MUMBAI:

Seven months ago, Tenzin Dalha, a research fellow at the Tibet Policy Institute in Dharamshala, received a WhatsApp message from a person who claimed to be a journalist working with the Sing Tao Daily in Hong Kong. The person wanted Dalha to answer a few questions about himself and Tibet as part of a survey. Dalha, who is part of an experienced group of cyber security researchers, knew, however, that the message was malware used to spy on activists and sympathisers of Tibet groups who were anti-China.

“I found myself under surveillance as I received random messages and links from numbers either associated from China or registered in Tibet,” Dalha told ET in a phone interview. “The malware received were mostly in WhatsApp and the Chinese social messaging app WeChat,” he added.

Dalha told ET that WhatsApp had not reached out to him or other Tibetan activists who were victims of the malware.

Since attackers quickly change their methods, which are often designed to target a large number of victims at once, researchers like him follow simple techniques to ward off these attacks, such as not clicking on unknown links and reporting them to tech experts, Dalha said. Dalha said he got to know of the breach through Citizen Lab, the research organisation under the University of Toronto.

WhatsApp itself had alerted some other activists last year about the Pegasus malware, allegedly developed by Israel-based NSO Group. As reports emerged last week that WhatsApp had sued the firm, accusing it of hacking nearly 1,400 users including several journalists, activists and diplomats (also in India), conversations with a few Tibetan activists revealed that WhatsApp had been exposed to snooping by surveillance companies based out of China.

Citizen Lab published a report in September saying senior members of Tibetan groups had received malicious links in individually tailored WhatsApp text exchanges between November 2018 and May 2019, with operators posing as workers of non-governmental organisations, journalists, and using other fake identities.

The links led to code designed to exploit web browser vulnerabilities to install spyware on Apple iOS and Android devices. The campaign, which Citizen Lab termed POISON CARP, is believed to have been carried out by a single operator.