s location, track phone calls and SMS messages sent to the device, and access the camera to take pictures.
According to Citizen Lab, over the past 10 years, Tibetans have been routinely targeted with Windows-based malware coming from email attachments. Now the hackers are changing up their tactics and trying to target the Tibetans’ mobile phones. It’s a reminder of the benefits of updating operating systems to the latest version: it can potentially protect you from a serious hack.