Spyware as Service: What the i-Soon Files Reveal About China’s Targeting of the Tibetan Diaspora

Data from the i-Soon leak has been linked to previous Advanced Persistent Threat (APT) campaigns targeting the Central Tibetan Administration (CTA), the Private Office of the Dalai Lama, and Tibetan and Uyghur civil society networks. Palo Alto’s Unit 42 were the first to report, with a high degree of confidence, that i-Soon is connected to an APT group known as Poison Carp.[1] This attribution is based on forensic evidence surfaced in the i-Soon dump linking the company to targeting infrastructure attributed by Citizen Lab to Poison Carp,[2] a Chinese threat group hitherto principally known for targeting the mobile phones of Tibetan[3] and Uyghur[4] social movement networks.

The targeting of the mobile phones of CTA officials from 2018 onwards represents a significant shift in the tactics used by threat actors, signaling an adaptation to modern communication methods and an understanding of the increasing reliance on mobile devices for both personal and professional activities. i-Soon’s compromise of mobile devices would facilitate the collection of large amounts of highly sensitive information about civil servants, which would put them, and those in their social network, at significant risk.

A key white paper found in the i-Soon data delineating its product’s capabilities uses the compromised email inboxes of exiled Tibetan individuals as a case study, demonstrating the product’s ability to manage and analyse “massive” data collections on a “terabyte-scale.” This capability is tailored to the extensive demand of China’s domestic- and foreign-facing intelligence agencies (i-Soon’s clients) to mine substantial volumes of intercepted email data and to map in detail the social networks of targeted individuals.

The use of novel intelligence tactics against diaspora populations before global deployment also suggests an approach to cyber operations in which vulnerable populations serve almost as laboratories for China to refine its espionage capabilities. When applied to operations directed at Dharamsala, such testing could not only yield intelligence about Tibetan exiles, but also enhance the sophistication of China’s cyber arsenal, reducing the risk of detection and attribution in global operations against better resourced defenses.

The analysis of the interpersonal relationships within target networks of Tibetans in exile, as deployed by i-Soon, mirrors the oppressive securitization methods used in Tibet. As i-Soon’s customers include the Public Security Bureau of the Tibet Autonomous Region, it is plausible that the web of personal and professional connections surfaced from the compromised inboxes of senior Tibetan civil servants in India could later have been ingested into a known big data policing platform. This platform is instrumental in a campaign that criminalizes even moderate cultural and religious expression and language rights advocacy, and, crucially, surfaces links to exile Tibetan networks.

The Central Tibetan Administration and the Dalai Lama’s personal office have been under digital threat for twenty-five years, with the GhostNet operation that infected computers in the Dalai Lama’s office making global headlines in 2009. The first public recognition of these security challenges in the early 2000s predated warnings from Western intelligence services about such intrusions. Today’s threats, however, are defined by their complexity and stealth, exploiting both known and unknown vulnerabilities in networked systems.

i-Soon data files offer a glimpse, perhaps for the first time in the public domain, of the upstream APT analytics capabilities of the Party state, offering a new understanding of the processing and utilization of data exfiltrated by APT groups for i-Soon’s Chinese intelligence and military customers. This also highlights the involvement of commercial enterprises in cyber espionage activities, including significant insight into Beijing’s use of complex AI-driven surveillance systems[5] to enforce political controls over PRC ethnic minority populations, not just within its own borders, but also internationally, in the diaspora(s). Demonstrating sophisticated technologies on vulnerable peripheral communities like Tibetans and Uyghurs appears to be a strategic move for corporate entities like i-Soon to advance their corporate interests.

The i-Soon leak highlights the cybersecurity threats faced by the Tibetan administration in exile, which emphasize not only the imperative for cybersecurity but also the profound consequences of cyber espionage for vulnerable populations. These threats accentuate the need for heightened vigilance and international cooperation to fortify the digital defenses of those at risk.

Digital transnational repression targeting the Tibetan and Uyghur diaspora serves as a “canary in the digital coalmine” for democracies. Early warning capacity built into these digital diasporas could have surfaced these threats and led to a coordinated response in the West much sooner. Reports by Tibetan and Uyghur sources detailing digital threats from Beijing predated by several years Western intelligence’s public warnings of China’s cyber espionage targeting the corporate sector.