Chinese Hackers Used Facebook to Hack Uighur Muslims Living Abroad

Cyber Security

Facebook may be banned in China, but the company on Wednesday said it has disrupted a network of bad actors using its platform to target the Uyghur community and lure them into downloading malicious software that would allow surveillance of their devices.

“They targeted activists, journalists and dissidents predominantly among Uyghurs from Xinjiang in China primarily living abroad in Turkey, Kazakhstan, the United States, Syria, Australia, Canada and other countries,” Facebook’s Head of Cyber Espionage Investigations, Mike Dvilyanski, and Head of Security Policy, Nathaniel Gleicher, said. “This group used various cyber espionage tactics to identify its targets and infect their devices with malware to enable surveillance.”

The social media giant said the “well-resourced and persistent operation” aligned with a threat actor known as Evil Eye (or Earth Empusa), a China-based collective known for its history of espionage attacks against the Muslim minority in the nation at least since August 2019 via “strategically compromised websites” by exploiting iOS and Android devices as attack surface to gain access to Gmail accounts.

The disclosures come days after the European Union, U.K., U.S., and Canada jointly announced sanctions against several senior officials in China over human rights abuses against Uyghurs in the Chinese province of Xinjiang.

Evil Eye is said to have resorted to a multifaceted approach to stay under and conceal its malicious intent by posing as journalists, students, human rights advocates, or members of the Uyghur community to build trust with targeted victims before drawing them into clicking on malicious links.

Besides social engineering efforts, the collective leveraged a network of malware-infested websites, both legitimately compromised websites and lookalike domains for popular Uyghur and Turkish news sites, that were used as a watering hole to attract and selectively infect iPhone users based on certain technical criteria, including IP address, operating system, browser, country, and language settings.

“Some of these web pages contained malicious javascript code that resembled previously reported exploits, which installed iOS malware known as INSOMNIA on people’s devices once they were compromised,” the company noted. Insomnia comes with capabilities to exfiltrate data from a variety of iOS apps, such as contacts, location, and iMessage, as well as third-party messaging clients from Signal, WhatsApp, Telegram, Gmail, and Hangouts.

Separately, Evil Eye also set up lookalike third-party Android app stores to publish trojanized Uyghur-themed applications such as a keyboard app, prayer app, and dictionary app, which served as a conduit to deploy two Android malware strains ActionSpy and PluginPhantom. Further investigation into the Android malware families linked the attack infrastructure to two Chinese companies Beijing Best United Technology Co., Ltd. (Best Lh) and Dalian 9Rush Technology Co., Ltd. (9Rush).

“These China-based firms are likely part of a sprawling network of vendors, with varying degrees of operational security,” the researchers noted.

In a series of countermeasures, the company said it blocked the malicious domains in question from being shared on its platform, disabled the offending accounts, and notified about 500 people who were targeted by the adversary.

This is not the first time Facebook has outed technology firms that operate as a front for state-sponsored hacking activities. In December 2020, the social network formally linked OceanLotus to an information technology company called CyberOne Group located in Vietnam.