AidInfoSec Attack Database: Attack detail

Attack Date: January 2018
Location: Unknown
Target organisation: Tibetan human rights group (Name unknown)
Attack category: Active attack
Surface Type: iOS and Android devices

Additional notes on attack

Watering hole attack. "The campaign, carried out by what appears to be a single operator that we call POISON CARP, sourced some exploits from working exploit code posted publicly by security researchers on bug trackers and GitHub pages. The Android exploits, which targeted Facebook’s in-app browser, installed a hidden payload inside the Facebook app, which used the app’s existing permissions to steal SMS text messages, address books, and call logs, and spy on the target through their phone’s camera, microphone, and GPS. The exploits, spyware, and infrastructure used by POISON CARP link it to two recently reported digital espionage campaigns targeting Uyghur groups: the iOS exploit and spyware we observed was used in watering hole attacks reported by Google Project Zero, and a website used to serve exploits by POISON CARP was also observed in a campaign called “Evil Eye” reported by Volexity."

Harm: Unknown
Notes: Harms linked to surveillance of individuals and organisations unknown
Actor type: State Actor
Attacker agenda: State Activity

Additional information

"Between November 2018 and May 2019, senior members of Tibetan groups received malicious links in individually tailored WhatsApp text exchanges with operators posing as NGO workers, journalists, and other fake personas. The links led to code designed to exploit web browser vulnerabilities to install spyware on iOS and Android devices, and in some cases to OAuth phishing pages. This campaign was carried out by what appears to be a single operator that we call POISON CARP. We observed POISON CARP employing a total of eight Android browser exploits and one Android spyware kit, as well as one iOS exploit chain and iOS spyware. None of the exploits that we observed were zero days. POISON CARP overlaps with two recently reported campaigns against the Uyghur community. The iOS exploit and spyware we observed was used in watering hole attacks reported by Google Project Zero, and a website used to serve exploits by POISON CARP was also observed in a campaign called “Evil Eye” reported by Volexity. The Android malware used in the campaign is a fully featured spyware kit that has not been previously documented. POISON CARP appears to have used Android browser exploits from a variety of sources. In one case, POISON CARP used a working exploit publicly released by Exodus Intelligence for a Google Chrome bug that was fixed in source, but whose patch had not yet been distributed to Chrome users. In other cases, POISON CARP used lightly modified versions of Chrome exploit code published on the personal GitHub pages of a member of Qihoo 360’s Vulcan Team, a member of Tencent’s Xuanwu Lab, and by a Google Project Zero member on the Chrome Bug Tracker."

Source: Organization disclosure
Source name: Citizen Lab, University of Toronto
Source URLs:
Further information: Citizen Lab was first alerted to the suspicious WhatsApp messages by the Tibetan Computer Emergency Readiness Team (TibCERT), a coalition of Tibetan organisations working to improve digital security through incident response collaboration and data sharing.