Malware campaign that targeted Tibet’s diaspora linked to wider operation

A malware campaign against members of the Tibetan diaspora this year was part of a wider operation that has also targeted governments and industries in the Asia-Pacific region, according to a new report released today by Citizen Lab.
Flag of Tibet. (Casey Hugelfink / Flickr)

A malware campaign earlier this year against members of Tibet’s diaspora was part of a wider operation that also targeted governments and industries in the Asia-Pacific region, according to a new report released Wednesday by Citizen Lab. 

The malware campaign, active from January into March, targeted Tibetan activists and journalists, members of the Tibetan Parliament in exile and the India-based Central Tibetan Administration, according to Citizen Lab.

Relying heavily on low-cost spearphishing, the unidentified attackers sent malicious PowerPoint and Microsoft Rich Text Format (RTF) documents disguised as links from human rights NGOs.

According to the report, the Tibetan malware targets, wary of unsolicited emails, forwarded the messages to Citizen Lab, a University of Toronto-based interdisciplinary laboratory that specializes in human rights and security. 
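The two paragraphs above describe the lure (malicious PowerPoint and RTF files dressed up as NGO correspondence) and the recipients' correct response (forwarding the unsolicited mail for analysis). The following is an added example of the kind of first-pass triage a recipient or analyst can run over such a forwarded message; it is not code from Citizen Lab or from the report. The sample message, the sender name and the domains in it are constructed for the example, and the display-name check is a simple heuristic assumed here, not a technique the report describes.

```python
import email
import email.utils
import io
import zipfile
from email import policy
from email.message import EmailMessage
from typing import List, Optional

# Extensions of the two lure formats named in the article.
LURE_EXTENSIONS = {"rtf", "ppt", "pps", "pptx", "ppsx"}


def classify_attachment(data: bytes) -> Optional[str]:
    """Identify RTF / PowerPoint content by its bytes, not by the file name.

    Returns 'rtf', 'pptx' (OOXML zip with a ppt/ tree), 'ppt' (legacy OLE2
    container) or None when the bytes are none of these.
    """
    if data.startswith(b"{\\rt"):
        return "rtf"
    if data.startswith(b"PK\x03\x04"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                if any(name.startswith("ppt/") for name in zf.namelist()):
                    return "pptx"
        except zipfile.BadZipFile:
            return None
    if data.startswith(b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"):
        return "ppt"
    return None


def triage(raw: bytes) -> List[str]:
    """Return human-readable findings for one forwarded message (raw RFC 822 bytes)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings: List[str] = []

    # Heuristic (assumed for this example): a lure borrows a trusted
    # organisation's name in the display part of From:, while the actual
    # address belongs to an unrelated domain.
    display, addr = email.utils.parseaddr(str(msg["From"]))
    domain = addr.rpartition("@")[2].lower()
    words = [w.lower() for w in display.split() if len(w) > 3]
    if words and not any(w in domain for w in words):
        findings.append(f"sender display name '{display}' does not match domain '{domain}'")

    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        data = part.get_content()
        if isinstance(data, str):
            data = data.encode()
        kind = classify_attachment(data)
        ext = name.lower().rsplit(".", 1)[-1] if "." in name else ""
        if kind:
            findings.append(f"{name}: {kind} attachment (lure format seen in this campaign)")
        if ext in LURE_EXTENSIONS and kind is None:
            # Document extension, but the bytes are not that document type.
            findings.append(f"{name}: extension .{ext} but content is not that format")
    return findings


def build_sample() -> bytes:
    """Constructed lure message for the example; not an artifact from the report."""
    m = EmailMessage()
    m["From"] = '"Tibet Human Rights Forum" <updates@example-news.invalid>'
    m["To"] = "journalist@example.invalid"
    m["Subject"] = "Report on the situation in Tibet"
    m.set_content("Please see the attached report.")
    # Inert RTF text standing in for a weaponised document.
    m.add_attachment(b"{\\rtf1\\ansi Hello}", maintype="application",
                     subtype="rtf", filename="report.rtf")
    # A file named like a presentation whose bytes are plain text.
    m.add_attachment(b"just text, not a presentation", maintype="application",
                     subtype="octet-stream", filename="agenda.pptx")
    return m.as_bytes()


if __name__ == "__main__":
    for line in triage(build_sample()):
        print(line)
```

The content-based classification matters because a mail filter that trusts the file extension or the declared MIME type can be steered by the sender; checking the leading bytes (and, for OOXML, the zip's internal layout) is cheap and catches the mismatch. The findings are meant to be read by a person, as the Tibetan recipients did by forwarding the mail, rather than to block delivery automatically.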

The attacks resemble a 2016 malware campaign, also aimed at parliamentarians, that Citizen Lab nicknamed the “Parliamentary Campaign.” The number of Tibetans in exile is estimated at more than 100,000; the exodus began after China expanded its control of the region in the 1950s.

Both campaigns also have been connected to a wider operation called “Tropic Trooper.” Named after the Asian region in which its targets are located, Tropic Trooper has been active since at least 2012, and has attacked governments and private sector entities in Taiwan and the Philippines. It was first identified by Trend Micro in May 2015. 

The report also discusses the challenges of investigating cyberattacks that originate from closed espionage systems, where “the parties involved (e.g., developers who write the malware, operators who conduct the campaigns, and intelligence customers who incentivize the activity) are difficult to identify and fully segment.”

While incidents from these closed systems can be clustered together and their patterns examined, it is often difficult to name any specific culprits.
