How hackers used a PowerPoint file to spy on Tibet’s government-in-exile

The Tibetan diaspora has been targeted in a series of malware campaigns since 2016.
Flag of Tibet. (Casey Hugelfink / Flickr)

A recently discovered PowerPoint file offers new clues on how hackers are trying to spy on Tibet’s government-in-exile.

The malicious document was emailed to subscribers of a mailing list managed by the Central Tibetan Administration (CTA), the organization representing Tibet’s exiled government, according to Talos, Cisco’s threat intelligence unit. Tibet is officially part of China, but Tibetan leaders have lived in exile in India for decades. The email masqueraded as a file that would appeal to their politics.

The PowerPoint file name – “Tibet-was-never-a-part-of-China.ppsx” – caters to the CTA mailing list, as does the message in the body of the email marking the upcoming 60th anniversary of the exile of Tibetan spiritual leader the Dalai Lama, researchers said.

“Unfortunately, this [is] just part of a continuing trend of nation-state actors working to spy on civilian populations for political reasons,” Talos researchers said in a blog published Monday. They did not attribute the malware to a particular nation-state. The Tibetan diaspora has been targeted in a series of malware campaigns since 2016.


The recent espionage operation mimicked online tools that CTA mailing-list members likely would have trusted. For example, the PowerPoint file copied a legitimate PDF available on CTA’s website, Talos found. The attackers also altered the mailing list’s “Reply-to” form to direct responses to a Gmail address they controlled, and registered a domain that closely resembled Gmail, likely to aid their phishing campaigns.

The research shows that the PowerPoint file was the tip of the spear: it let hackers execute multiple JavaScripts to deliver the payload. The attack abused an unpatched Microsoft Office remote-code execution vulnerability.

The PowerPoint document led the researchers through a labyrinth of other malicious infrastructure. From there, they discovered other hacking campaigns that shared similarities with the attack on CTA, including Windows trojans and an updated version of Android malware that monitored Tibetan activists in 2012.

Researchers said the seven-year-old malware underwent a makeover last month to allow it to record audio and steal a user’s location and personal contacts.

While acknowledging that the perpetrators’ determination was concerning, the Talos blog post ended on a positive note. “Having stopped this attack quickly, we hope that the disruption caused by Cisco Talos will ensure the adversary must regroup,” researchers wrote.

Sean Lyngaas

Written by Sean Lyngaas

Sean Lyngaas is CyberScoop’s Senior Reporter covering the Department of Homeland Security and Congress. He was previously a freelance journalist in West Africa, where he covered everything from a presidential election in Ghana to military mutinies in Ivory Coast for The New York Times. Lyngaas’ reporting also has appeared in The Washington Post, The Economist and the BBC, among other outlets. His investigation of cybersecurity issues in the nuclear sector, backed by a grant from the Pulitzer Center on Crisis Reporting, won plaudits from industrial security experts. He was previously a reporter with Federal Computer Week and, before that, with Smart Grid Today. Sean earned a B.A. in public policy from Duke University and an M.A. in International Relations from The Fletcher School of Law and Diplomacy at Tufts University.

Latest Podcasts