Threat Intelligence Tarot
swords · 13
China (MSS - Tibet-focused)
G0062 ★★★★★
risk 3/5
✦ The Lotus Eye ✦
TA413
LuckyCat · Exile RAT operators
Tibetan government-in-exile · Tibetan NGOs · Dalai Lama offices · Buddhist organizations · Human rights groups
Active since ~2012 · Tibetan diaspora surveillance, Dalai Lama office intelligence, Religious community monitoring
The Lotus Eye was not born in a hack. It was born in a political situation - a diaspora government, a religious leader, a movement that Beijing will not tolerate. It has watched the Dalai Lama's inbox for over a decade. Surveillance as policy, conducted by code.
Tactics & Techniques
RCN · RDV · INI · EXC · PRS · PRV · EVA · CRD · DSC · LAT · COL · C2 · EXF · IMP
Notable Operations
- ◆ GhostNet - 1,295 infected computers in 103 countries (2009, linked operations)
- ◆ Dalai Lama office compromise and communications monitoring
- ◆ COVID-19 themed lures targeting Tibetan organizations (2020)
- ◆ Exile government surveillance ongoing since Tibetan exile
Defenses
- ▸ Hardened endpoint security for civil society and NGO organizations (Access Now Digital Security)
- ▸ Security training for human rights organizations and diaspora groups (NIST SP 800-50)
- ▸ Macro and VBA execution controls (CIS Control 2)
- ▸ Threat intelligence from Citizen Lab for civil society sectors (NIST CSF: ID.RA)
Reversed: Their Weakness
TA413's targeting of Tibetan organizations is so consistent that Citizen Lab and other civil society-focused security researchers have built deep expertise specifically in this threat actor - the human rights community's security posture has improved dramatically because of sustained attention to this threat.
Data sourced from MITRE ATT&CK. For educational purposes.