Facebook Blocks Chinese Hackers Who Spied on Uighurs Abroad

Facebook has blocked a group of Chinese hackers who infected the devices of Uighur Muslims living outside the country with surveillance malware in order to spy on them.

Demonstration for the rights of the Uyghurs in Berlin 2020. (Source: Wikimedia Commons)Demonstration for the rights of the Uyghurs in Berlin 2020. (Source: Wikimedia Commons)The social network company’s threat intelligence analysts have attributed the attack to a China-based group of hackers known in the security industry as Earth Empusa or Evil Eye.

“This activity had the hallmarks of a well-resourced and persistent operation while obfuscating who’s behind it,” the company said in a statement. “On our platform, this cyber-espionage campaign manifested primarily in sending links to malicious websites rather than direct sharing of the malware itself,” analysts Mike Dvilyanski and Nathaniel Gleicher said in the statement. 

China has been accused of crimes against humanity or genocide for its continuous persecution of Uighur Muslims in the far western Xinjiang region since in 2017. The goal of the campaign is believed to be the extermination of the minority group.

Facebook explained that hackers abused the platform and selectively targeted activists, journalists and dissidents predominantly among Uighurs living in the United States, Turkey, Kazakhstan, Canada and other countries.

The group set up malicious websites mimicking popular Uighur and Turkish news outlets. They also appeared to have compromised legitimate sites targeting these audiences as part of watering hole attacks, which hackers use to infect websites their targets visit. 

To trick their targets into clicking on malicious links, the hackers approached them via fake Facebook accounts pretending to be journalists, human rights advocates or members of the Uighur community. 

They also imitated third-party Android app stores where they advertised fake keyboard, prayer or dictionary apps that contained malware.

Facebook said that the group’s tactics, techniques and procedures align with the activity that  Earth Empusa or Evil Eye has driven in the past, using multiple Android malware families. 

The tech giant did not mention if these attacks were related in any way to the Chinese government.

“To disrupt this operation, we blocked malicious domains from being shared on our platform, took down the group’s accounts and notified people who we believe were targeted by this threat actor,” the statement said.

Even though this is the first time that Facebook reports this group’s activity, researchers believe Chinese hackers have been using these tactics to target ethnic minorities since 2018. 

Research from the University of Toronto's Citizen Lab found that the group used Whatsapp in the past to approach Tibetans and Uighurs and implemented the same techniques to trick their victims.