Cybersecurity group reports malware assault on Tibetan websites by Chinese hackers.

BANGKOK — A cybersecurity firm has reported that a hacking group suspected of being backed by the Chinese government has successfully breached two websites affiliated with the Tibetan community. The purpose of this attack seems to be the installation of malware on the computers of users accessing these sites. According to the analysis by Insikt Group, a division of the Massachusetts-based cybersecurity consultant Recorded Future, the affected sites include Tibet Post and Gyudmed Tantric University, and the breach appears aimed at gathering intelligence on users and their activities.

The analysis details how the hackers, referred to as TAG-112, compromised the websites so that visitors were prompted to download a harmful executable file disguised as a security certificate. When executed, this file installs Cobalt Strike Beacon malware onto the user’s system, which can facilitate keylogging, file transfers, and the download of additional malware.

Insikt Group’s senior director, Jon Condra, commented that, although the specific actions of TAG-112 on the infiltrated devices remain unclear, it is highly likely that their intentions involved cyber espionage—collecting information or conducting surveillance instead of launching destructive attacks. He mentioned that this aligns with the historical targeting pattern of the Tibetan community.

Chinese authorities have continually denied involvement in state-sponsored hacking, claiming that China itself is frequently subject to cyberattacks. In response to the findings reported by Insikt Group, the Chinese Foreign Ministry indicated they were unaware of the breaches affecting the two websites and reiterated their position on cybersecurity in a brief reply, without providing further details.

The Insikt Group’s research indicates that the initial breach occurred in late May. They noted similarities to a previously monitored hacking group known as TAG-102, leading analysts to believe that TAG-112 is potentially a subset of this larger organization, focused on similar intelligence objectives. Condra pointed out overlaps in methods, targeting, tactics, and techniques employed by both groups, suggesting a strong connection between them.

TAG-102, which is also recognized by names such as Evasive Panda and StormBamboo, has reportedly been active since at least 2012 and is believed to be a sophisticated persistent threat tied to Chinese state interests. Their operations often include using custom malware shared among other Chinese APT groups and targeting individuals and organizations that oppose the Chinese government, including human rights advocates, religious groups, ethnic minorities, and pro-democracy movements within China and its territories like Taiwan and Hong Kong.

Both the university and the news outlet, which are based in India, have been alerted to the security breach by Insikt Group. As of the latest updates, the Gyudmed Tantric University, which educates students about Tibetan Buddhism and culture, has reportedly addressed the security issues, while Tibet Post continues to face challenges due to the breach.

Tibet Post has gained recognition for its advocacy for democracy and freedom of speech, as well as its support for Tibetan independence from Chinese rule. The legitimacy of China’s claim over Tibet is contentious; while Chinese authorities argue that Tibet has been part of their territory for centuries, it was only after the Communist Party’s rise to power in 1949 that firm control was established over the region.

Many Tibetans maintain loyalty to the Dalai Lama, their spiritual figure, who has been living in exile in India following a failed uprising against Chinese rule in 1959. There are ongoing accusations against China for human rights violations in Tibet, including recent critiques regarding efforts to forcibly urbanize rural populations and suppress traditional Tibetan culture and language as part of a broader assimilation strategy.