The malicious Firefox extension is called FriarFox which is also being used by Chinese hackers to spy on Tibetan activists.
For years, China has been accused of spying on minorities, activities, and journalists but according to researchers, the country’s spying tactics are only getting persistent and sophisticated. In the latest research, researchers have linked a Chinese government-backed hacking group with spying and phishing attacks against Minorities and Tibetan activists.
Chinese State-Sponsored Hackers Spying on Tibetan Activists
Proofpoint researchers have discovered a new campaign in which Chinese Communist party-backed advanced persistent threat (APT) targets Tibetan organizations and activists through a malicious Firefox extension.
The group is tracked as TA413 and has been previously involved in attacks against the Tibetan community. Back then, the group leveraged COVID-themed campaigns to distribute Sepulcher malware. However, even at that time, the primary goal was to conduct civil dissident surveillance and espionage.
COVID-19 Themed TA413 Malicious RTF File (Image source: Proofpoint)
Phishing Campaign Continuing since March 2020
According to the Sunnyvale-based enterprise security firm, low-level phishing campaigns against Tibetans were discovered first in March 2020 and have continued ever since. The threat actors are delivering a customized Firefox browser extension to hijack users’ Gmail accounts.
“Threat actors aligned with the Chinese Communist Party’s state interests delivered a customized malicious Mozilla Firefox browser extension that facilitated access and control of users’ Gmail accounts,” Proofpoint researchers noted in their report.
The most recent attacks were discovered in Jan and Feb 2021. The malicious extension is dubbed FriarFox.
“We attribute this activity to TA413, who in addition to the FriarFox browser extension, was also observed delivering both Scanbox and Sepulcher malware to Tibetan organizations in early 2021,” the report explained.
Sepulcher malware links were traced to the Lucky Cat and Exile Rat malware campaigns, which targeted Tibetan organizations.
Malware Delivered via Spear-phishing Emails
Once executed, the malware allows access to the victim’s Gmail account. Once inside the Gmail account, the malware can locate, archive, read, delete, mark as spam, and forward emails.
“Unlike many APT groups, the public disclosure of campaigns, tools, and infrastructure has not led to significant TA413 operational changes. Accordingly, we anticipate continued use of a similar modus operandi targeting members of the Tibetan diaspora in the future,” Proofpoint researchers concluded.
Not for the first time
It is a fact that China has been accused of spying on activists, minorities, and neighboring countries. In 2013, Uyghur and Tibetan activists were targeting using Android malware. Years later in 2018, researchers identified HenBox Android malware that was spying on Xiaomi devices and minority groups in China.
In 2019, a Dutch security researcher revealed that the Chinese government is utilizing facial recognition databases to remotely monitor the Uyghur populace in the Xinjiang region.