Facebook Uncovers Chinese Hacking Operation Targeting Uyghurs

Uyghurs protest (photo: OZAN KOSE/AFP/Getty, file)

Facebook on Wednesday announced its discovery of a “sophisticated covert operation” run by hackers in China to penetrate computers and smartphones owned by Uyghur Muslim activists, journalists, and political dissidents.

Many of the targets lived abroad, including some in the United States.

Voice of America News (VOA) summarized how the scheme worked:

The hackers tried to gain access to the computers and phones by creating fake Facebook accounts for supposed journalists and activists, as well as fake websites and apps intended to appeal to a Uyghur audience. In some cases, the hackers created lookalike websites almost identical to legitimate news sites popular with Uyghurs.

The accounts and sites contained malicious links. If the targets clicked on them, their computers or smartphones would be infected with software allowing the network to spy on the targets’ devices.

The software could obtain such information as victims’ locations, keystrokes and contacts, according to FireEye, a cybersecurity firm that worked on the investigation.
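The lookalike websites described above are something a defender can screen for in links that reach a community's inboxes and chats. The script below is an added example for this article, not code from Facebook, FireEye or VOA; the allow-listed domains and the observed links are constructed placeholders, since the page does not name the news sites that were imitated. It normalizes each hostname (case, diacritics, common visual substitutions) and flags homoglyph variants, legitimate names buried inside a different registrable domain, and near-miss spellings within a small edit distance:

```python
"""Flag look-alike domains in observed links against an allow-list.

Added example for this article; not code from Facebook, FireEye or VOA.
The legitimate domains and the observed links are constructed placeholders,
since the page does not name the news sites that were imitated.
"""
import unicodedata
from urllib.parse import urlsplit

# Constructed allow-list standing in for the legitimate news sites.
LEGIT_DOMAINS = ("uyghur-news.example", "turkistan-times.example")

# Visually similar substitutions seen in look-alike names; multi-character
# sequences are folded first so "rn" -> "m" is applied before "1" -> "l".
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("cl", "d"), ("0", "o"),
               ("1", "l"), ("3", "e"), ("5", "s"))


def normalize(domain: str) -> str:
    """Lower-case, strip accents/diacritics (NFKD), then fold confusables."""
    text = unicodedata.normalize("NFKD", domain.lower())
    text = "".join(ch for ch in text if not unicodedata.combining(ch))
    for src, dst in CONFUSABLES:
        text = text.replace(src, dst)
    return text


def edit_distance(a: str, b: str) -> int:
    """Damerau-Levenshtein (optimal string alignment) distance."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]


def registrable(host: str) -> str:
    """Last two labels of the host (sufficient for single-label TLDs)."""
    return ".".join(host.split(".")[-2:])


def classify(host: str, legit=LEGIT_DOMAINS, max_distance: int = 2):
    """Return (verdict, reason) for one hostname."""
    host = host.lower().rstrip(".")
    reg = registrable(host)
    if reg in legit:
        return "legit", "registrable domain is on the allow-list"
    for good in legit:
        if good in host:
            return "lookalike", f"legitimate domain {good} embedded as a subdomain"
        if normalize(reg) == normalize(good):
            return "lookalike", f"homoglyph variant of {good}"
        good_sld, cand_sld = good.split(".")[0], reg.split(".")[0]
        if good_sld in cand_sld:
            return "lookalike", f"adds tokens around {good}"
        if edit_distance(normalize(cand_sld), normalize(good_sld)) <= max_distance:
            return "lookalike", f"within {max_distance} edits of {good}"
    return "unknown", "no resemblance to allow-listed domains"


def scan_links(urls):
    """Classify the hostname of each URL; returns a list of (host, verdict, reason)."""
    results = []
    for url in urls:
        host = urlsplit(url).hostname or ""
        verdict, reason = classify(host)
        results.append((host, verdict, reason))
    return results


# Constructed sample of links as they might be pulled from messages or pages.
SAMPLE_LINKS = [
    "https://uyghur-news.example/article/1",
    "https://uyghur-nevvs.example/login",
    "http://uyghur-news.example.secure-update.example/app.apk",
    "https://turkistan-tirnes.example/",
    "https://turkistan-timez.example/",
    "https://example.org/",
]

if __name__ == "__main__":
    for host, verdict, reason in scan_links(SAMPLE_LINKS):
        print(f"{verdict:9} {host:45} {reason}")
```

The checks are ordered from strongest to weakest signal, so the first reason reported is the most specific one. For production use, decode IDNA (`xn--`) labels before normalizing and replace the two-label `registrable()` heuristic with a public-suffix list lookup, otherwise country-code second-level domains are mishandled.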

The hacking campaign lasted from 2019 to 2020 and targeted “fewer than 500 people” living in Turkey, Kazakhstan, Syria, Australia, Canada, and other nations, in addition to Uyghurs living in the United States and the Xinjiang province of China, their homeland. Facebook said it shut down the fake accounts used in the attacks and notified the victims.

Facebook identified the hackers as a threat group known to cybersecurity experts as “Evil Eye” or “Earth Empusa.” Another threat group called “PoisonCarp” was responsible for a “separate cluster of activity” detected by investigators. Some analysts believe PoisonCarp is either the same group as Evil Eye or a closely allied offshoot of it.

“This activity had the hallmarks of a well-resourced and persistent operation while obfuscating who’s behind it,” Facebook said, describing malware and tactics similar to previous attacks that served the interests of the Chinese government.

“Specifically, our investigation and malware analysis found that Beijing Best United Technology Co., Ltd. (Best Lh) and Dalian 9Rush Technology Co., Ltd. (9Rush), two Chinese companies, are the developers behind some of the Android tooling deployed by this group,” the Facebook security statement said.

While Facebook stopped short of directly accusing the Chinese government of ordering the attack, cybersecurity firm FireEye – which assisted with the investigation – did conclude Beijing was involved.

FireEye director of analysis Ben Read told The Hill on Wednesday:

We believe this operation was conducted in support of the PRC [People’s Republic of China] government, which frequently targets the Uyghur minority through cyber espionage activity. On several occasions, the Chinese cyber espionage actors have leveraged mobile malware to target Uyghurs, Tibetans, Hong Kong democracy activists and others believed to be threats to the stability of the regime.

The Hill noted several other cybersecurity firms have discovered hacking campaigns from the Evil Eye/Earth Empusa threat group directed against Uyghurs and activists working on their behalf, including “widespread surveillance of the Uyghur community.”

Wired noted on Wednesday that Evil Eye is “notorious for its unrelenting digital assaults on Uyghurs,” and its attacks did not diminish at the height of the coronavirus epidemic in China. According to Facebook security experts, the newly uncovered hacking campaign was precisely tailored to hit the Uyghur community, with care taken to ensure the targets “fit certain criteria, like geolocation, languages they spoke, or operating systems they used.”
