Attackers from a group dubbed Poison Carp used one-click exploits and convincing social engineering to target iOS and Android phones belonging to Tibetan groups in a six-month campaign, researchers said. The attacks used mobile platforms to achieve a major escalation of the decade-long espionage hacks threatening the embattled religious community, researchers said.

The report was published on Tuesday by Citizen Lab, a group at the University of Toronto's Munk School that researches hacks on activists, ethnic groups, and others. The report said the attackers posed as New York Times journalists, Amnesty International researchers, and others to engage in conversations over the WhatsApp messenger with individuals from the Private Office of His Holiness the Dalai Lama, the Central Tibetan Administration, the Tibetan Parliament, and Tibetan human rights groups. In the course of the conversation, the attackers would include links to websites that hosted "one-click" exploits—meaning they required only a single click to infect vulnerable phones.

Focused and persistent

None of the attacks Citizen Lab observed was successful, because the vulnerabilities exploited had already been patched on the iOS and Android devices that were attacked. Still, the attackers succeeded in getting eight of the 15 people they targeted to open malicious links, and bit.ly-shortened attack pages targeting iPhone users were clicked on 140 times. The research and coordination that went into bringing so many targeted people to the brink of exploitation suggest that the attackers behind the campaign—which ran from November 2018 to last May—were skilled and well-organized.

In an email, Citizen Lab Research Fellow Bill Marczak wrote:

It was a focused and persistent attempt to compromise the mobile devices of senior members of the Tibetan community. Careful attention was made to the selection of targets and the social engineering. The operators created multiple fake personas and engaged targeted individuals in extensive conversations before sending exploit links. Overall, the ruse was persuasive: in eight of the 15 infection attempts, the targeted persons recall clicking the exploit link. Fortunately, all of these individuals were running non-vulnerable versions of iOS or Android, and were not infected.

The attacks observed by Citizen Lab overlap with those reported three weeks ago by Google Project Zero . The Project Zero post documented in-the-wild attacks exploiting 14 separate iOS vulnerabilities that were used over two years in an attempt to steal photos, emails, log-in credentials, and more from iPhones and iPads.

Researchers with security firm Volexity later reported finding 11 websites serving the interests of Uighur Muslims that the researchers believed were tied to the attacks Project Zero identified. Those sites, Volexity said, targeted both iOS and Android phones.

Significant escalation

Tuesday's report said the same attackers used some of the same malware families—including iOS exploits that required only a single click to infect vulnerable phones—against individuals from Tibetan human rights groups.

"The campaign is the first documented case of one-click mobile exploits used to target Tibetan groups," Citizen Lab researchers wrote. "It represents a significant escalation in social engineering tactics and technical sophistication compared to what we typically have observed being used against the Tibetan community."

Of the 17 intrusion attempts Citizen Lab observed, 12 of them linked to pages hosting an attack chain that combined multiple iOS exploits. All but one of those links were sent over a three-day span in November, and the last one came on April 22. The exploit chain appeared to target iOS versions 11 through 11.4 on seven iPhone models ranging from 6 to X. It appears to correspond to this attack chain documented by Project Zero. By November, the vulnerabilities had already been patched for four months. All of the people targeted were running iPhones that had been patched, Citizen Lab said, and as a result, none of them were infected.

Exploits and encryption

While the exploits were delivered in the clear over HTTP connections, the exploits were also encrypted using an ECC Diffie-Hellman key exchange established by the targeted Web browser and the Poison Carp control server. The encryption would prevent any network intrusion detection systems from detecting malicious code. It would also make analysis of the attacks harder since analysts couldn't reconstruct the malicious code from a network traffic capture alone.

The iOS spyware payload the attackers tried to deliver was similar but not identical to the one from earlier this year described by Project Zero.

"Based on the technical details provided in the Google report, we believe the two implants represent the same spyware program in different stages of development," Citizen Lab researchers wrote. "The November 2018 version we obtained appears to represent a rudimentary stage of development: seemingly important methods that are unused, and the command and control (C2) implementation lacks even the most basic capabilities."

The implant analyzed by Project Zero, by contrast, provided a much fuller suite of capabilities.

The Android exploits, meanwhile, also failed to infect targets. Rather than develop the attacks on their own, Poison Carp members appear to have cribbed from proof-of-concept exploits posted by white hat researchers. One of the Poison Carp attacks used a working exploit published by security firm Exodus Intelligence for a Chrome browser bug that was fixed in source code—but the Exodus patch had not yet been distributed to Chrome users.

Other attacks included what appeared to be modified versions of Chrome exploit code published by two culprits. One appeared on the personal GitHub pages of a member of Tencent's Xuanwu Lab (tracked as CVE-2016-1646), who was also a member of Qihoo 360's Vulcan Team (CVE-2018-17480). The other came from a Google Project Zero member on the Chrome Bug Tracker (CVE-2018-6065).

Never-before-seen Android spyware

Unlike the iOS-based spyware, the spyware implant for Android was full-featured and robust. The spyware was delivered in stages that started with "Moonshine," the name given to the implant's initial binary. To ensure that Moonshine achieves stealthy and rootless operation, it obtains persistence by overwriting a seldom-touched shared library that's used by one of the apps installed on an infected phone. When a target opens the app after being exploited, the app loads the maliciously modified library into memory. The code in later stages of the implant shows that the mechanism works with four apps—Facebook, Facebook Messenger, WeChat, and QQ—but the exploit site Citizen Lab analyzed only delivered exploits for the first two of those apps.

The final stage is a modular Java application that uses a WebSocket connection to establish two-way communications with its control server. After it has downloaded additional plugins, the code has a full range of spying capabilities that include:



uploading SMS text messages, address books, and call logs

spying on the target through the phone's camera, microphone, and GPS tracker

tracking calls received

taking screenshots

executing shell commands

"We believe that the discovery of this Android exploit and spyware kit we dubbed Moonshine represents a previously undocumented espionage tool. Its multi-stage installation approach along with its persistence via shared object library hijacking both suggest a high degree of operational security awareness and skilled development."

Other innovations of the campaign included persuading targets to install a malicious app that used the OAuth open standard to access the target's Gmail account. The ruse appeared to be designed to bypass two-factor authentication protections that require a one-time password or physical security key in addition to a password.

In a statement, Apple representatives wrote: "Our customers' data security is one of Apple's highest priorities, and we greatly value our collaboration with security researchers like Citizen Lab. The iOS issue detailed in the report had already been discovered and patched by the security team at Apple. We always encourage customers to download the latest version of iOS for the best and most current security enhancements."

For their part, Google representatives wrote: "We collaborated with Citizen Lab on this research and appreciate their efforts to improve security across all platforms. As noted in the report, these issues were patched, and no longer pose a risk to users with up-to-date software."

Game changer

While the exploits are among the least impressive parts of the operation observed by Citizen Lab, Poison Carp has proven itself adept at targeting both Tibetans and Uighurs, who, over the past decade, have come to expect being on the receiving end of espionage hacking campaigns. The report said the campaigns are a "game changer" for their ability to use mobile phones to revive the threat.

Tuesday's report added: