November 22, 2024 at 12:17PM
A China-linked group, TAG-112, compromised Tibetan media and university websites, delivering the Cobalt Strike toolkit via malicious JavaScript. Visitors were tricked into downloading disguised malware, highlighting ongoing cyber-espionage targeting Tibet. Although linked to a more advanced group (TAG-102), TAG-112 exhibits less sophistication in its attacks.
### Meeting Takeaways – Nov 22, 2024
**Topic:** Cyber Espionage / Malware – TAG-112 Group Activity
1. **Group Identification:**
– A China-linked nation-state group identified as TAG-112 has been reported to compromise Tibetan media and university websites as part of a cyber espionage campaign.
2. **Method of Attack:**
– Attackers used malicious JavaScript embedded in websites to create a fake TLS certificate error message, tricking visitors into downloading a disguised security certificate that ultimately executed the Cobalt Strike post-exploitation toolkit.
3. **Targeted Entities:**
– The compromised sites specifically named are:
  – Tibet Post (tibetpost[.]net)
  – Gyudmed Tantric University (gyudmedtantricuniversity[.]org)
4. **Cyber Attack Details:**
– The malicious script exploited a vulnerability in the Joomla content management system.
– It checked the visitor's operating system and browser type and only triggered for Windows users, improving the effectiveness of the lure.
– The download was a legitimately signed executable disguised as a security certificate, which sideloaded a Cobalt Strike Beacon payload.
5. **Historical Context:**
– Previous infiltrations of the Tibet Post site were linked to the Evasive Panda group (TAG-102), which carried out more sophisticated attacks involving the MgBot and Nightdoor backdoors aimed at Tibetan users.
6. **Comparison of Threat Groups:**
– Recorded Future distinguishes TAG-112 from TAG-102, noting that:
  – TAG-112 demonstrates less sophistication and does not use the JavaScript obfuscation seen in TAG-102's activity.
  – Both groups share common intelligence objectives, suggesting strategic overlap.
7. **Conclusion and Next Steps:**
– Increased vigilance is necessary for Tibetan entities and those associated with them to prevent future cyber espionage efforts.
– Ongoing monitoring of TAG-112 activities and potential linkages with TAG-102 is recommended.
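Items 2 and 4 describe the lure's observable traits: gating on Windows clients, a fake certificate error, and a forced download of an executable posing as a certificate. The following added example (not code from the report or from Recorded Future) is a defender-side heuristic scanner for inline scripts in a site's HTML; the regexes are assumed heuristics, not published TAG-112 signatures, and the sample pages are constructed.

```python
# Added example: flag inline scripts that combine OS gating, a certificate-error
# lure and a forced executable download. Heuristics are assumptions, not IoCs.
import re
from dataclasses import dataclass, field

SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)

# (indicator name, pattern) pairs; each maps to one trait described in the report.
INDICATORS = [
    ("os_gating", re.compile(r"navigator\.(userAgent|platform)[^\n;]{0,80}Win", re.I)),
    ("cert_lure", re.compile(r"certificate[^\n]{0,80}(error|expired|invalid|install)", re.I)),
    ("forced_download", re.compile(
        r"(\.download\s*=|download=|\.click\(\)|location(\.href)?\s*=)[^\n]{0,120}\.(exe|cer|crt|zip)\b",
        re.I)),
]

@dataclass
class Finding:
    script_index: int               # position of the <script> block in the page
    hits: list = field(default_factory=list)

def scan_inline_scripts(html: str, min_hits: int = 2) -> list:
    """Return a Finding for every inline script matching at least min_hits indicators."""
    findings = []
    for i, body in enumerate(SCRIPT_RE.findall(html)):
        hits = [name for name, rx in INDICATORS if rx.search(body)]
        if len(hits) >= min_hits:
            findings.append(Finding(i, hits))
    return findings

# Constructed sample pages (not real captures); the second imitates the described lure.
BENIGN_PAGE = """<html><body>
<script>document.getElementById("year").textContent = new Date().getFullYear();</script>
</body></html>"""

SUSPICIOUS_PAGE = """<html><body>
<script>document.getElementById("year").textContent = new Date().getFullYear();</script>
<script>
if (navigator.userAgent.indexOf("Windows") !== -1) {
  var msg = document.createElement("div");
  msg.textContent = "TLS certificate error: install the updated security certificate to continue.";
  var a = document.createElement("a");
  a.href = "/assets/cert/update.exe"; a.download = "security-certificate.exe"; a.click();
}
</script></body></html>"""

if __name__ == "__main__":
    for f in scan_inline_scripts(SUSPICIOUS_PAGE):
        print(f"script #{f.script_index}: {', '.join(f.hits)}")
```

Run it against a periodic crawl of your own site's templates and article pages; a hit on a page that has not been edited is a strong signal of injected content worth diffing against a known-good copy.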
### Follow Up
– To stay updated on such topics, consider following relevant social media channels for the latest insights.