{
	"id": "36b6c7f3-206a-4d6c-b9ae-6f8651f1f1b5",
	"created_at": "2026-04-06T00:14:38.262842Z",
	"updated_at": "2026-04-10T03:36:59.961694Z",
	"deleted_at": null,
	"sha1_hash": "8927452401e1c3047362e47bedc0ac41038fdf54",
	"title": "Spying on a Budget: Inside a Phishing Operation with Targets in the Tibetan Community",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 8187471,
	"plain_text": "Spying on a Budget: Inside a Phishing Operation with Targets in the\r\nTibetan Community\r\nArchived: 2026-04-05 17:35:14 UTC\r\nLearn how to protect your online accounts at Net Alert and Security Planner\r\nKey Findings\r\nThis report analyzes an extensive phishing operation with targets in the Tibetan community. Our analysis indicates\r\nother possible targets among ethnic minorities, social movements, a media group, and government agencies in South\r\nand Southeast Asia.\r\nThe operation was simplistic and inexpensive, yet achieved some successes. We estimate the infrastructure used in\r\nthe operation cost slightly over 1,000 USD to setup and required only basic system administration and web\r\ndevelopment skills to maintain.\r\nThe operation illustrates that the continued low adoption rates for digital security features, such as two factor\r\nauthentication, contribute to the low bar to entry for digital espionage through basic phishing.\r\nSummary\r\nCivil society groups around the world are persistently targeted by digital espionage operations designed to collect sensitive\r\ninformation on their communications and activities. Activists, humanitarians, and journalists often work in distributed\r\ngroups and rely on the same consumer platforms as average users. Phishing is a technically simple and relatively low cost\r\ntactic to gain access to accounts on these platforms and compromise individuals and organizations. Recent research has\r\ndocumented phishing operations targeting civil society groups across Asia, South America, and the Middle East.\r\nIn this report, we provide an in-depth view into a phishing operation that ran for 19 months, and which targeted the Tibetan\r\ncommunity, and potentially other groups including ethnic minorities, social movements related to China, a media group, and\r\ngovernment agencies in South and Southeast Asia. 
The targeting themes have general geographic and contextual\r\ncommonalities, but it is unclear who the sponsor of the operation is and how information collected by it may be used.\r\nThe operation used a range of phishing tactics including pages impersonating popular email provider logins, custom\r\nwebmail login pages to target specific providers and organizations, and malicious OAuth applications for harvesting Google\r\ncredentials.\r\nThe Tibetan community has been persistently targeted by digital espionage operations for over a decade. Historically,\r\nmalware sent as email attachments was the most common threat Tibetan groups experienced. Recently, we have observed an\r\nincrease in phishing operations targeting the community, suggesting a possible shift in adversary tactics. This latest operation\r\nis another example of this trend.\r\nThe phishing tactics used in the operation could have been blunted if targets used security features like two factor\r\nauthentication, which requires a second ‘factor’ to access an account.1 Unfortunately, two factor authentication is not\r\nenabled by default on most popular platforms, and there are a number of hurdles to ensuring widespread adoption among\r\ncivil society groups, such as lack of awareness, potential usability issues, and the general challenge of shifting user behaviour\r\nacross a community. Adoption rates for two factor authentication across user populations are very limited. For example,\r\naccording to a recent presentation by a Google employee, less than 10% of Gmail users have enabled two factor\r\nauthentication.\r\nAs long as two factor adoption rates remain low, the entry cost for engaging in credential theft will be low as well. 
Major\r\nplatforms can help shift the balance by undertaking efforts to encourage or move their users towards widespread use of two\r\nhttps://citizenlab.ca/2018/01/spying-on-a-budget-inside-a-phishing-operation-with-targets-in-the-tibetan-community/\r\nPage 1 of 40\n\nfactor authentication.\r\nThis report proceeds in three parts:\r\nPart 1: Uncovering a Persistent Phishing Operation\r\nThis section outlines how we first became aware of the phishing activity and our subsequent infrastructure tracking and\r\nanalysis that revealed the wider operation.\r\nPart 2: Targeting\r\nThis section describes our analysis of the targets and tactics of the operation, including phishing that targeted Tibetan groups\r\nand decoy documents that show potential targets beyond the Tibetan community.\r\nPart 3: Discussion and Conclusion\r\nThis section discusses the implications of our analysis.\r\nPart 1: Uncovering a Persistent Phishing Operation\r\nThis section outlines how we first became aware of the phishing activity and subsequent infrastructure tracking and analysis\r\nthat led to discovery of the wider operation.\r\nMimics and Decoys\r\nWe first encountered the phishing operation in December 2016 when a Tibetan activist received an email that appeared to\r\ncome from a member of the Central Tibetan Administration (CTA, the Tibetan Government in Exile). The message was\r\ndesigned to trick the activist into visiting a fake Google login page and entering their credentials. 
We observed similar tactics\r\nin a 2015 phishing campaign targeting Tibetan activists and journalists.\r\nA Representative Phishing Email\r\nThe email, which is representative of the general social engineering tactics used in the operation, included several elements\r\ndesigned to increase the credibility of the message and subsequently disguise from the target that their credentials had been\r\nphished.\r\nThe sender appeared to work for the Narthang Press, a division of the CTA responsible for printing official materials. The\r\nemail included logos of the Umaylam website2 and a message that claimed the files had been approved by the Tibetan Prime\r\nMinister (referred to as the Sikyong in Tibetan). In the screenshot of the email shown in Figure 1, Gmail has flagged the\r\nemail as suspicious, giving the recipient an indication that something is not right.\r\nThe Phishing Page\r\nWhile the email appeared to send attachments, the files were actually links to a domain that was made to look like a Google\r\nDrive domain: drive-google[.]ml. Clicking on the link sends the user to what appears to be a Google login page (See\r\nFigure 2).\r\nWhile at first glance the page may look legitimate, it is actually copying an outdated version of the authentic Google login\r\npage. The phishing page includes both username and password prompts on the same page. Google has been using a two-prompt process for authentication since May 2015 (see Figure 3).\r\nThe Decoy Document\r\nIf the user enters credentials into this page, the form sends their login and password to the local page verification.php,\r\nwhich redirects to the page loading.php. 
The loading.php page finally redirects the user to decoy content on Google\r\nDrive, in this case the Umaylam logo described in the email. This decoy content supports the deception by providing a\r\ncredible-looking file legitimately hosted by Google (See Figure 4).\r\nFigure 4: Entering credentials results in the target being redirected to a benign document hosted on Google\r\nDrive.\r\nRevealing a W ider Operation\r\nFollowing the first phishing email we received, we collected further samples sent to staff members of two Tibetan human\r\nrights groups. We then examined passive DNS data and domain registration information from phishing pages that were\r\nlinked in the emails and found related domains and server infrastructure. We then used these indicators to search email\r\naccounts of individuals and groups in the Tibetan community. Through this search, we identified an additional 24 phishing\r\nemails sent between March 21 2016 and February 21 2017 (we explore the targeting of the Tibetan community in depth in\r\nPart 2: Targeting).\r\nFurther analysis of the domains and servers used to host phishing pages and decoy documents revealed that the\r\ninfrastructure was active as early as January 11, 2016. However, we do not have phishing emails from this earlier period. The\r\noperation used a range of phishing tactics including pages impersonating popular email provider logins (e.g., Gmail, Yahoo,\r\nMicrosoft Live, etc.), custom webmail login pages to target smaller providers and specific organizations, and malicious\r\nOAuth apps for harvesting Google credentials.\r\nCost and Labour of Phishing\r\nThe operation was prolific and used some clever social engineering tricks, but was technically simplistic and inexpensive to\r\nset up and maintain. 
Based on the services used in the operation, we estimate that the infrastructure could be run for a little\r\nover 1,000 USD.3\r\nThe greater cost associated with the operation is human effort. Running the infrastructure and phishing campaigns would\r\nrequire only basic system administration and web development skills. However, maintaining and administering the operation\r\nis a time commitment. Tracking the operators’ activities provides a look into this process, from setting up domains, preparing\r\nphishing emails and decoy documents to compromising targets and harvesting information. Based on our analysis of the\r\nworkflow there is little evidence of any automation, suggesting that the process was likely a largely manual effort.\r\nRegistering the 172 domains used in the operation took up the bulk of infrastructure setup. The operators never reused\r\ndomains and registered them in batches. Reviewing the available domain registration data shows that in active periods between one\r\nand five domains were registered a day, with an average of 1.3 domains registered per day (see Figure 7). The most active day\r\nwas December 27 2016, when the operators registered five domains. The operators often reused registrant information (i.e.,\r\nnames, phone numbers, and emails) to register the domains. In total, 39 unique identity indicators were used to register the\r\n172 domains (17 names, 12 phone numbers, 10 emails). Registration information often included misspellings (e.g., “London”\r\nas “lodon”) and filler text, such as using a registrant street address of “chan youshd hjsksasddsdfs dgfs”. 
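Registrant reuse on this scale is what lets an analyst pivot from one phishing domain to the rest of an operation, and the brand-mimicking names are what a mail gateway can score before a link is ever clicked. The Python below is an added example for this page, not code from the report or from Citizen Lab: it clusters a constructed set of registration records by shared name, e-mail, phone and hosting IP, names the brand each domain imitates (the drive-google[.]ml, account-gooogle[.]info and goog1e styles seen in this operation), and computes the registration cadence and registration-to-use lag that the report quotes. The domains, registrant e-mail, phone numbers and IPs are ones this report publishes; how they are paired on rows 2 to 6, the registrant names on rows 2 to 7, the unrelated-shop.test row and every date except row 1 are invented so the clustering has something to work on.

```python
from collections import defaultdict
from datetime import date

# Constructed sample rows: (domain, registrant name, e-mail, phone, passive-DNS IP,
# registration date, date first seen in a phishing e-mail or None). Domains, e-mail,
# phones and IPs are indicators this report publishes; their pairing on rows 2-6,
# the names on rows 2-7, the last row and every date except row 1 are invented.
RECORDS = [
    ('gmail-profile.com', 'dalin si', 'styloveyou@163.com', '8613973212343', '104.207.132.165', date(2016, 3, 15), date(2016, 3, 21)),
    ('accounts-google.cc', 'dalin si', 'styloveyou@163.com', '8613973212343', '45.63.0.49', date(2016, 6, 10), date(2016, 6, 13)),
    ('drive-google.me', 'lodon', 'reg1@example.test', '8618860147601', '45.63.0.49', date(2016, 7, 13), date(2016, 7, 15)),
    ('yahoo-protect.com', 'lodon', 'reg2@example.test', '8618860147601', '104.207.132.165', date(2016, 7, 20), None),
    ('account-gooogle.info', 'chan', 'reg3@example.test', '8600000000000', '115.126.39.107', date(2017, 2, 27), date(2017, 2, 27)),
    ('accounts-mailbox.space', 'chan', 'reg3@example.test', '8600000000000', '115.126.39.107', date(2017, 2, 27), None),
    ('unrelated-shop.test', 'someone else', 'shop@example.test', '15550000000', '203.0.113.9', date(2017, 3, 1), None),
]
IGNORE = {'', 'redacted for privacy', 'n/a'}   # values that must never link two domains


class UnionFind:
    def __init__(self):
        self.parent = {}
    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]   # path halving
            x = self.parent[x]
        return x
    def union(self, a, b):
        self.parent[self.find(a)] = self.find(b)


def cluster_by_indicators(records):
    '''Link domains that share a registrant name, e-mail, phone or hosting IP.
    Returns clusters as sorted lists, largest first.'''
    uf = UnionFind()
    first_seen = {}
    for domain, name, email, phone, ip, _reg, _used in records:
        uf.find(domain)
        for key in (('name', name), ('email', email), ('phone', phone), ('ip', ip)):
            key = (key[0], key[1].strip().lower())
            if key[1] in IGNORE:
                continue
            if key in first_seen:
                uf.union(domain, first_seen[key])
            else:
                first_seen[key] = domain
    groups = defaultdict(list)
    for row in records:
        groups[uf.find(row[0])].append(row[0])
    return sorted((sorted(g) for g in groups.values()), key=lambda g: (-len(g), g))


BRANDS = ('google', 'gmail', 'yahoo', 'outlook', 'live', 'aol', 'dalailama')
GENERIC = ('mail', 'email', 'mailbox', 'webmail', 'account', 'accounts', 'drive')
LEGIT = {'google.com', 'gmail.com', 'yahoo.com', 'live.com', 'outlook.com', 'aol.com', 'dalailama.com'}
HOMOGLYPHS = str.maketrans('01', 'ol')   # goog1e -> google


def edit_distance(a, b):
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def impersonated_brand(domain):
    '''Name the brand a lookalike domain imitates ('generic' for bare mail or account
    words, None if nothing matches). Covers hyphenated prefixes (drive-google), homoglyphs
    (goog1e), one-character typos (gooogle) and glued prefixes (httpsaccounts-google).
    The two-label registrable-domain check stands in for a public-suffix lookup.'''
    domain = domain.lower()
    if '.'.join(domain.split('.')[-2:]) in LEGIT:
        return None
    tokens = domain.rsplit('.', 1)[0].translate(HOMOGLYPHS).split('-')
    for token in tokens:
        for brand in BRANDS:
            if token == brand:
                return brand
            if len(brand) >= 5 and len(token) >= len(brand) and (
                    brand in token or edit_distance(token, brand) <= 1):
                return brand
    return 'generic' if any(t in GENERIC for t in tokens) else None


def registration_stats(records):
    '''Registration cadence and registration-to-first-use lag, the two figures the
    report derives from its 172 domains.'''
    per_day = defaultdict(int)
    lags = []
    for row in records:
        per_day[row[5]] += 1
        if row[6] is not None:
            lags.append((row[6] - row[5]).days)
    return {'domains_per_active_day': round(len(records) / len(per_day), 2),
            'busiest_day': max(per_day, key=per_day.get).isoformat(),
            'mean_lag_days': round(sum(lags) / len(lags), 2)}


if __name__ == '__main__':
    for cluster in cluster_by_indicators(RECORDS):
        print(cluster, [impersonated_brand(d) for d in cluster])
    print(registration_stats(RECORDS))
```

Two caveats for real use: WHOIS privacy placeholders have to be excluded before linking (the IGNORE set), or every privacy-protected domain ends up in one giant cluster; and the two-label registrable-domain check in impersonated_brand is a stand-in for a public-suffix lookup, which a production version needs for co.uk-style suffixes.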
The cycle of\r\nregistrations, reuse of registrant information, and misspelled fields suggest this process was done manually.\r\nBased on the phishing emails collected from Tibetan groups it appears that, once registered, the operators quickly used new\r\ndomains for phishing pages. The majority of emails were sent on the same day, or a day after, a new phishing domain was\r\ncreated (the average time between domain registration and the domain being used in a phishing email was 1.2 days).\r\nThe majority of decoy content we collected (96%) was hosted on Google Drive. Different Gmail addresses were used to\r\nupload each decoy file. In some cases we found mismatches between the messages in the phishing emails and the decoy\r\ncontent, suggesting the operators had made an error.\r\nIn one example a phishing email sent to a Tibetan activist appeared to come from Jasper Tsang Yok-sing, who was the second\r\npresident of the Legislative Council of Hong Kong and the founding chairman of the largest pro-Beijing political party in\r\nHong Kong. The phishing email was sent from tsangyoksings@gmail.com, which closely resembles the actual email of\r\nTsang (tsangyoksing@gmail.com) with the addition of an extra “s”. The email content was sparse, referencing only an\r\nimage file (DSC_6430) with a link to a Google login phishing page. If credentials are entered the user is redirected to an\r\nimage with the same filename on Google Drive that shows delegates at a Tibetan meeting (see Figure 8).\r\nThe operators clearly put effort into creating a believable spoof of Tsang’s email, and the message, while terse, matches the\r\ndecoy content that is served. However, there is no clear contextual link between the email sender and content. Moreover, an\r\nemail from a pro-Beijing Hong Kong politician is unlikely to resonate with Tibetan activists. 
It is possible that the spoofed\r\nemail may have been used in other targeting and was inadvertently used in this attempt.\r\nThe final task for the operators is monitoring for successful compromises and collecting information from the accounts. We\r\nhave evidence of at least two compromised accounts that show the operators using contact information likely collected from\r\nthe accounts to send out more phishing emails. We suspect the operators had further success based on decoy documents we\r\ncollected that appear to be private files, which may have been collected from compromised accounts.\r\nInfrastructure Analysis\r\nThe operators demonstrated poor operational security, using a small pool of emails and phone numbers to register domains\r\nand relying on a limited set of servers that were used one at a time, which helped us map and track their activities.\r\nWe conducted daily probing of the infrastructure from February 23 to July 5, 2017, when the infrastructure and campaign\r\nbecame inactive. Tracking consisted of daily visits to the IPs, documenting changes in WHOIS and domain information, and\r\nsaving copies of identified phishing pages and decoy documents.\r\nA misconfiguration of one of the servers used by the operators gave us further visibility into the domains. The operators\r\npointed their web server HTTPS root to the correct subdirectories while leaving the HTTP root pointed to the default top\r\nlevel directory. This mistake allowed us to track any new domains that pointed to the server over the month of February\r\n2017.\r\nWe were able to download the decoy documents that would be returned if users had entered credentials into the phishing\r\npages (the majority of these decoy documents were hosted on Google Drive). 
Collection of decoy documents was done\r\nwithout actually providing credentials, as the phishing pages returned decoys when accessing URL endpoints such as\r\n/verification.php or /loading.php.\r\nOn July 5, 2017, the server infrastructure used by the operators was shut down. All content was removed from the web\r\nserver and we did not observe any further domain registrations by the WHOIS registrants we were tracking, nor any\r\nevidence that the operators moved to new infrastructure.\r\nTargeted Email Services\r\nThe majority of domains registered during the operation had names that mimicked popular web services, predominantly\r\nthose offered by Google (e.g., account-gooogle[.]info). Other domains used generic names including the word “email”\r\nor “mailbox” (e.g., accounts-mailbox[.]space), or targeted mail services of specific organizations (e.g.,\r\ndalailama[.]space). Figure 9 shows an overview of domain themes.\r\nServer Infrastructure\r\nIn contrast with the high number of domains, only three servers were used in the operation (see Table 1). Through passive\r\nDNS records we confirmed the operators first set up infrastructure on the hosting provider Choopa. Based on historical\r\ninformation provided by Censys (a database of networks and hosts in the IPv4 address space), we found that on June 27,\r\n2016 the operators moved to a different server on the same provider running Ubuntu. In February 2017, the operators moved\r\nto a new hosting provider, Forewin, and switched the server operating system to Windows 7. 
The change from Linux to\r\nWindows may reflect a change in the team administering the infrastructure to an individual more familiar with Windows\r\nadministration than Linux.\r\nIP Address | Start Date | End Date | OS | Provider | Location\r\n104.207.132[.]165 | Between December 2015 and February 2016 | June 20, 2016 | Ubuntu | Choopa | USA\r\n45.63.0[.]49 | June 27, 2016 | February 7, 2017 | Ubuntu | Choopa | USA\r\n115.126.39[.]107 | February 23, 2017 | July 5, 2017 | Windows 7 SP1 | Forewin | Hong Kong\r\nTable 1\r\nList of IP addresses used in the operation\r\nThe shift to a new server and operating system in February 2017 is also correlated with an increase in the number of registered\r\ndomains4 and HTTPS certificates created (See Figure 10). During this period we observed decoy documents and domain\r\nnames that suggest targeting beyond the Tibetan community (See Part 2: Targeting for details).\r\nValid HTTPS Certificates\r\nWe identified a total of 43 different valid HTTPS certificates created by the operators. Four of these certificates were created\r\nin September 2016 using Let’s Encrypt, a free, automated, and open certificate authority. Thirty-nine certificates were made\r\nusing Comodo. Our analysis found that for the HTTPS certificates made with Comodo the operators leveraged a bug on a\r\nplatform from hosting provider UK2, which allowed free registration of certificates. Figure 11 shows certificate details for\r\nthe domain drive-accounts-goog1e[.]cf, which hosted a phishing page used in the campaign and had a valid Let’s\r\nEncrypt certificate installed on its server from September 21 to December 20, 2016.\r\nIn February 2017, the operators began to use valid Comodo HTTPS certificates for the majority of domains (see an example\r\nin Figure 12). 
The change to Comodo certificates is correlated with the infrastructure moving from an Ubuntu server to a\r\nWindows 7 server (115.126.39[.]107) in February 2017. The operators may have moved from Let’s Encrypt to Comodo\r\nbecause Certbot (the most common tool used to deploy Let’s Encrypt certificates) was not available for Windows systems at the time.\r\nExploiting a Certificate Registration Bug\r\nAnalysis of the domains shows that the operators leveraged a bug in the hosting provider UK2 that enabled them to generate\r\nfree certificates that were only intended for genuine UK2 customers.\r\nUK2 has given free certificates to their customers since 2007, which are provided by Comodo. However, a bug in their\r\nplatform could be exploited to get free certificates without being a UK2 customer. The bug relied on how the UK2 platform\r\nconfirms that users are customers. The platform ran user verification by checking that the domain provided by the user\r\nresolves to an IP in the UK2 range. As domain owners have full control of IP resolution, it is trivial to configure the domain to\r\nresolve to a UK2 IP, obtain a free certificate, and then change the IP resolution to the real IP used by the domain. This bug\r\nhas been documented on Chinese IT blogs since at least June 2015 (e.g., 1, 2).\r\nWe found that five domains used by the operators with Comodo certificates temporarily resolved to IPs in the UK2 address\r\nspace, but we did not observe UK2 servers being used to host phishing pages. We confirmed the bug and disclosed it to UK2\r\nin October 2017, but did not receive acknowledgement of our report from the company. 
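The flaw is an entitlement check that trusts attacker-controlled input: whether a domain resolves into the provider's address space is decided by whoever runs that domain's DNS, which is exactly the person asking for the certificate. The Python below is an added illustration, not UK2's code and not anything from the report: it models the flawed check beside a hardened one that consults the provider's own customer records instead of DNS, replays the swap-then-swap-back sequence described above, and adds the passive-DNS detection that surfaces the pattern the report observed (a domain briefly resolving into the provider's space and then moving on). The 198.51.100.0/24 prefix, the customer table and the passive-DNS rows are constructed; the report does not give UK2's real ranges or the five domains involved.

```python
import ipaddress
from datetime import date

# Constructed stand-in for the hosting provider's address space (a documentation
# prefix); the report does not list UK2's real ranges.
PROVIDER_RANGES = [ipaddress.ip_network('198.51.100.0/24')]

# Constructed customer database for the hardened check.
ACCOUNTS = {'cust-1': {'hosted_domains': {'customer-site.test'}}}

# Constructed passive-DNS rows: (domain, ip, first seen, last seen).
PDNS = [
    ('phish-example.test', '198.51.100.7', date(2017, 2, 20), date(2017, 2, 21)),
    ('phish-example.test', '203.0.113.10', date(2017, 2, 21), date(2017, 7, 5)),
    ('customer-site.test', '198.51.100.9', date(2016, 1, 1), date(2017, 12, 31)),
]


def in_provider_range(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PROVIDER_RANGES)


def vulnerable_entitlement_check(domain, resolve):
    '''The flawed customer check as the report describes it: grant the free
    certificate if the domain currently resolves into the provider's space.
    The requester owns the domain, so resolve() is under their control.'''
    return in_provider_range(resolve(domain))


def hardened_entitlement_check(domain, session, accounts):
    '''Entitlement taken from the provider's own records only: the request must
    carry an authenticated customer session, and the domain must be one that
    account actually hosts. DNS does not enter into it.'''
    if not session:
        return False
    account = accounts.get(session.get('account'))
    return account is not None and domain in account['hosted_domains']


def dns_swap_abuse(domain, real_ip, provider_ip):
    '''The three-step abuse: point the domain at the provider, pass the check,
    point it back. The certificate issued in step two survives step three.'''
    zone = {domain: real_ip}            # the DNS zone the requester controls
    resolve = zone.__getitem__
    zone[domain] = provider_ip
    granted = vulnerable_entitlement_check(domain, resolve)
    zone[domain] = real_ip
    still_entitled = vulnerable_entitlement_check(domain, resolve)
    return granted, still_entitled      # (True, False)


def transient_provider_resolutions(pdns, max_days=3):
    '''Detection over passive DNS: domains that sat in the provider's space only
    briefly and then moved elsewhere. Genuine customers stay put.'''
    by_domain = {}
    for domain, ip, first, last in pdns:
        by_domain.setdefault(domain, []).append((first, last, ip))
    flagged = []
    for domain, rows in by_domain.items():
        rows.sort()
        for i, (first, last, ip) in enumerate(rows):
            moved_elsewhere = any(not in_provider_range(r[2]) for r in rows[i + 1:])
            if in_provider_range(ip) and (last - first).days <= max_days and moved_elsewhere:
                flagged.append(domain)
                break
    return flagged


if __name__ == '__main__':
    print(dns_swap_abuse('phish-example.test', '203.0.113.10', '198.51.100.7'))
    print(hardened_entitlement_check('phish-example.test', {'account': 'cust-1'}, ACCOUNTS))
    print(transient_provider_resolutions(PDNS))
```

The hardened check is about entitlement to UK2's free certificate, not about domain control: the operators genuinely controlled these domains, so the CA's own domain validation would still have passed. That is why the report's observation, domains parking briefly in UK2 address space, is the useful detection signal rather than the existence of the certificate.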
In November 2017, the public URL\r\nallowing users to request certificates was updated to only allow requests from UK2 authenticated users, fixing this issue.\r\nPhishing Tactics\r\nThe operation used a range of phishing tactics including pages impersonating popular email provider logins (e.g., Gmail,\r\nYahoo, Microsoft Live, etc.), custom webmail login pages to target specific providers and organizations, and malicious\r\nOAuth applications for harvesting Google credentials.\r\nPhishing Kits\r\nThe most common tactic used in the operation was phishing pages that impersonated popular email providers including:\r\nGmail (English and Chinese login pages), Yahoo (English and Chinese login pages), Microsoft Live, Microsoft Outlook, and\r\nAOL. The majority of phishing pages targeted Google services.\r\nOur tests on the fake Google login pages confirmed that when credentials are entered, the form sends username and\r\npassword information to the local page verification.php, which redirects to the page loading.php. This last page\r\nfinally redirects the user to a Google Drive hosted image corresponding to the topic in the email. Figure 13 shows examples\r\nof the phishing kit redirection process.\r\nOther fake login pages had a different process. Similar to the fake Google login pages, fake Yahoo login pages used an\r\noutdated one-page prompt process. Since 2016, Yahoo has used two-page prompt authentication (see Figure 14).\r\nHowever, if users enter credentials into this page no request is made to the loading.php page. 
Instead, from the request\r\nto verification.php the user is redirected to the real Yahoo login page.\r\nThe operators also created domains and custom login pages to mimic specific organizations. For example, Table 2 shows a\r\nseries of domains the operators registered that are designed to look like the official website for His Holiness the Dalai Lama\r\n(dalailama.com).\r\nDomain | Registration date | Registrar\r\nwebmail-dalailama[.]space | 2017-05-27 | GoDaddy\r\nwebmail-dalailama[.]com | 2017-04-06 | GoDaddy\r\ndalailama[.]space | 2017-04-02 | GoDaddy\r\nTable 2\r\nRegistration information for fake domains mimicking the official website of His Holiness the Dalai Lama\r\nThese domains hosted a fake Zimbra mail login that copies the webmail login page from the real website\r\n(https://webmail.dalailama.com/). Zimbra is an e-mail server suite that is typically self-hosted.\r\nOther customized login pages included mimics of the webmail page for Epoch Times (a multilingual media organization\r\nstarted by Chinese-American Falun Gong supporters), and military and government agencies including the Sri Lanka\r\nDefence Department (see Figure 16) and the government of Punjab in Pakistan (we explore these targeting themes in detail\r\nin Part 2: Targeting).\r\nOAuth Phishing\r\nOAuth (Open Authorization) is a protocol designed for access delegation and has become a popular way for major\r\nplatforms (e.g., Facebook, Google, Twitter, etc.) 
to permit sharing of account information with third party applications.\r\nMalicious OAuth applications have been used in phishing attacks both in targeted operations and generic cyber crime.\r\nThreat actors, including APT28 (a group with a suspected Russian nexus), and OceanLotus (a group with a suspected\r\nVietnam nexus), have used OAuth phishing in recent digital espionage operations.\r\nOn May 8 2017, we found a malicious OAuth app hosted on the domain: mail-modular[.]space. At that time, a web\r\nrequest to this domain would redirect to a Google server asking for access to an OAuth application called “Mail AntiSpam”.\r\nThe application requests permission to read, send, delete, and manage emails in the user’s Gmail account (see Figure 17).\r\nAfter the user grants consent, they are redirected to mail-modular[.]space://auth2callback.php.\r\nOn May 18, we found another OAuth app called “My Drvie files” [sic] hosted on mail-extend[.]space. 
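A consent request like the one for “Mail AntiSpam” can be triaged mechanically from the authorization URL alone, before anyone clicks Allow. The Python below is an added example, not code from the report: it rebuilds the kind of Google authorization URL the phishing domains redirected to, then extracts the client_id, the requested scopes and the redirect host, rates the scopes by what a token holder could do with the mailbox, and checks the client_id against the two app IDs in Table 3. The scope strings are the standard Gmail API scopes matching the permissions the report describes (full mailbox access for the first app, insert-only for the second); the redirect URL for the first app is assumed to be http://mail-modular.space/auth2callback.php from the garbled path quoted above, and the redirect URL for the second app is invented.

```python
from urllib.parse import urlsplit, parse_qs, urlencode

# Standard Gmail API scopes, rated by what a token holder can do with the mailbox.
# The first two match the permissions the report describes for the two apps.
SCOPE_RISK = {
    'https://mail.google.com/': ('high', 'full read, send, delete and manage access'),
    'https://www.googleapis.com/auth/gmail.insert': ('medium', 'can plant messages in the inbox'),
    'https://www.googleapis.com/auth/gmail.modify': ('high', 'read, label and delete mail'),
    'https://www.googleapis.com/auth/gmail.send': ('high', 'send mail as the user'),
    'https://www.googleapis.com/auth/gmail.readonly': ('high', 'read all mail'),
    'https://www.googleapis.com/auth/userinfo.email': ('low', 'address only'),
}
RANK = {'low': 0, 'medium': 1, 'high': 2}
GOOGLE_HOSTS = ('google.com', 'googleapis.com', 'googleusercontent.com')

# The two client IDs from Table 3 of this report.
KNOWN_BAD_CLIENT_IDS = {
    '374922381928-objdv07ir15t9n2sfhqvcg0abub6ahog.apps.googleusercontent.com',
    '894999984303-l97vu17uvco2h982uk4tuh4106i2qrst.apps.googleusercontent.com',
}


def is_google_host(host):
    return any(host == h or host.endswith('.' + h) for h in GOOGLE_HOSTS)


def consent_url(client_id, redirect_uri, scopes):
    '''Build a Google OAuth 2.0 authorization URL of the shape the phishing domains
    redirected victims to (constructed here; the report shows only the consent screen).'''
    return 'https://accounts.google.com/o/oauth2/v2/auth?' + urlencode({
        'client_id': client_id,
        'redirect_uri': redirect_uri,
        'response_type': 'code',
        'access_type': 'offline',
        'scope': ' '.join(scopes),
    })


def triage_consent_url(url):
    '''Extract what matters from an authorization URL and rate it.'''
    query = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    client_id = query.get('client_id', '')
    redirect_host = urlsplit(query.get('redirect_uri', '')).hostname or ''
    scopes = []
    worst = 'low'
    for scope in query.get('scope', '').split():
        level, why = SCOPE_RISK.get(scope, ('unknown', 'scope not in table'))
        scopes.append((scope, level, why))
        if level in RANK and RANK[level] > RANK[worst]:
            worst = level
    return {
        'client_id': client_id,
        'known_bad': client_id in KNOWN_BAD_CLIENT_IDS,
        'redirect_host': redirect_host,
        'redirect_is_google': is_google_host(redirect_host),
        'scopes': scopes,
        'risk': worst,
    }


# Assumed callback for the first app (from the garbled path the report quotes);
# the second app's callback is invented.
MAIL_ANTISPAM = consent_url(
    '374922381928-objdv07ir15t9n2sfhqvcg0abub6ahog.apps.googleusercontent.com',
    'http://mail-modular.space/auth2callback.php',
    ['https://mail.google.com/'])
MY_DRVIE_FILES = consent_url(
    '894999984303-l97vu17uvco2h982uk4tuh4106i2qrst.apps.googleusercontent.com',
    'http://mail-extend.space/auth2callback.php',
    ['https://www.googleapis.com/auth/gmail.insert'])

if __name__ == '__main__':
    for url in (MAIL_ANTISPAM, MY_DRVIE_FILES):
        verdict = triage_consent_url(url)
        print(verdict['risk'], verdict['known_bad'], verdict['redirect_host'])
```

In a proxy or mail-gateway rule the worthwhile signal is the combination: a non-Google redirect host, a scope at the ‘high’ tier, and a client_id that is not on an allowlist of sanctioned apps. Run against the second app, “My Drvie files”, the same triage rates the request only ‘medium’, which matches what the report found for it.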
This application\r\nonly requested access rights to insert emails in the account’s inbox (see Figure 18).\r\nTable 3 summarizes the two malicious Google OAuth apps.\r\nApp ID | App Name | Email Address | First Seen\r\n374922381928-objdv07ir15t9n2sfhqvcg0abub6ahog.apps.googleusercontent.com | Mail AntiSpam | mailantispamcenter[@]gmail.com | May 8, 2017\r\n894999984303-l97vu17uvco2h982uk4tuh4106i2qrst.apps.googleusercontent.com | My Drvie Files | myfiledrives[@]gmail.com | May 18, 2017\r\nTable 3\r\nSummary of malicious OAuth Applications\r\nMalware Connected to Infrastructure\r\nIn addition to the phishing activity, we identified a malware sample on VirusTotal that used one of the domains in the\r\noperation’s infrastructure (phpinfo[.]pw) as a command and control server. The domain was registered with the same\r\nWHOIS information used to register other domains in this operation and resolved to 104.207.132[.]165 between March\r\n2016 and March 2017. We did not find any use of this malware in the wild. The malware appears to be custom developed,\r\nbut of low technical sophistication. It is designed to find files with specific keywords in their name or path, and send them to\r\nthe C2 server. 
A full analysis of the sample is provided in Appendix A.\r\nPart 2: Targeting\r\nThis section describes the targets and tactics of the operation including tracking phishing campaigns targeting Tibetan\r\ngroups and analysis of decoy documents with targeting themes beyond the Tibetan community.\r\nTargeting the Tibetan Community\r\nBetween March 21, 2016 and February 21, 2017 we collected 24 phishing emails sent to Tibetan human rights groups and\r\nemail addresses associated with the CTA. We cluster these emails into four distinct phases based on time, social engineering\r\ntactics, and infrastructure. Figure 19 shows a timeline of the phishing operation divided into the four phases. We detail each\r\nphase in the sections below.\r\nPhase 1: First Signs of Activity\r\nIn the first phase, on March 21 and March 29 2016, two phishing emails were sent to a Tibetan human rights group. The\r\nphishing pages were not live during the period that we collected the emails. However, we retrieved decoy content that shows\r\nthese phishing attempts follow the general social engineering we see throughout the operation.\r\nSocial Engineering\r\nOn March 21 2016, a staff member of the group received a phishing email appearing to be from an individual with a Tibetan\r\nname “Tenzin Pema (བསྟན་འཛིན་པདྨ།)” with the subject “Tibetan Demographic Survey Report_1998”, a message in Hindi\r\nexpressing “Important information , Make sure to care!”, and a link to a domain made to resemble Gmail (See Figure 20).\r\nThe 1998 Tibetan Demographic Survey Report was the first census released on the Tibetan community in exile, and was\r\nupdated in 2009. The decoy document is a copy of the report (See Figure 21). 
The reference to an outdated document and\r\nuse of Hindi makes for unconvincing social engineering for the targeted groups.\r\nOn March 29, the same staff member received an email that appeared to be sent from a representative of the CTA that shared\r\na Google lookalike link to a webcast of an event commemorating the anniversary of Tibetan Uprising Day (See Figure 22).\r\nThe phishing page this link would lead to was not active when we received the email, but the decoy content was a video of\r\nthe event the email described, hosted on YouTube (See Figure 23).\r\nInfrastructure\r\nThe domain gmail-profile[.]com resolved to the first server used in the operation: 104.207.132[.]165. No domain\r\nresolution information was available for the other fake domain (www.google-sign[.]tk).\r\nThe WHOIS information for gmail-profile[.]com is as follows:\r\nName: dalin si\r\nEmail: styloveyou@163.com\r\nPhone number: 8613973212343\r\nCreation date: 15-mar-2016\r\nPhase 2: Google Mail Verification\r\nWe collected six phishing emails sent to two Tibetan human rights groups between April 21 and May 31, 2016, which all\r\nused a common template made to appear to be a security notification from Google.\r\nSocial Engineering\r\nEach email swaps out the email address referred to in the line: “We have received your request to be added to your [EMAIL]\r\n「Google Account」 requirements”. In each attempt the email referenced was a Yahoo account that did not match the\r\nrecipients’ emails, which were all Gmail accounts (see Figure 24).\r\nIn total five Yahoo emails were referenced. 
The majority of these emails used Tibetan names or references to Tibetan groups.\r\nHowever, some were not related to the Tibetan community, such as “chinesepen@yahoo.com”, which may be a reference to\r\nthe Independent Chinese PEN Center, a member of International PEN, a global association of writers and artists\r\nconcerned with freedom of expression and human rights. The mismatch between the referenced Yahoo email addresses and\r\nthe template designed for Google credential phishing may be a mistake made by the operators, suggesting they were also\r\ntargeting Yahoo accounts in other campaigns that may include groups outside of the Tibetan community.\r\nInfrastructure\r\nThe phishing domains used were made to look like Google services, but none of the phishing pages were live at the time of\r\ncollection.\r\nPassive DNS records were not available for the majority of the domains, with the exception of google-secure[.]gq, which\r\nresolved to 104.207.132[.]165, the same IP that the domain used in Phase 1 resolved to (see Figure 25).\r\nPhase 3: Improved Targeting\r\nIn Phase 3, four emails were sent to the two Tibetan groups between June 13 and July 15, 2016.\r\nSocial Engineering\r\nThe social engineering used in the phishing emails in this phase returns to Tibetan themes: the emails are made to appear to come\r\nfrom Tibetan groups or individuals and include what appeared to be links to image files (see Figure 26).\r\nIf a target entered credentials into the linked phishing page, an image file hosted on Google Drive would be presented, such as\r\nthe photograph of Mount Everest shown in Figure 27.\r\nInfrastructure\r\nThe domains used in Phase 3 were hosted on the second server used in the operation 
(see Table 4).\r\nDomain Passive DNS\r\ndrive-google[.]me 45.63.0[.]49\r\ndrive-google[.]cf 45.63.0[.]49\r\naccounts-google[.]cc 45.63.0[.]49\r\nTable 4\r\nSummary of domains used in Phase 3.\r\nDomain registration information provides connections between this infrastructure and the other phases. The email\r\n(styloveyou[@]163.com) was used to register domains in Phase 1 and a domain from Phase 3 ( accounts-google[.]cc ).\r\nAnother Yahoo lookalike domain ( yahoo-protect[.]com ) was registered with the same phone number (8618860147601)\r\nwhich registered drive-google[.]me and which pointed to the IP address used in phase 1 ( 104.207.132[.]165 ). Figure\r\n28 shows infrastructure connections between Phases 1, 2, and 3.\r\nhttps://citizenlab.ca/2018/01/spying-on-a-budget-inside-a-phishing-operation-with-targets-in-the-tibetan-community/\r\nPage 22 of 40\n\nPhase 4: Chain of Compromise\r\nThe fourth phase consisted of 12 emails sent between Nov 1, 2016 and February 21, 2017 with the majority of emails sent in\r\nlate December. During this phase we see wider targeting in the Tibetan community, including the CTA, and compromised\r\naccounts sending phishing emails to large lists of recipients, which were likely harvested from the contact list of the account.\r\nSocial Engineering\r\nThe social engineering used in this phase included messages with relevant content and senders that appeared legitimate (and\r\nin some cases were sent from compromised accounts). We suspect that the improvements to targeting in this phase were due\r\nto the operators leveraging information collected from compromised accounts.\r\nOn December 30, 2016, a phishing email was sent from a @tibet.net email address, (tibet.net is a domain used by the\r\nCentral Tibetan Administration for its official website and email services), to a list of 241 recipients. 
Analysis of the email\r\nheaders show the email sender was legitimate suggesting that the account had been compromised.\r\nThe email purported to send a picture which linked to a fake Google domain:\r\nhxxp://drive-mail-google[.]cf/?a/tibet.net/file/d/0B-M7IOLyhAvNZzRjQlNaUVV4ODA/view?usp=drive_web\r\nWe observed two other phishing emails sent from a Gmail address included in the recipient list four hours before and 15\r\nhours after the message from the @tibet.net address. These emails also purported to contain an image which linked to a fake\r\nGoogle domain. We suspect this address was also compromised. This series of emails shows how the operators harvest\r\ncontacts and other information from compromised accounts and feed it into further targeting.\r\nInfrastructure\r\nTable 5 lists the nine domains that were used during Phase 4, which were all hosted on the same server as Phase 3.\r\nhttps://citizenlab.ca/2018/01/spying-on-a-budget-inside-a-phishing-operation-with-targets-in-the-tibetan-community/\r\nPage 23 of 40\n\nDomain Passive DNS\r\nhttpsaccounts-google.cf 45.63.0[.]49\r\ndrive-accounts-google.ga 45.63.0[.]49\r\ndrive-google.ml 45.63.0[.]49\r\ndrive-mail-google.cf 45.63.0[.]49\r\nmyaccounts-google.online 45.63.0[.]49\r\nmydrive-google.online 45.63.0[.]49\r\nmydrive-google.asia 45.63.0[.]49\r\nhttpsdrive-google.net 45.63.0[.]49\r\nhttpsdrive-google.space 45.63.0[.]49\r\nTable 5\r\nSummary of domains used in Phase 4\r\nFigure 29 shows the infrastructure connections between the four phases.\r\nTargeting Beyond Tibetan Groups\r\nThe phishing emails we collected from Tibetan groups provide our best visibility into the social engineering and targeting\r\ntactics used in the operation, but represent only a small piece of the overall activity. 
In addition to the phishing emails\r\ntargeting Tibetan groups we found decoy documents with a range of themes suggesting other potential targeting.\r\nBeginning on February 23, 2017 we began to systematically download decoy documents served from the phishing pages,\r\ncollecting a total of 58 files. Tibetan politics and culture was the most consistent theme across the files accounting for 41\r\ndecoy documents, but we also found reference to ten other themes based on the content of documents, phishing pages, and\r\ndomain names.\r\nThese other themes included social movements and groups in China such as ethnic minorities (Uyghurs), Falun Gong-related media (Epoch Times), and a group working on rights issues in China. Themes also included reference to South Asian\r\nand Southeast Asian governmental agencies such as the Pakistan Army, the Sri Lanka Ministry of Defence, and the Thailand\r\nMinistry of Justice. Other decoy content referenced Hong Kong-based companies and a mail provider operated by a\r\nBurmese Internet Service Provider. The operators also registered a domain that referenced Guo Wengui, a Chinese\r\nhttps://citizenlab.ca/2018/01/spying-on-a-budget-inside-a-phishing-operation-with-targets-in-the-tibetan-community/\r\nPage 24 of 40\n\nbillionaire who gained notoriety after voicing allegations that high ranking officials in the Communist Party of China are\r\nengaged in corruption (however, we never saw this domain used for any activities and it never resolved to an IP address).\r\nWe also found a phishing page mimicking Chinese used car websites, which may be evidence of the operators using the\r\ninfrastructure for general cyber crime activities.\r\nFigure 30 shows the breakdown of non-Tibetan themes by the type of content used. 
Appendix B provides detailed examples\r\nof each targeting theme.\r\nFigure 31 provides a timeline of themes based on when we found the first evidence of a decoy document, phishing page, or\r\ndomain, and the general period of activity for each theme.\r\nBased on the content and metadata of files we determined if the document was publicly available online or potentially a\r\nprivate file. We grouped the files into three categories — private, public and unknown — based on our estimation of their\r\npublicity. Private files included grant contracts and meeting minutes for a human rights group working on issues in China\r\nand legal documents and policy materials from the Central Tibetan Administration. We suspect these documents were\r\ncollected from accounts compromised during the operation. Table 6 shows the distribution of file types and themes.\r\nTheme Type Number of Documents\r\nTibet PRIVATE 11\r\nPUBLIC 16\r\nhttps://citizenlab.ca/2018/01/spying-on-a-budget-inside-a-phishing-operation-with-targets-in-the-tibetan-community/\r\nPage 25 of 40\n\nTheme Type Number of Documents\r\nUNKNOWN 14\r\nHong Kong\r\nPUBLIC 1\r\nUNKNOWN 3\r\nChina Rights Group PRIVATE 3\r\nBurma PUBLIC 2\r\nPakistan PUBLIC 1\r\nUyghur PUBLIC 1\r\nMisc\r\nPUBLIC 2\r\nUNKNOWN 4\r\nTable 6\r\nDecoy documents organized by type and theme.\r\nThe diversity of themes suggests the operators were interested in a wider group of targets outside of the Tibetan community.\r\nA commonality across these themes is that they are all of political interest to the government of China. Social movements,\r\nreligious groups, and ethnic minorities are sensitive political issues in China. Uyghurs, Falun Gong supporters, and Tibetan\r\ngroups are well documented targets of digital espionage operations that are often suspected to be carried out by operators\r\ndirectly sponsored or tacitly supported by Chinese government agents. 
Government agencies in South Asia and South-East\r\nAsia are also within the geopolitical interests of China and are frequently targeted by digital espionage. Despite these\r\ncommonalities, it is unclear how the operators selected targets. Nor is it clear if the operators had a specific sponsor and/or\r\nwho was the ultimate consumer of data collected.\r\nPart 3: Discussion and Conclusion\r\nThis section discusses the implications of our analysis.\r\nThis report shows that effective digital spying operations do not require deep pockets or sophisticated technical skills to be\r\neffective at accessing sensitive information. While digital threats against civil society range widely in sophistication and\r\ntechnique it is evident that there is a gap between the state of the threat, and the ability of civil society groups to protect\r\nthemselves. Efforts undertaken within civil society, like behavioural change programs and awareness efforts, and steps taken\r\nby companies can all contribute to closing the gap. Unfortunately, some of the most important security tools provided by\r\ncompanies are not being effectively promoted and mainstreamed to their user bases.\r\nLow Entry Costs for Digital Spying\r\nThe operators in this case demonstrated only basic technical skills and committed a number of errors and operational\r\nsecurity mistakes that made it easier to track their activities. This profile suggests the operator may be a low level contractor\r\nservicing multiple clients or a single client with multiple targeting interests. The sloppiness on the part of the operators may\r\nalso show they are working in an environment without any effective deterrent to their activities, and possibly even some\r\nkind of informal high-level support. 
Finally, the targeting of second hand selling car websites also suggests that the operators\r\nmay be engaged in conventional cyber crime.\r\nThe report adds to previous investigations that have repeatedly shown that many threat actors, including those with access to\r\nmore sophisticated capabilities, persist in using phishing and other forms of basic social engineering to target civil society.\r\nPrevious work has tracked phishing campaigns targeting Egyptian civil society, journalists in Latin America, Syrian\r\nhttps://citizenlab.ca/2018/01/spying-on-a-budget-inside-a-phishing-operation-with-targets-in-the-tibetan-community/\r\nPage 26 of 40\n\nopposition groups, Iranian pro-democracy organizations, and many others. The relatively low cost, scalability, and\r\nadaptability of phishing make it an attractive option that we expect will continue to be an active threat for civil society.\r\nBehaviour Change Is Slow, but Attackers Adapt Quickly\r\nFor the Tibetan community in particular, this operation is another example of a shift from targeted malware to phishing\r\noperations. Previous research has shown that in the past the most common digital espionage threat used against the Tibetan\r\ncommunity was document-based malware sent as email attachments. Some Tibetan groups reacted to this threat by\r\npromoting the use of cloud platforms to share documents, such as Google Drive and Dropbox, as an alternative to email\r\nattachments. While this behavioural change is a potentially effective mitigation against malware sent as attachments, shifting\r\npractices in a community can take a long time to achieve. Operators on the other hand can adapt on a much shorter\r\ntimescale. For example, as Tibetan groups started to avoid attachments and use cloud alternatives we saw operators pivot to\r\nsending malware through Google Drive. 
We simultaneously observed a drop in malware campaigns against Tibetan groups\r\nand a rise in phishing operations.\r\nCommunity security education efforts and behaviour change programs can lead to the adoption of more secure behaviours\r\nand are an important step in mitigating these threats. However, the long timescale of these efforts, combined with often-limited feedback about their success, is little match for the rapid iteration available to operators. For example, we observed\r\nthe operators in this case experimenting with OAuth apps to steal account credentials. It is unclear who the operators\r\ntargeted with the malicious OAuth apps, but their use could be a means to bypass users with two factor authentication on\r\ntheir Google accounts. The abuse of OAuth shows that operators will continue to adapt and innovate when necessary and\r\napply just enough technical sophistication and tricks to achieve their objectives.\r\nRaising the Cost of Digital Spying and Protecting Users\r\nEfforts to increase security awareness are important, despite their limitations, but are not the only tools available to mitigate\r\nthe harm caused by phishing. Much of the threat posed by this operation could have been blunted by security features like\r\ntwo factor authentication, which are available on widely-used consumer platforms like Gmail. Unfortunately, user adoption\r\nrates for two factor authentication are extremely low, although many companies avoid providing public figures that could\r\nillustrate just how dire the situation is. Indeed, even users who have experienced a breach are unlikely to enable these\r\nsecurity features (roughly 3.1% according to a recent study). In other words, security features are unlikely to be enabled,\r\neven when the stakes are very high. 
These low rates likely reflect a range of user variables, such as awareness, motivation,\r\nand technical literacy, as well as the difficulty and time required to follow the multi-step process to enable them.\r\nThe low adoption rates for two factor authentication raises the question of what other steps companies can take to make\r\nsecurity features mainstream for all users. These steps might include enabling a form of two factor authentication as default-on when a new account is created, or developing better behavioural nudges to increase adoption rates. Unfortunately,\r\ncompanies may be avoiding these efforts out of concerns of losing users by adding friction to account use and recovery, or\r\nincurring additional costs for customer service.\r\nCivil society groups, like many organizations and businesses, rely on popular consumer platforms to disseminate\r\ninformation, gain public visibility, and communicate. Some widely-used platforms have clearly taken notice of the unique\r\nthreats faced by these populations and added security options tailored to them, such as an “advanced security program”\r\n(Google) which implement multiple U2F security tokens, and other account security features.\r\nWhile these programs are interesting (and too new to properly evaluate), our experience suggests that the same behavioural\r\nhurdles will apply to them, and that adoption rates will not match the size of the user population that is likely to be targeted.\r\nThere is a clear and urgent imperative to shift users to a more secure authentication process. This change can only happen\r\nwhen companies develop a clear intention to fix this problem, and commit to a goal of achieving a specific adoption rate for\r\nthese security features in a limited timeframe.\r\nhttps://citizenlab.ca/2018/01/spying-on-a-budget-inside-a-phishing-operation-with-targets-in-the-tibetan-community/\r\nPage 27 of 40\n\nAddressing this problem goes beyond helping civil society. 
A combination of  security education and wider adoption of\r\nsecurity features like two factor authentication can help raise the low bar by making digital spying more expensive and\r\nimmediately benefit high risk users. Paying attention to the security challenges that plague civil society on popular platforms\r\ncan in turn confer greater security to the wider user population.\r\nAcknowledgements\r\nAuthors in alphabetical order.\r\nSpecial thanks to Lobsang Gyatso, Tibet Action Institute, and the participating Tibetan organizations. We are grateful to Ron\r\nDeibert for guidance and supervision, to Adam Senft and Miles Kenyon for copy editing, and to TNG.\r\nFigures 5 and 6 include icons created by Genius Icons (URL), Ralf Schmitzer (server), Creative Outlet (clock), Xinh Studio\r\n(clock) Pro Symbols (certificate), Andrew Doane (money stack), Milky Digital Innovation (target) licensed under CC BY\r\n3.0 from the Noun Project.\r\nIndicators of Compromise\r\nIndicators of compromise are available on GitHub in multiple formats.\r\nAppendix A: Malware Analysis\r\nMalware Sample Information\r\nSHA-256:  654e952324bddf09ca7b014bfdf79103c643d21d648182f911a65d7c907803b8\r\nFile Name:  Wextract\r\nCommand and Control Server:  phpinfo[.]pw\r\nDomain WHOIS\r\nEmail:  styloveyou[@]163.com\r\nPhone number  8613973212343\r\nSummary\r\nThe sample is a self-extracting program, which drops both a legitimate Windows Media Player binary\r\n(e04ffd291915cd0db9c3ae8743f68c8c) and malicious file called playlib.exe (0963bee29e797ea7481be5f18f354029).\r\nThe malicious file ( playlib.exe ) was developed in C++ using the Qt library packaged using Enigma Virtual Box to be\r\nportable. 
Its main objective is to search the infected hard drive for files with specific keywords to identify Microsoft Office\r\ndocuments, passwords and keyfiles and send these files to the C2 server.\r\nInstallation and persistence\r\nWhen running for the first time, the program copies itself in an AppData folder ( C:Users[USERNAME]AppDataLocal on\r\nwindows 7) as spoolsv.exe and creates a Run key VC_APP in\r\nHKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionrun . It then reads the configuration and creates an ini file\r\nupload_Log.ini in the same folder including the configuration in a section called section1 .\r\nPersistence Key\r\nSearch for files\r\nhttps://citizenlab.ca/2018/01/spying-on-a-budget-inside-a-phishing-operation-with-targets-in-the-tibetan-community/\r\nPage 28 of 40\n\nWhen the program is launched, it first checks if the ini file exists and if it contains a list of files (checking the filecount\r\nparameter). If the filecount parameter is 0, it then starts enumerating files on the disk and write name, path and last\r\nmodification date of every file containing one of the key words in its path.\r\nExample of upload_Log.ini (first 10 lines)\r\nOnce the enumeration is done, the program reads every file listed in the .ini file and sends it to the C2 server with its\r\nfilename. 
On a second execution, the malware confirms that the enumeration was already done by checking the .ini file.\r\nIt then checks the last modification time of every file listed, and sends any files that were modified since the previous\r\nexecution.\r\nConfiguration\r\nThe configuration file is stored in the 200 extra-bytes at the end of the PE file (C2 address at END-200 and the list of key\r\nwords at END-100).\r\nHex dump of the configuration file\r\nThis configuration includes keyword targeting files made in Microsoft Office, passwords, and key files with the following\r\nfile extensions:\r\n.doc\r\n.docx\r\n.xls\r\n.xlsx\r\n.ppt\r\n.pptx\r\n.pdf\r\n.pass\r\n.key\r\nGBK codes\r\nhttps://citizenlab.ca/2018/01/spying-on-a-budget-inside-a-phishing-operation-with-targets-in-the-tibetan-community/\r\nPage 29 of 40\n\nThe program uses GBK Qt codec as encoding type when reading or writing files. The GBK codec is for Chinese language.\r\nAppendix B: Targeting Theme Examples\r\nTibet\r\nTimeline\r\nMarch 2016 to July 2017\r\nNumber of decoy documents 41\r\nNumber of domains 5\r\nNumber of customized phishing pages 3\r\nTibetan themed domains and decoy content was the most consistent theme across the operation including domains that\r\nmimicked Tibetan organizations such as the official website of His Holiness the Dalai Lama and the Central Tibetan\r\nAdministration website. 
The operators also designed fake login pages to spoof mail services on the Dalai Lama’s website.\r\nDomain Registration Date Registrant Registrar\r\nwebmail-dalailama[.]com 2017-04-06 deepcliff[@]sina.com Go Daddy\r\nwebmail.dalailama[.]space 2017-04-02 deepcliff[@]sina.com Go Daddy\r\nt1bet[.]net 2016-04-03 styloveyou[@]163.com HK DNS\r\ntibet-office[.]net 2016-11-22 leungguodong[@]outlook.com Go Daddy\r\nwebmail-dalailama[.]space 2017-05-27 deepcliff[@]sina.com Go Daddy\r\nhttps://citizenlab.ca/2018/01/spying-on-a-budget-inside-a-phishing-operation-with-targets-in-the-tibetan-community/\r\nPage 30 of 40\n\nFake Zimbra login hosted on webmail-dalailama[.]space (June 2017)\r\nWe collected a total of 41 Tibetan related documents used as decoy content and estimate that at least 11 of them are private\r\ndocuments.\r\nExample of Tibet themed decoy content (April 2017)\r\nChina Rights Group\r\nhttps://citizenlab.ca/2018/01/spying-on-a-budget-inside-a-phishing-operation-with-targets-in-the-tibetan-community/\r\nPage 31 of 40\n\nTimeline May and June 2017\r\nNumber of decoy documents 3\r\nNumber of domains 0\r\nNumber of phishing pages 0\r\nIn May and June 2017, we identified three Google Drive documents used as decoys for generic phishing domains and\r\nGoogle lookalike domains (e.g., mail-gooog1e[.]info ). The documents appear to be files related to an NGO working on\r\nhuman rights issues in China including grant documentation and meeting minutes. The nature of the documents indicate they\r\nare likely private files.\r\nUyghur\r\nTimeline March 2017\r\nNumber of decoy documents 1\r\nNumber of domains 0\r\nNumber of phishing pages 0\r\nOn March 10, 2017 we identified a fake Google login page on the domain drive-mail[.]info . If credentials were into the\r\npage the user would be redirected to a document in the Uyghur language on Google Drive. This document is publicly\r\navailable from the World Uyghur Congress website. 
Google Drive metadata on the document shows that it was uploaded on\r\nMarch 8, two days before it was used as a decoy.\r\nhttps://citizenlab.ca/2018/01/spying-on-a-budget-inside-a-phishing-operation-with-targets-in-the-tibetan-community/\r\nPage 32 of 40\n\nUyghur themed decoy document hosted on Google Drive.\r\nEpoch Times\r\nTimeline April 2017\r\nNumber of decoy documents 0\r\nNumber of domains 2\r\nNumber of phishing pages 1\r\nIn April 2017, we identified two domains mimicking Epoch Times, a multilingual media organization started by Chinese-American Falun Gong supporters. The domain was registered with the same email addresses that was seen in other domains\r\nin this campaign.\r\nDomain Registration Date Registrant Registrar\r\nmail-epochtimes[.]space 2017-04-11 deepcliff[@]sina.com GoDaddy\r\nepochtimes[.]space 2017-04-19 evalliang[@]163.com GoDaddy\r\nWe identified a phishing page on the domain mail-epochtimes[.]space (hosted on 115.126.39[.]107 at that time),\r\nwhich is a copy of the Epoch Time webmail login page.\r\nhttps://citizenlab.ca/2018/01/spying-on-a-budget-inside-a-phishing-operation-with-targets-in-the-tibetan-community/\r\nPage 33 of 40\n\nScreenshot of fake login page presented on mail-epochtimes[.]space (April 2017)\r\nGuo Wengui\r\nTimeline May 2017\r\nNumber of decoy documents 0\r\nNumber of domains 1\r\nNumber of phishing pages 0\r\nGuo Wengui is a Chinese billionaire who gained notoriety after voicing allegations that high ranking officials in the\r\nCommunist Party of China are engaged in corruption. Guo has been seeking asylum in the US following a request from\r\nChina to Interpol to issue a global warrant for his arrest\r\nOn May 2 2017, the operators registered a domain that referenced Guo’s name. 
We have not seen any resolution for this\r\ndomain, or any other utilization of it.\r\nDomain Registration Date Registrant Registrar\r\nwengiguowengui[.]space 2017-05-02 deepcliff[@]sina.com Go Daddy\r\nHong Kong\r\nTimeline\r\nJune 2016, March to July 2017\r\nNumber of decoy documents 4\r\nhttps://citizenlab.ca/2018/01/spying-on-a-budget-inside-a-phishing-operation-with-targets-in-the-tibetan-community/\r\nPage 34 of 40\n\nTimeline\r\nJune 2016, March to July 2017\r\nNumber of domains 1\r\nNumber of phishing pages 1\r\nBetween March and June 2017, we identified four decoy images hosted on Google Drive that included pictures of Hong\r\nKong companies, an image of text in Chinese referencing political issues in Hong Kong, and an image of a running trail in\r\nthe city.\r\nOn July 1 2017, only a few days before the last day of activity in the operation we observed a domain and phishing page\r\ndesigned to mimic email services provided by Netvigator is the largest residential Internet service provider in Hong Kong.\r\nDomain Registration Date Registrant Registrar\r\nemail-netvigator[.]info June 27 2017 deepcliff[@]yahoo.com  \r\nScreenshot of fake Netvigator login page (July 2017)\r\nSri Lanka Ministry of Defense\r\nTimeline May and June 2017\r\nNumber of decoy documents 0\r\nNumber of domains 3\r\nNumber of phishing pages 1\r\nIn June 2017, we identified several domains mimicking the Sri Lanka Ministry of Defense webmail subdomain\r\n(mail.defence.lk).\r\nDomain Registration Date Registrant Registrar\r\nmail-defense[.]space May 13 2017 deepcliff[@]sina.com Go Daddy\r\nmail-defend[.]space May 31 2017 deepcliff[@]sina.com Go Daddy\r\nhttps://citizenlab.ca/2018/01/spying-on-a-budget-inside-a-phishing-operation-with-targets-in-the-tibetan-community/\r\nPage 35 of 40\n\nDomain Registration Date Registrant Registrar\r\nmail-defense[.]tk Unknown Unknown Unknown\r\nIn June 2017, a fake webmail login was installed on on mail-defense[.]tk that copied the legitimate login page. 
If\r\ncredentials were entered into this page users were redirected to a file hosted on Google Drive. This file was no longer\r\navailable when we found the login page.\r\nScreenshot of fake login page hosted on mail-defense[.]tk (June 2017)\r\nPakistan\r\nTimeline March 2017\r\nNumber of decoy documents 1\r\nNumber of domains 0\r\nNumber of phishing pages 1\r\nIn March 2017, we found a fake Outlook login page hosted on the domain: login-live[.]us . This page was copied from\r\nthe website of the Punjab government in Pakistan (https://mail.punjab.gov.pk/owa).\r\nhttps://citizenlab.ca/2018/01/spying-on-a-budget-inside-a-phishing-operation-with-targets-in-the-tibetan-community/\r\nPage 36 of 40\n\nFake Outlook login page hosted on login-live[.]us (March 2017)\r\nOn March 21, if credentials were entered into the fake login page the user would be redirected to the webmail page for the\r\nGovernment of Punjab in Pakistan (http://mail.punjab.gov.pk/ ). On March 22, if credentials were entered the user would be\r\nredirected to decoy content on Google that showed an image from the Pakistani Army that is available on the Pakistani\r\ngovernment website.\r\nDecoy document redirected from login-live[.]us (March 2017)\r\nBurma\r\nTimeline February, April and May 2017\r\nNumber of decoy documents 2\r\nhttps://citizenlab.ca/2018/01/spying-on-a-budget-inside-a-phishing-operation-with-targets-in-the-tibetan-community/\r\nPage 37 of 40\n\nTimeline February, April and May 2017\r\nNumber of domains 1\r\nNumber of phishing pages 2\r\nWe first identified Burma-related pages in February 2017, the domain webmail.postmailsecret[.]com hosted a fake\r\nZimbra login that was a copy of the Myanmar Post and Telecommunications (MPT) webmail. 
MPT is a major state owned\r\ntelecommunications company in Burma.\r\nScreenshot of the fake Zimbra login hosted on webmail.postmailsecret[.]com (Feb 2017).\r\nWhen we tested it however, we found that submitting credentials to this form redirected us to a Tibetan related decoy\r\ndocument. In late April, we found Burma-related decoy documents, redirecting from a fake Google login page hosted on the\r\ndomain: www.mail-attachment-usercontent[.]space . This picture is a photo of hot-air balloons over Bagan that is widely\r\navailable online.\r\nDecoy image used by the domain www.mail-attachment-usercontent[.]space (April 2017)\r\nIn May we identified a domain mimicking the webmail of MPT, but did not observe any utilization of it.\r\nhttps://citizenlab.ca/2018/01/spying-on-a-budget-inside-a-phishing-operation-with-targets-in-the-tibetan-community/\r\nPage 38 of 40\n\nDomain Registration Date Registrant Registrar\r\nwebmail.mpt[.]space 2017-04-19 evalliang[@]163.com Go Daddy\r\nMinistry of Justice of Thailand\r\nTimeline June 2017\r\nNumber of decoy documents 0\r\nNumber of domains 1\r\nNumber of phishing pages 0\r\nIn July 2017, we identified a domain mimicking the Thailand Department of Special Investigation (DSI) website. The\r\ndomain mail.dsi.go.th is the official page of DSI and is part of the Thai Ministry of Justice. 
We have not seen any evidence\r\nof utilization of this domain.\r\nDomain Registration Date Registrant Registrar\r\nmail-dsi-go[.]space 2017-06-26 deepcliff[@]sina.com GoDaddy\r\nUsed Car Seller\r\nTimeline April and May 2017\r\nNumber of decoy documents 0\r\nNumber of domains 3\r\nNumber of phishing pages 2\r\nIn April and May 2017, we identified several domains mimicking two popular Chinese used car selling websites: Youxinpai\r\nand Guazi.\r\nDomain Registration Date Registrant Registrar\r\nmail-youxinpai[.]com 2017-04-17 deepcliff[@]sina.com Go Daddy\r\nmail-guazi[.]space 2017-05-01 deepcliff[@]sina.com Go Daddy\r\nmail-guazi[.]com 2017-04-19 evalliang[@]163.com Go Daddy\r\nFake login pages were hosted on mail-youxinpai[.]com (April 2017) and mail-guazi[.]space (May 2017). In both\r\ncases, the login page redirected to the real webmail address directly. We have not seen any activity related to mail-guazi[.]com .\r\nhttps://citizenlab.ca/2018/01/spying-on-a-budget-inside-a-phishing-operation-with-targets-in-the-tibetan-community/\r\nPage 39 of 40\n\nScreenshot of fake webmail login hosted on mail-youxinpai[.]com (April 2017).\r\nScreenshot of fake webmail login hosted on mail-guazi[.]space (May 2017)\r\nSource: https://citizenlab.ca/2018/01/spying-on-a-budget-inside-a-phishing-operation-with-targets-in-the-tibetan-community/\r\nhttps://citizenlab.ca/2018/01/spying-on-a-budget-inside-a-phishing-operation-with-targets-in-the-tibetan-community/\r\nPage 40 of 40\n\nIn February 2017, in Figure 12). the operators began The change to Comodo to use valid Comodo certificates is correlated HTTPS certificates with the infrastructure for the majority moving from of domains (see an Ubuntu server an example to a\nWindows 7 server ( 115.126.39[.]107 ) in February 2017. 
The operators may have moved from Let’s Encrypt to Comodo,\nbecause Certbot (the most common tool used to deploy Let’s Encrypt certificates) is not available on Windows systems.\n   Page 9 of 40   \n\ncollection. Passive DNS records were not available for the majority of the domains with the exception of google-secure[.]gq which \nresolved to 104.207.132[.]165, the same IP that the domain used in Phase 1 resolved to (see Figure 25).\n  Page 20 of 40  \n\n https://citizenlab.ca/2018/01/spying-on-a-budget-inside-a-phishing-operation-with-targets-in-the-tibetan-community/   \nScreenshot of fake webmail login hosted on mail-youxinpai[.]com (April 2017).\nScreenshot of fake webmail login hosted on mail-guazi[.]space (May 2017)\nSource: https://citizenlab.ca/2018/01/spying-on-a-budget-inside-a-phishing-operation-with-targets-in-the-tibetan-community/    \n   Page 40 of 40",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://citizenlab.ca/2018/01/spying-on-a-budget-inside-a-phishing-operation-with-targets-in-the-tibetan-community/"
	],
	"report_names": [
		"spying-on-a-budget-inside-a-phishing-operation-with-targets-in-the-tibetan-community"
	],
	"threat_actors": [
		{
			"id": "af509bbb-8d18-4903-a9bd-9e94099c6b30",
			"created_at": "2023-01-06T13:46:38.585525Z",
			"updated_at": "2026-04-10T02:00:03.030833Z",
			"deleted_at": null,
			"main_name": "APT32",
			"aliases": [
				"OceanLotus",
				"ATK17",
				"G0050",
				"APT-C-00",
				"APT-32",
				"Canvas Cyclone",
				"SeaLotus",
				"Ocean Buffalo",
				"OceanLotus Group",
				"Cobalt Kitty",
				"Sea Lotus",
				"APT 32",
				"POND LOACH",
				"TIN WOODLAWN",
				"Ocean Lotus"
			],
			"source_name": "MISPGALAXY:APT32",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "870f6f62-84f5-48ca-a18e-cf2902cd6924",
			"created_at": "2022-10-25T15:50:23.303818Z",
			"updated_at": "2026-04-10T02:00:05.301184Z",
			"deleted_at": null,
			"main_name": "APT32",
			"aliases": [
				"APT32",
				"SeaLotus",
				"OceanLotus",
				"APT-C-00",
				"Canvas Cyclone"
			],
			"source_name": "MITRE:APT32",
			"tools": [
				"Mimikatz",
				"ipconfig",
				"Kerrdown",
				"Cobalt Strike",
				"SOUNDBITE",
				"OSX_OCEANLOTUS.D",
				"KOMPROGO",
				"netsh",
				"RotaJakiro",
				"PHOREAL",
				"Arp",
				"Denis",
				"Goopy"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "9381a9dc-8d8e-453a-9fe5-301136ff0f83",
			"created_at": "2023-01-06T13:46:38.775762Z",
			"updated_at": "2026-04-10T02:00:03.096032Z",
			"deleted_at": null,
			"main_name": "RedAlpha",
			"aliases": [
				"DeepCliff",
				"Red Dev 3"
			],
			"source_name": "MISPGALAXY:RedAlpha",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "cc8271a3-471f-4b8c-9da6-7d50f8ccabaa",
			"created_at": "2022-10-25T16:07:24.107066Z",
			"updated_at": "2026-04-10T02:00:04.868213Z",
			"deleted_at": null,
			"main_name": "RedAlpha",
			"aliases": [
				"DeepCliff",
				"Red Dev 3"
			],
			"source_name": "ETDA:RedAlpha",
			"tools": [
				"AngryRebel",
				"Bladabindi",
				"FF-RAT",
				"Farfli",
				"FormerFirstRAT",
				"Gh0st RAT",
				"Ghost RAT",
				"Jorik",
				"Moudour",
				"Mydoor",
				"NetHelp Infostealer",
				"NetHelp Striker",
				"PCRat",
				"RedAlpha",
				"ffrat",
				"njRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "730dfa6e-572d-473c-9267-ea1597d1a42b",
			"created_at": "2023-01-06T13:46:38.389985Z",
			"updated_at": "2026-04-10T02:00:02.954105Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"Pawn Storm",
				"ATK5",
				"Fighting Ursa",
				"Blue Athena",
				"TA422",
				"T-APT-12",
				"APT-C-20",
				"UAC-0001",
				"IRON TWILIGHT",
				"SIG40",
				"UAC-0028",
				"Sofacy",
				"BlueDelta",
				"Fancy Bear",
				"GruesomeLarch",
				"Group 74",
				"ITG05",
				"FROZENLAKE",
				"Forest Blizzard",
				"FANCY BEAR",
				"Sednit",
				"SNAKEMACKEREL",
				"Tsar Team",
				"TG-4127",
				"STRONTIUM",
				"Grizzly Steppe",
				"G0007"
			],
			"source_name": "MISPGALAXY:APT28",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "5da6b5fd-1955-412a-81aa-069fb50b6e31",
			"created_at": "2025-08-07T02:03:25.116085Z",
			"updated_at": "2026-04-10T02:00:03.668978Z",
			"deleted_at": null,
			"main_name": "TIN WOODLAWN",
			"aliases": [
				"APT32 ",
				"Cobalt Kitty",
				"OceanLotus",
				"WOODLAWN "
			],
			"source_name": "Secureworks:TIN WOODLAWN",
			"tools": [
				"Cobalt Strike",
				"Denis",
				"Goopy",
				"JEShell",
				"KerrDown",
				"Mimikatz",
				"Ratsnif",
				"Remy",
				"Rizzo",
				"RolandRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "2439ad53-39cc-4fff-8fdf-4028d65803c0",
			"created_at": "2022-10-25T16:07:23.353204Z",
			"updated_at": "2026-04-10T02:00:04.55407Z",
			"deleted_at": null,
			"main_name": "APT 32",
			"aliases": [
				"APT 32",
				"APT-C-00",
				"APT-LY-100",
				"ATK 17",
				"G0050",
				"Lotus Bane",
				"Ocean Buffalo",
				"OceanLotus",
				"Operation Cobalt Kitty",
				"Operation PhantomLance",
				"Pond Loach",
				"SeaLotus",
				"SectorF01",
				"Tin Woodlawn"
			],
			"source_name": "ETDA:APT 32",
			"tools": [
				"Agentemis",
				"Android.Backdoor.736.origin",
				"AtNow",
				"Backdoor.MacOS.OCEANLOTUS.F",
				"BadCake",
				"CACTUSTORCH",
				"CamCapture Plugin",
				"CinaRAT",
				"Cobalt Strike",
				"CobaltStrike",
				"Cuegoe",
				"DKMC",
				"Denis",
				"Goopy",
				"HiddenLotus",
				"KOMPROGO",
				"KerrDown",
				"METALJACK",
				"MSFvenom",
				"Mimikatz",
				"Nishang",
				"OSX_OCEANLOTUS.D",
				"OceanLotus",
				"PHOREAL",
				"PWNDROID1",
				"PhantomLance",
				"PowerSploit",
				"Quasar RAT",
				"QuasarRAT",
				"RatSnif",
				"Remy",
				"Remy RAT",
				"Rizzo",
				"Roland",
				"Roland RAT",
				"SOUNDBITE",
				"Salgorea",
				"Splinter RAT",
				"Terracotta VPN",
				"Yggdrasil",
				"cobeacon",
				"denesRAT",
				"fingerprintjs2"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e3767160-695d-4360-8b2e-d5274db3f7cd",
			"created_at": "2022-10-25T16:47:55.914348Z",
			"updated_at": "2026-04-10T02:00:03.610018Z",
			"deleted_at": null,
			"main_name": "IRON TWILIGHT",
			"aliases": [
				"APT28 ",
				"ATK5 ",
				"Blue Athena ",
				"BlueDelta ",
				"FROZENLAKE ",
				"Fancy Bear ",
				"Fighting Ursa ",
				"Forest Blizzard ",
				"GRAPHITE ",
				"Group 74 ",
				"PawnStorm ",
				"STRONTIUM ",
				"Sednit ",
				"Snakemackerel ",
				"Sofacy ",
				"TA422 ",
				"TG-4127 ",
				"Tsar Team ",
				"UAC-0001 "
			],
			"source_name": "Secureworks:IRON TWILIGHT",
			"tools": [
				"Downdelph",
				"EVILTOSS",
				"SEDUPLOADER",
				"SHARPFRONT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ae320ed7-9a63-42ed-944b-44ada7313495",
			"created_at": "2022-10-25T15:50:23.671663Z",
			"updated_at": "2026-04-10T02:00:05.283292Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"APT28",
				"IRON TWILIGHT",
				"SNAKEMACKEREL",
				"Group 74",
				"Sednit",
				"Sofacy",
				"Pawn Storm",
				"Fancy Bear",
				"STRONTIUM",
				"Tsar Team",
				"Threat Group-4127",
				"TG-4127",
				"Forest Blizzard",
				"FROZENLAKE",
				"GruesomeLarch"
			],
			"source_name": "MITRE:APT28",
			"tools": [
				"Wevtutil",
				"certutil",
				"Forfiles",
				"DealersChoice",
				"Mimikatz",
				"ADVSTORESHELL",
				"Komplex",
				"HIDEDRV",
				"JHUHUGIT",
				"Koadic",
				"Winexe",
				"cipher.exe",
				"XTunnel",
				"Drovorub",
				"CORESHELL",
				"OLDBAIT",
				"Downdelph",
				"XAgentOSX",
				"USBStealer",
				"Zebrocy",
				"reGeorg",
				"Fysbis",
				"LoJax"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434478,
	"ts_updated_at": 1775792219,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8927452401e1c3047362e47bedc0ac41038fdf54.pdf",
		"text": "https://archive.orkl.eu/8927452401e1c3047362e47bedc0ac41038fdf54.txt",
		"img": "https://archive.orkl.eu/8927452401e1c3047362e47bedc0ac41038fdf54.jpg"
	}
}