Toronto, September 24, 2019 – Researchers at the Citizen Lab, University of Toronto, have discovered the first documented case of one-click mobile exploits used to target groups in the Tibetan diaspora, reflecting an escalation in the sophistication of digital espionage threats targeting this community. The campaign has technical overlaps with two mobile spying campaigns against the Uyghur community recently reported by Google Project Zero and Volexity.

Between November 2018 and May 2019 senior members of Tibetan groups—including the Private Office of His Holiness the Dalai Lama, the Central Tibetan Administration, the Tibetan Parliament, and Tibetan human rights groups—received malicious links in individually tailored WhatsApp text exchanges sent from contacts posing as NGO workers, journalists, and other fake personas. The links led to code designed to automatically exploit and install spyware on unpatched iOS and Android devices.

The campaign, carried out by what appears to be a single operator that we call POISON CARP, sourced some exploits from working exploit code posted publicly by security researchers on bug trackers and GitHub pages. The Android exploits, which targeted Facebook’s in-app browser, installed a hidden payload inside the Facebook app, which used the app’s existing permissions to steal SMS text messages, address books, and call logs, and spy on the target through their phone’s camera, microphone, and GPS.

The exploits, spyware, and infrastructure used by POISON CARP link it to two recently reported digital espionage campaigns targeting Uyghur groups: the iOS exploit and spyware we observed were used in watering hole attacks reported by Google Project Zero, and a website used to serve exploits by POISON CARP was also observed in a campaign called “Evil Eye” reported by Volexity.

Compared to the usual phishing emails or malicious attachments that Tibetans receive, attacks that can break into mobile phones at the tap of a link require enormous investment to design and execute. While Tibetan organizations are no strangers to digital spying, POISON CARP represents a major escalation in efforts to penetrate and sabotage these groups. – Bill Marczak (Research fellow, Citizen Lab)

Citizen Lab was first alerted to the suspicious WhatsApp messages by the Tibetan Computer Emergency Readiness Team (TibCERT), a coalition of Tibetan organisations working to improve digital security through incident response collaboration and data sharing.

The highly targeted nature of these attacks presents a huge challenge for security and safety of Tibetans. The only way to mitigate these threats is through collaborative sharing and awareness. TibCERT is the way forward to protect the Tibetan Community. – Lobsang Gyatso Sither (Secretary, TibCERT)

POISON CARP is another example of mobile threats against civil society that are becoming a growing global trend. From an adversary perspective what makes mobile an attractive spying target is obvious. It’s on mobile devices that we consolidate our online lives and for civil society that also means organizing and mobilizing social movements that a government may view as threatening. A view inside a phone can give a view inside these movements.

For Media Inquiries
Miles Kenyon
Communications Specialist, The Citizen Lab

Guide on Citing in Media
Title: MISSING LINK: Tibetan Groups Targeted with Mobile Exploits
Authors: Bill Marczak, Adam Hulcoop, Etienne Maynier, Bahr Abdul Razzak, Masashi Crete-Nishihata, John Scott-Railton, and Ron Deibert
Published by: The Citizen Lab, Munk School of Global Affairs & Public Policy, University of Toronto
Publication Date: Tuesday September 24, 2019 (subject to change)