Full Report
The digital forensics company known as Meiya Pico won a contract in mid-2023 to build two labs at the Tibet Police College: one on offensive and defensive cyber techniques and the other on electronic evidence collection and analysis.
Analysis Summary
# Threat Actor: Meiya Pico (SDIC Intelligence Xiamen Information Co Ltd)
## Attribution & Identity
* **Attribution:** Chinese state-owned company.
* **Known Aliases:** SDIC Intelligence Xiamen Information Co Ltd (Primary corporate name).
* **Associations:** Previously sanctioned by the U.S. Treasury and added to the Commerce Department's Entity List for its role in the surveillance of ethnic and religious minorities. Conducts cyber training abroad under China's Belt and Road Initiative.
## Activity Summary
In mid-2023 Meiya Pico won a contract with the Tibet Police College to build two specialized labs: one for offensive and defensive cyber techniques, the other for electronic evidence collection and analysis. This suggests a direct hand-off of surveillance and cyber capabilities to local police in Tibet, rather than the contractor-for-hire model seen in other high-profile Chinese hacking operations (e.g., the i-Soon leaks). The company also delivers cyber training worldwide as part of the Belt and Road Initiative.
## Tactics, Techniques & Procedures
* **Digital Forensics & Evidence Collection:** Supplying hardware and training for scanning electronic devices and for storing and analysing the evidence extracted from them.
* **Surveillance Tool Deployment:** Allegedly installing invasive spyware on mobile devices.
* **Cyber Training:** Providing training on offensive and defensive cyber techniques to government/police entities.
* **Information Harvesting (via MFSocket):** Harvesting call logs, messages, and GPS locations from targeted phones.
* **Cyber Range Implementation:** Installing cyber range servers and intrusion simulation software for advanced training.
## Targeting
* **Sectors:** Customers are law enforcement and police training institutions; surveillance targets are ethnic and religious minorities (Uyghurs, Tibetans).
* **Geography:** Operations are centred on China (including Tibet); training is delivered in 30 countries.
* **Victims:** Tibetan dissidents (domestic and abroad); ethnic and religious minorities in China (Uyghurs).
## Tools & Infrastructure
* **Malware Families used:** MFSocket (spyware application allegedly installed on target smartphones).
* **Infrastructure:** Servers for cyber range, network switches, intrusion simulation software, forensic workstations, and evidence storage systems (for the Tibet Police College labs).
## Implications
Meiya Pico is a key enabler of the Chinese government's surveillance apparatus, both at home and abroad. By training foreign police forces and local security organs (such as those in Tibet) in advanced cyber techniques and supplying its proprietary intrusive tools, it lowers the barrier to entry for sophisticated state surveillance. The report identifies the tools and tactics tested on populations such as Tibetans as potential future cyber threats that could be deployed globally.
## Mitigations
* **Supply Chain Scrutiny:** Organizations and governments should closely scrutinize any contract or technology supplied by Meiya Pico or related Chinese state-owned digital forensics vendors.
* **Mobile Security Audits:** Increase vigilance for intrusive spyware such as MFSocket on mobile devices, especially for personnel travelling in, or communicating with contacts in, regions where this tooling is deployed (China, including Tibet).
* **International Awareness:** Monitor the training Meiya Pico conducts under the Belt and Road Initiative, which appears to serve as a vector for exporting surveillance capabilities.
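One concrete form the mobile security audit above can take, as an added example that is not part of the report and not Meiya Pico's or MFSocket's own code: a triage script over `adb shell dumpsys package <pkg>` output that flags installed apps whose requested permissions span the three data classes the report attributes to MFSocket (call logs, messages, GPS location), and notes whether the app was sideloaded rather than installed from a store. The mapping from those data classes to standard Android permissions, the `installerPackageName=null` sideload heuristic, and the three sample packages are assumptions and constructed data for illustration; the report gives no package name or signature for MFSocket, so this narrows candidates rather than identifying the app.

```python
"""Triage Android permission dumps for spyware-style data harvesting.

Hypothetical helper (not from the report): given the text of
`adb shell dumpsys package <pkg>` for each installed app, flag apps whose
requested permissions cover call logs, messages and location at once.
"""
from __future__ import annotations

import re

# Standard Android permissions gating the three data classes the report says
# MFSocket harvests. The mapping is an assumption for triage, not a signature.
HARVEST_PERMS = {
    "call logs": {"android.permission.READ_CALL_LOG"},
    "messages": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "location": {
        "android.permission.ACCESS_FINE_LOCATION",
        "android.permission.ACCESS_COARSE_LOCATION",
    },
}

PERM_RE = re.compile(r"(android\.permission\.[A-Z_]+)")


def requested_permissions(dumpsys_text: str) -> set[str]:
    """Collect permission names listed under the 'requested permissions:'
    block of a dumpsys package dump (other blocks such as 'install
    permissions:' are skipped)."""
    perms: set[str] = set()
    in_section = False
    for line in dumpsys_text.splitlines():
        stripped = line.strip()
        if stripped.endswith("permissions:"):
            # Every permissions block starts with a '<kind> permissions:' header.
            in_section = stripped.startswith("requested permissions")
            continue
        if in_section:
            match = PERM_RE.search(stripped)
            if match:
                perms.add(match.group(1))
    return perms


def is_sideloaded(dumpsys_text: str) -> bool:
    """Heuristic (assumption): apps installed over adb/USB rather than from a
    store show installerPackageName=null in dumpsys."""
    return "installerPackageName=null" in dumpsys_text


def harvest_coverage(perms: set[str]) -> set[str]:
    """Which of the harvested data classes the permission set can reach."""
    return {cls for cls, names in HARVEST_PERMS.items() if perms & names}


def flag_packages(dumps: dict[str, str], threshold: int = 3) -> dict[str, dict]:
    """Return packages whose requested permissions span at least `threshold`
    harvested data classes, with the classes reached and a sideload flag."""
    flagged = {}
    for pkg, text in dumps.items():
        cov = harvest_coverage(requested_permissions(text))
        if len(cov) >= threshold:
            flagged[pkg] = {"classes": sorted(cov), "sideloaded": is_sideloaded(text)}
    return flagged


# Constructed dumpsys excerpts for three fictitious packages (not real data).
SAMPLE_DUMPS = {
    "com.example.sideloaded": """\
Package [com.example.sideloaded] (1a2b3c):
  codePath=/data/app/com.example.sideloaded-1
  installerPackageName=null
  requested permissions:
    android.permission.READ_CALL_LOG
    android.permission.READ_SMS
    android.permission.ACCESS_FINE_LOCATION
    android.permission.READ_CONTACTS
  install permissions:
    android.permission.INTERNET: granted=true
""",
    "com.example.messenger": """\
Package [com.example.messenger] (4d5e6f):
  codePath=/data/app/com.example.messenger-1
  installerPackageName=com.android.vending
  requested permissions:
    android.permission.READ_SMS
    android.permission.RECEIVE_SMS
    android.permission.ACCESS_COARSE_LOCATION
  install permissions:
    android.permission.INTERNET: granted=true
""",
    "com.example.maps": """\
Package [com.example.maps] (7a8b9c):
  installerPackageName=com.android.vending
  requested permissions:
    android.permission.ACCESS_FINE_LOCATION
""",
}


if __name__ == "__main__":
    for pkg, info in flag_packages(SAMPLE_DUMPS).items():
        print(f"{pkg}: {', '.join(info['classes'])} (sideloaded={info['sideloaded']})")
```

On a real device, feed the script the output of `adb shell pm list packages -3` followed by `adb shell dumpsys package <pkg>` for each third-party package. A legitimate messenger will often request messages and location, so the default threshold of all three classes plus the sideload flag is what separates a candidate worth manual inspection from ordinary apps; the result is a shortlist, not a verdict.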