A Beijing-based Internet company has been implicated in creating a program specifically designed to spy on computers of Tibetan Government-in-Exile and Tibet Support Groups.

The attempt to spy has been done through sending innocuous-looking messages, purportedly from officials of the Tibetan Government-in-Exile (TGIE) and members of Tibet Support Groups (TSG), with subject matters listing current developments, including the recently held Fourth International Tibet Support Group Conference in Prague.

Once attachments to such emails are opened they plant a trojan horse on the computer, which make its content accessible to the internet group in China.

Since the middle of October 2003, officials of TGIE and Tibet supporters have received “emails” from the main website of the Prague conference as well as officials of the Tibetan Department of Information and International Relations, Department of Finance and organizations like the Australia Tibet Council, International Campaign for Tibet, and the Free Tibet Campaign.

These emails come from a Chinese IP and contain attachments that execute “a malicious java script containing JS.Exception.Exploit virus, which is a Trojan Horse that can potentially do anything,” according to one Tibet supporter.

The IP address of the sender was 61.51.129.45, based in Beijing. The attachment was an MDB (database) file.

The site is registered with CNCGROUP Beijing province network:

China Network Communications Group CorporationNo.156,Fu-Xing-Men-Nei Street,Beijing 100031

The technical contact was listed assun ying (suny@publicf.bta.net.cn)Beijing Telecommunication AdministrationTaiPingHu DongLi 18, Xicheng DistrictBeijing 100031Phone: +86-10-66198941Fax: +86-10-68511003

A virus expert has said that the program seems to have been specifically designed to target the Tibet movement, saying it has been not seen anywhere else.

On October 23, 2003, some Tibet supporters received emails from info@tsg2003.org (which is the official website of the Prague Conference) with the subject line “New coordinator to you.”

On October 24, 2003, they received another email supposedly from finance@gov.tibet.net that was, in reality, from an email on etang.com site with the title “coordinators’ details.” The text was about the Prague Conference. Etang.com is a Chinese server. The attachment was also a MDB file.

On October 25, 2003, individuals received emails supposedly from “Sonam N. Dagpo” (diir@diir.gov.tibet.net), who is a senior official of the TGIE, with the title “Draft Press Release.” These emails, too, came from an IP in Beijing. The text was about Prague. Attachment was also an MDB file.

On October 16, 2003, some Tibet supporters received emails supposedly from freetibet@freetibet.org (address of the London-based Free Tibet Campaign) that were also from an email on etang.com. The attachment was an executable (EXE) file.

These are not classic viruses like those that many of us receive daily but messages sent intentionally and specifically, according to a virus expert.

On October 23, 2003, a number of individuals received emails supposedly from tibetcouncil@atc.org.au, which is the site of the Australia Tibet Council.

On October 27, 2003, some TGIE officials and Tibet supporters received emails supposedly from the International Campaign for Tibet “containing” confidential attachments. These were, in fact, similar to the other emails.

This is not the first time that organizations in China have tried to penetrate into the network system of TGIE. Jigme Tsering of the Dharamsala-based Tibetan Computer Resource Centre (TCRC), which administers the computer system of the TGIE, has revealed that there have been repeated attempts in the past to infect TGIE computers with virus in order to obtain information. In an interview to the the UK internet news site The Register in September 2002, Tsering warned that Tibet supporters are being targeted by an unnamed virus, which is designed to fool the unwary by posing as an email from the Dalai Lama’s office.

Responding to Tsering’s charges, the spokesman of the Chinese Foreign Ministry was quoted by AP as saying on September 25, 2002, that she had no details on the accusation and added, “the Chinese government always opposes the activities of hackers.”

On September 27, 2002, Tsering issued a statement detailing Chinese attempts to infiltrate computers of TGIE saying, “A number of targeted computer viruses circulating via email throughout the Tibetan Government-in-exile and Tibetan support groups and related NGOs have been discovered or brought to our attention. These viruses have appeared in a number of variants, indicating a progressive and sustained development process. For example some were taking advantage of known security loopholes in Microsoft software in order to automatically run and are always personalized to impersonate departmental emails following previous attempts to collect email address lists. One variant analyzed was found to have been sourced from the Yunnan Province in China, and was designed to collect information off an infected computer and send it via email to an address in Beijing.”

Following is the full text of the Register article:

China implicated in Dalai Lama hack plot

John Leyden
April 29 2002

China has repeatedly attempted to crack into the Dalai Lama’s computer network, according to its administrators.

Over the last month there have been repeated attempts to infect systems used by the exiled spiritual leader. This takes the form of a computer virus which attempts to send information back to China, Jigme Tsering, manager of the Tibetan Computer Resource Centre told AP.

The centre runs Internet services and administers the computer systems of the spiritual leader’s government-in-exile, located in Dharmsala, India.

Tsering also alleges that Tibetan lobby groups were also targeted by the unnamed virus, which is designed to fool the unwary by posing as an email from the Dalai Lama’s office. Chinese crackers also attempted to break into Tibetan systems in 1999 and 2001, Tsering also believes.

The latest virus-infected emails, capable of lifting confidential files from PCs used by the Centre, were traced back to six different addresses in China, used by government and educational institutions.

This evidence, such as it is, falls short of convincing proof and could be explained by innocent infection of Chinese machines by SirCam, or the like.

AV experts, however, suggest it is possible that China could have developed bespoke malware in an attempt to obtain confidential emails or documents from the Tibetans. Such cyber nasties would have a greater chance of evading detection than well known viruses.

Graham Cluley, senior technology consultant at Sophos AV, said it was more likely that the reports referred to a piece of malicious spyware or Trojan horse than a conventional virus.

Given the political strains between China and Tibet its not surprising that Tsering has drawn the worst possible inference about a darker purpose behind the virus infected emails.

The allegations come at a time of particular political sensitivity. A Tibetan government in exile was established by the Dalai Lama in 1959, following China’s occupation of the mountainous country. AP reports that a delegation of exiled Tibetans is visiting Tibet this month for the first time since 1985.

China has yet to comment publicly on the allegations.