Join our Mailing List

"As long as human rights are violated, there can be no foundation for peace. How can peace grow where speaking the truth is itself a crime?"

Hack Tibet: Welcome to Dharamsala, ground zero in China's cyberwar.

December 9, 2013

By Jonathan Kaiman

December 4, 2013 — Lobsang Gyatso Sither sits at the front of a Tibetan school auditorium, the bright rectangle of his PowerPoint presentation dimly illuminating the first few rows of students before him. "Never open attachments unless you are expecting them," Sither says. The students nod. A portrait of the Dalai Lama hangs above the stage, framed by flickering electronic candles; a stray dog ambles behind the crowd. "Never give anyone else your passwords," Sither says, clicking to a new slide, which explains the dangers of using an unfamiliar thumb drive. "The Chinese government or others could take control of your computer."

 

Welcome to Dharamsala, population 20,000 and one of the most hacked places in the world. This small city in India's lush Himalayan foothills is home to the Dalai Lama, the exiled Tibetan spiritual leader; the Central Tibetan Administration, or CTA (formerly called the Tibetan government in exile); and a host of Tibetan media outlets and nongovernmental organizations, some of which the Chinese government classifies as terrorist groups. The Dalai Lama fled here in 1959 after communist troops violently suppressed an uprising in Lhasa, now the capital of western China's Tibetan Autonomous Region. India embraced the Dalai Lama as a token of religious diversity, and tens of thousands of refugees followed suit. About 130,000 Tibetans live in exile, according to a 2009 census; Dharamsala is the closest thing they have to a political capital.

 

The city has an ancient feel. Homes cling to precipitous mountain roads that weave through dense cedar forests; macaque monkeys prance among the rooftops. Yet it is changing, moving cautiously into the future. Computers have become ubiquitous. Roadside cafes offer double espressos and wireless Internet (common passwords include "FreeTibet" and "Independence"). Young Tibetans are snapping up iPhones, which, unlike competing devices, offer the option of a Tibetan-language keyboard.

 

Communication between the city's Tibetan community and Tibet itself is easier than it has ever been. Yet the risk of dialing home has never been greater. "If we don't use secure lines of communication, Tibetans in Tibet could be prosecuted" for sending sensitive information abroad, says Sither, a field coordinator for the Tibet Action Institute, a New York-based nonprofit that sponsors education initiatives and trains activists on secure communications systems.

The Chinese government is everywhere and nowhere in Dharamsala, planting malware and intercepting messages in ways that are nearly undetectable and difficult to trace. The CTA's Chinese-language website was hacked in August. Everyone within the Tibetan community is a target, from the Dalai Lama's advisors to any smartphone-wielding refugee.

 

In early November, Tibet's Communist Party chief, Chen Quanguo, proposed a raft of measures to stamp out the Dalai Lama's voice in Tibet, including clamping down on online communications. "Work hard to ensure … that the voice and image of the enemy forces and the Dalai clique are neither seen nor heard," he wrote in Qiushi, a leading party journal.

 

A brutal, centuries-old form of protest has caught fire in Tibet, and Beijing is resorting to tactics both heavy-handed and high-tech to quell the unrest. Since February 2009, at least 120 Tibetans in the Himalayan region have self-immolated to protest Chinese rule -- men and women, old and young, monks and lay people. Chinese authorities have responded violently, deploying troops, cutting phone lines, and forcing monks to undergo draconian "patriotic education" programs. They blame "hostile foreign forces" for inciting the immolations -- mainly from Dharamsala, where advocacy groups gather information about the fiery protests and distribute that information abroad. Experts say that the hacks may be part of an elaborate campaign to identify possible protests and preempt them.

 

Few cyberattacks on Dharamsala are strategically tailored to monitor or control the city's network infrastructure, say experts. The most common attacks are spearphishing attempts: Tibetans, especially those working for the CTA or pro-independence organizations, say they frequently receive strange emails purporting to be from friends or associates. They often contain attachments that, once downloaded, infect the user's computer with malware, allowing a hacker to operate the system remotely. The computer essentially becomes shared; keystrokes are recorded, passwords saved, contacts downloaded. Everything is compromised.

 

Kelsang Aukatsang, a former advisor to the Tibetan prime minister in exile, remembers the shock of realizing that he'd been hacked. In July 2012, Aukatsang sent an email to a U.S. senator to arrange a meeting for the prime minister, Lobsang Sangay. The following morning, the senator received a surprise call from the Chinese Embassy in Washington, urging her not to attend. The meeting ultimately proceeded as planned. "But the bigger point is that they knew -- that exchange got intercepted," Aukatsang said. "You wonder what more you can do to feel safe. There's a real sense of being at risk, of being watched."

 

MORE THAN HALF THE CTA'S COMPUTERS contain some sort of malware, estimates the government in exile's press officer, Tsering Wangchuk. "Most of the key computers in our city, in Dharamsala, are in some way compromised," he says. The administration's technical staff of 13 spends much of its time simply trawling through hard disks, finding and eliminating malicious code. "They go after us all the time, diligently," said another administration employee who requested anonymity. "If with every 100,000 attempts they have one success, they use that one success to exploit everything that they can."

 

Cybersecurity experts call this "advanced persistent threat" (APT) -- a constant onslaught of targeted attacks requiring resources that are normally unavailable to individual hackers. "Dharamsala is ground zero for advanced persistent threat, really," says Greg Walton, a doctoral candidate at Oxford University's Center for Doctoral Training in Cyber Security. Walton traveled to Dharamsala in 2008 to help the Dalai Lama's private office better understand what, and who, had been compromising its systems. His team discovered that the most likely culprit was a shadowy hacker group responsible for a series of network intrusions that American investigators had dubbed "Byzantine Hades." The group, according to U.S. State Department cables released by WikiLeaks, had ties to a unit of the People's Liberation Army, China's military, based in the southwestern Chinese city of Chengdu.

 

Many Dharamsala-based Tibetan NGOs, Walton says, have been attacked by groups that are better known for infiltrating Western corporations, military contractors, and government agencies. One, dubbed "APT1" by cybersecurity firm Mandiant, is an elite cyber-espionage outfit affiliated with the Chinese military. Another group is a corporate espionage unit that allegedly stole secret documents and formulas from major global chemical companies in 2011 in an attack campaign dubbed "Nitro" by computer security firm Symantec. "In the most pessimistic light, there's very little that the Tibetans can do in exile, because they're so under-resourced," says Walton. "If you have a situation where the State Department or the Pentagon is being compromised by the same groups, what hope do refugees in the foothills of the Himalayas have to deal with that problem?" He describes China's APT strategy as gathering "a thousand grains of sand," hoping that some piece of information, no matter how small, will bear strategic value.

CTC National Office 1425 René-Lévesque Blvd West, 3rd Floor, Montréal, Québec, Canada, H3G 1T7
T: (514) 487-0665   ctcoffice@tibet.ca
Developed by plank