The websites of two Tibetan organizations, Tibet Post and Gyudmed Tantric University, were compromised in late May by TAG-112, a suspected Chinese state-backed threat group, to deliver the Cobalt Strike Beacon payload to visitors and enable follow-on malware compromise, The Associated Press reports.
TAG-112 may be a subgroup of the Chinese advanced persistent threat group Evasive Panda, also tracked as TAG-102 and StormBamboo, given significant overlap in attack tactics, techniques, and procedures, according to an analysis from Recorded Future's Insikt Group. "While we do not have visibility into the activity that TAG-112 conducted on compromised devices in this campaign, given their likely cyber espionage remit and the targeting of the Tibetan community, it is almost certain that they were engaged in information collection and/or surveillance rather than destructive attacks," said Insikt Group Senior Director Jon Condra. Meanwhile, the Chinese Foreign Ministry dismissed attribution of the attacks to China, saying it had no knowledge of the website breaches.