China-linked hackers target journalists and activists in widespread phishing campaigns

Hackers linked to the Chinese government orchestrated two widespread phishing campaigns targeting journalists and opposition activists over a nine-month period.

The report, published by Citizen Lab in collaboration with the International Consortium of Investigative Journalists (ICIJ), identified more than 100 malicious domains used to carry out the operations. The campaigns primarily focused on journalists and members of diaspora communities from Tibet, Taiwan, Hong Kong, and the Uyghur region.

The goal of the attacks was to steal login credentials and potentially enable cyberespionage in the interests of the Chinese government.

The investigation uncovered two distinct threat actors, dubbed “Glitter Carp” and “Sequin Carp.” The Glitter Carp group leveraged convincing digital impersonation tactics in its phishing emails, such as posing as trusted individuals and mimicking security alerts from major technology companies. Targets included journalists reporting on China-related issues and activists from the affected diaspora groups.

Separate findings from cybersecurity firm Proofpoint indicate that Glitter Carp has also targeted Taiwan’s semiconductor sector.

“We assess that the group behind this activity likely focuses exclusively on initial access to email-based accounts. This tactic may indicate a specific contract within China’s Military-Civil Fusion system that leverages civilian contractors, with other groups perpetuating DTR such as targeted surveillance, device compromise, and coordinated harassment campaigns,” Citizen Lab says.

The Sequin Carp campaign relied on fabricated personas and topical narratives designed to engage journalists covering China. However, researchers noted that this group frequently made operational errors, reducing the effectiveness of its efforts.

Both groups employed a social engineering technique that tricks victims into granting a third-party application an OAuth token for their account. This method gives attackers persistent access to the email account through legitimate authentication systems, so no password is stolen and the intrusion is harder to detect.
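As an added illustration of the defensive side of this technique (not code from the Citizen Lab/ICIJ report), the following audit flags consent grants that give a non-allow-listed application mailbox access, treating a refresh-token grant as high severity because it persists across password changes. The JSON-lines log format, its field names and the sample events are assumptions constructed for the example; the scope strings are real Microsoft Graph and Google OAuth scope names.

```python
import json

# Mailbox-read scopes (real Microsoft Graph and Google OAuth scope names).
MAIL_SCOPES = {
    "Mail.Read", "Mail.ReadWrite", "Mail.Read.Shared",
    "https://www.googleapis.com/auth/gmail.readonly",
    "https://mail.google.com/",
}
# A refresh token makes the grant persistent: it outlives a password reset.
PERSISTENT_SCOPE = "offline_access"

def assess_consent(event):
    """Flag a grant that hands mailbox access to a non-allow-listed app."""
    scopes = set(event.get("scopes", []))
    mail = scopes & MAIL_SCOPES
    if not mail or event.get("allow_listed"):
        return None
    persistent = PERSISTENT_SCOPE in scopes
    return {
        "user": event["user"],
        "app": event["app_name"],
        "mail_scopes": sorted(mail),
        "persistent": persistent,
        "severity": "high" if persistent else "medium",
        "response": "revoke grant, invalidate refresh tokens, review "
                    "mailbox forwarding rules and recent sign-ins",
    }

def audit_consent_log(lines):
    """Run assess_consent over JSON-lines audit events (assumed log format)."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        event = json.loads(line)
        if event.get("event") != "oauth_consent_granted":
            continue  # sign-ins and other events are out of scope here
        finding = assess_consent(event)
        if finding:
            findings.append(finding)
    return findings

# Constructed sample events, not real telemetry; app ids are placeholders.
SAMPLE_LOG = """
{"event": "oauth_consent_granted", "user": "reporter@example.org", "app_name": "Notes Sync", "app_id": "PLACEHOLDER-1", "allow_listed": false, "scopes": ["User.Read", "Mail.Read", "offline_access"]}
{"event": "sign_in", "user": "reporter@example.org", "result": "success"}
{"event": "oauth_consent_granted", "user": "editor@example.org", "app_name": "Calendar Helper", "app_id": "PLACEHOLDER-2", "allow_listed": true, "scopes": ["Calendars.Read", "Mail.Read"]}
{"event": "oauth_consent_granted", "user": "editor@example.org", "app_name": "Mail Export", "app_id": "PLACEHOLDER-3", "allow_listed": false, "scopes": ["https://www.googleapis.com/auth/gmail.readonly"]}
"""
```

Running `audit_consent_log(SAMPLE_LOG.splitlines())` returns two findings: the "Notes Sync" grant as high severity (mail scope plus refresh token) and "Mail Export" as medium, while the allow-listed "Calendar Helper" grant is not flagged.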
