On September 9 of last year, a Tibetan journalist received an email with what looked like a link to a Google document about a controversial Buddhist sect.
It could have been an interesting document, and it wasn't an attachment, something Tibetans activists and journalists have been specifically trained to avoid. Yet the journalist found it suspicious. Instead of clicking through, the journalist immediately reported the email to a group of researchers who have been tracking cyberattacks against Tibetans for years.
The journalist's instinct not to click and instead flag the email shows that in the years-long fight between Chinese hackers and Tibetans, the embattled group is making significant strides in forcing its attackers to adapt just by being more vigilant. And it might be thanks to the work of a small nonprofit that focuses on teaching Tibetans how to protect themselves online.
Lobsang Gyatso Sither, a Tibetan living in exhile in Dharamsala, India, is at the forefront of this battle. He has been working on the ground among the Tibetan diaspora to train and educate them about cybersecurity as part of the Tibet Action Institute.
Sither said that the journalist didn't click because they had been trained to be "sure rather than sorry"—one of the main lessons of his training.
"If you are not sure who the sender is, always assume the worst," he told Motherboard in an online chat from Dharamsala. (Sither said has saw the email in question, as well as many more similar ones, but declined to identify the journalist to protect her identity.)
"If you are not sure who the sender is, always assume the worst."
As it turned out, the email was indeed an attempt to hack the journalist, a phishing attack part of a larger operation to hack into Tibetans' Google accounts, according to a new report published on Thursday by Citizen Lab, a research group at the University of Toronto's Munk School of Global Affairs.
For years, hackers likely working for the Chinese government have been trying to gather intelligence and track down Tibetans in the diaspora as well as members of pro-Tibet human rights groups. The new report highlights yet another change in tactics in a battle that's been a constant cat-and-mouse game between the hackers and their targets. And while it's hard to tell how successful this espionage campaign has been overall, the fact that the hackers have been forced to shift tactics various times in the last few months could mean that the awareness efforts led by Sither and the Tibet Action Institute are working.
"It's a good sign," Nathan Freitas, the director of technology at the Tibet Action Institute, told Motherboard.
The group has been raising awareness and teaching Tibetans that they themselves can be the best defense against hackers. In Late 2014 the group tried to teach Tibetans not to open attachments with a funny YouTube video called "detach from attachments." Now, they are trying to emphasize the importance of avoiding outdated software with another playful video encouraging Tibetans to keep their computers updated.
While these efforts might seem basic and perhaps even cheesy, they are make cybersecurity approachable and easy to understand. And some evidence shows they might be working.
The Citizen Lab report detailed three different phishing attacks against Tibetans, and linked them to a known hacker group with likely ties with the Chinese government. These recent attacks were all designed to trick the targets into giving up the passwords of their Google accounts, according to the researchers.
Last year, in the months following the "Detach from Attachments" campaign, Citizen Lab showed that the hackers had started moving away from attaching documents laced with malware, and instead started leveraging files uploaded to Google Drive to trick their targets to download files and hack their computers. Now, after exposing the use of Google Drive links, it seems the hackers are again adjusting their methods trying to steal Google credentials rather than infect targets.
Phishing isn't a sophisticated hacking technique per se, but if done well, it can be effective. And if successful, it could allow hackers to infiltrate the lives of Tibetans in the diaspora and inside China, putting them and their contacts in danger.
"The attackers' goal is to simply cause havoc and fear, and disrupt the ability of Tibetan exile groups to organize and communicate on the internet," Freitas said.
The mere fact that these emails ended up in a report shows that at least some Tibetans have been able to avoid some cyberattacks. But these new wave of attacks shows that the hackers aren't giving up either.
"These attackers are patient, responsive, and will adapt," Masashi Crete-Nishihata, the research manager at Citizen Lab, told me. "There is no one step that guarantees security all the time. Defense is a process."
"There is no one step that guarantees security all the time. Defense is a process."
In this case, the hackers reused some of the same infrastructure from past cyberattacks against Tibetans as well as Uyghur, another minority that's been in the crosshairs of the Chinese government. This allowed Citizen Lab researchers to link the phishing attacks to a hacking group previously identified by the security firm Palo Alto Networks and dubbed Scarlet Mimic.
It's unclear who is really behind the group, given its choice of targets and the infrastructure they use, all signs seem to point to China. (The Chinese embassy in Washington D.C. did not answer to a request for comment.)
While they've been able to document part of this cyberespionage campaign, Citizen Lab researchers warned that the hackers are still out there, and are likely using other tactics to target Tibetans. In other words, this is just a glimpse into the larger cyberwar that's not going to stop anytime soon. Both Citizen Lab and the Tibet Action Instutute expect more to come, especially on days like March 10, which marks the anniversary of the 1959 Tibetan uprising, as hackers tend to latch onto current events or significant dates to craft phishing emails.
That's why they're promoting the use of protections such as two-factor authentication, as well as a little known Chrome extension that alerts users when they enter their Google password in a page that doesn't belong to Google.
"The community must remain vigilant," Citizen Lab's Crete-Nishihata said.
Sither, who has been working at the Tibet Action Institute since 2011, has a very buddhist way of looking at this constant cat-and-mouse battle.
"The attacks are not going to stop, but if we can increase the cost of launching these attacks," he told me. "That is a small victory."