Virtual Event: Threat Detection and Incident Response Summit - Watch Sessions
Connect with us

Hi, what are you looking for?



Official Tibetan Website Compromised in Watering Hole Attack

Central Tibetan Administration Website (Tibet.Net) Compromised In Watering Hole Attack

Central Tibetan Administration Website (Tibet.Net) Compromised In Watering Hole Attack

The website for the Central Tibetan Administration, the official site belonging to the Dalai Lama’s government in exile, was compromised by attackers who injected code that redirected Chinese speaking visitors to a Java exploit that drops a malicious backdoor.

Kaspersky Lab shared details of the attack on Monday and said the attack “strategically compromised” the website, which provides information about the parliament, cabinet, administrative departments and public offices of the Dalai Lama’s government in exile.

Kurt Baumgartner, a researcher at Kaspersky Lab, called the selection of placement for the malicious code “fairly extraordinary”.

“We are a prominent target for attacks by Chinese hackers,” Tashi Phuntsok, a spokesman for the exiled government, told AFP. “I assume they do it to steal our documents, disable our communication systems or spy on people who visit our sites,” he added.

According to Baumgartner, the attack was highly targeted and leveraged an embedded iframe that redirects “xizang-zhiye(dot)org” visitors (the CN-translated version of the site) to a java exploit that maintains a backdoor payload in attempt to infect unsuspecting visitors. Hacked

“The Java exploit being delivered is the 212kb “YPVo.jar” (edd8b301eeb083e9fdf0ae3a9bdb3cd6), which archives, drops and executes the backdoor as well,” Baumgartner noted a blog post on the Kaspersky-run Securelist website. “That file is a 397 kb win32 executable ‘aMCBlHPl.exe’ (a6d7edc77e745a91b1fc6be985994c6a) detected as “Trojan.Win32.Swisyn.cyxf”. Backdoors detected with the Swisyn verdict are frequently a part of APT related toolchains, and this one most certainly is.”

Advertisement. Scroll to continue reading.

Interestingly, the English and Tibetan versions of the website did not serve up the malicious embedded iframe.

The Java exploit appears to attack CVE-2012-4681, an older vulnerability which Kaspersky Lab says was used by the actor distributing the original CVE-2012-4681 zero-day Gondzz.class and Gondvv.class last August.

“The Payload.main method contains some interesting but simple capabilities that enable an attacker to download the payload over https and AES decrypt it using Java’s built-in AES crypto libraries, but the package is not configured to use that code in this case,” Baumgartner continued. “Instead, a couple of lines in its configuration file direct the exploit to drop and execute the jar file’s win32 exe resource.”

Baumgartner said the backdoor itself is incorrectly detected by many AV vendors as variants of gaming password stealers.

The related command and control server is located at, a domain that resolves to the IP address, which based on SecurityWeek’s analysis, is located at “New World Telephone” in Hong Kong .

“This threat actor has been quietly operating these sorts of watering hole attacks for at least a couple of years and also the standard spear phishing campaigns against a variety of targets that include Tibetan groups,” Baumgartner added.

SecurityWeek has previously covered several attacks targeting Tibetan activists, including one that leveraged Twitter, a 2012 attack that targeted Mac OS users, and a March 2013 attack that leveraged Android malware, along with several others.

The Dalai Lama’s official website did not appear to be affected by the attack.

In 1959, the Dalai Lama fled Tibet after a failed uprising against Chinese rule, offered refuge later by India where founded the government in exile in Dharamshala. China accuses the Dalai Lama as being a “separatist” who provokes violence in Tibet, while the Dalai Lama maintains a position that his goal is a peaceful attempt to operate his homeland.

Written By

For more than 10 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.

Artificial Intelligence

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.

Artificial Intelligence

The degree of danger that may be introduced when adversaries start to use AI as an effective weapon of attack rather than a tool...