China is facing criticism for its treatment of the predominantly Muslim Uighur community in Xinjiang. The U.S. has also accused China of committing genocide against the community.
Facebook Inc said on Wednesday it has detected a group of hackers in China that used the platform to hack accounts and distribute malware. They targeted activists, journalists, and dissidents among the Uighurs from Xinjiang, living abroad in several countries including Turkey, Kazakhstan, Syria and the U.S., the company said in a statement.
The hackers, known in the security industry as ‘Earth Empusa’ or ‘Evil Eye’, used various cyber espionage tactics to identify vulnerable targets and infect their devices with malware to enable surveillance, according to Facebook.
“This activity had the hallmarks of a well-resourced and persistent operation while obfuscating who’s behind it,” Facebook’s security team stated.
The hacker group concealed its activity and malicious tools by only infecting people with iOS malware once their devices passed technical checks, such as IP address, operating system, browser and language settings.
It also set up lookalike domains of popular Uighur and Turkish news websites to enable a ‘watering hole attack’. A watering hole attack is when hackers infect websites frequently visited by their intended targets in order to compromise the visitors’ devices. The group also created fictitious accounts posing as journalists, students, human rights advocates or members of the Uighur community to build trust with the people it targeted and trick them into clicking on malicious links, Facebook explained.
The group also set up several fake third-party Android app stores, mimicking legitimate ones, to publish Uighur-themed applications, including a keyboard app and a prayer app. These apps were trojanised with Android malware.
The group used the Android tooling developed by two Chinese companies, Beijing Best United Technology and Dalian 9Rush Technology. These firms are likely part of a sprawling network of vendors, with varying degrees of operational security, Facebook warned.