TibCERT Exposes Chinese Surveillance Attack on Tibetan Leader in Exile
By Tenzin Chokyi

DHARAMSALA, 30 July: In a concerning development, cybersecurity experts have revealed that the People’s Republic of China (PRC) is now using advanced cellular network attacks to monitor and intimidate high-ranking Tibetan leaders in exile.
According to a recent report by the Tibetan Computer Emergency Readiness Team (TibCERT), a high-level Tibetan official known for vocal opposition to Chinese policies was targeted in a sophisticated cellular network attack.
The report indicates the attack was orchestrated by the PRC to weaken the Tibetan government in exile and Tibetan civil society by surveilling their communications, tracking their movements, and sowing fear to discourage activism.
The victim, whose identity remains undisclosed for security reasons, contacted TibCERT on March 24, fourteen days after the Dalai Lama of Tibet released his latest book “Voice for the Voiceless”, which prompted strong retaliation from the PRC over authority in the reincarnation process.
The official reported receiving multiple “Welcome to China” roaming messages on their mobile phone, despite not having travelled near any Chinese borders recently. These messages were accompanied by unexplained signal loss and call interference.
According to TibCERT’s cybersecurity experts specialising in Tibetan community digital security, the unusual incident represents part of broader CCP efforts to monitor and intimidate Tibetan leaders in exile. Their report pointed towards a highly advanced cellular network attack, in which the attacker manipulates the mobile network infrastructure itself rather than installing spyware or physical bugs on the device.
The report noted that the attackers might have used the victim’s phone number together with advanced cellular network methods, such as an IMSI catcher or an IPX operator and an HLR query, to identify the target’s IMSI.
They then reportedly exploited telecom network protocols like SS7 and DIAMETER to manipulate the phone’s connection, allowing them to track the victim’s location, monitor movements, and intercept calls or messages, all without interacting with the device itself.
The investigation has yet to determine the exact methods and tools employed by the attackers. TibCERT stated it will continue to engage with relevant authorities to further investigate the incident. The organisation indicated that the issue will also be raised with Indian Cellular Network Operators to highlight the risk of such manipulations and the potential threats they pose to the Tibetan community.
Until stronger protections are in place, the report urgently advises Tibetans, especially high-ranking officials and NGOs, to refrain from displaying organisational phone numbers on visiting cards or public websites, as this significantly increases exposure to cellular network attacks.
The report also recommends the following safety measures to protect against cellular network attacks:
- Use a 4G or 5G phone and turn off 2G/3G in your settings to avoid downgrade-based attacks.
- Set a strong SIM PIN with your mobile provider to prevent unauthorised SIM swaps or changes.
- Keep your phone number private; avoid sharing it publicly or using it for sensitive conversations.
- Keep your phone updated, enable Lockdown Mode (if available), and use tools like SnoopSnitch (Android) to detect suspicious network activity.
- Don’t use SMS for two-factor authentication. Instead, use app-based options like Google Authenticator or a hardware security key.
- For secure messaging, use Signal and share only your Signal ID, not your phone number.