Facebook moves against ‘evil eye’ hackers targeting Uyghurs

Since Facebook is banned in China, the company may seem like an unlikely source of information about Chinese hacking campaigns against the country’s ethnic Uyghur minority. On Wednesday, however, the company announced that it had identified recent espionage campaigns targeting the Uyghur community, mainly people living abroad in countries such as Australia, Canada, Kazakhstan, Syria, Turkey and the United States. Facebook attributes the activity to the Chinese hacking group Evil Eye, which has a long track record of targeting Uyghurs.

In mid-2020, Facebook found traces of the campaign on its own services: accounts masquerading as students, activists, journalists and members of the global Uyghur community that attempted to contact potential victims and share malicious links with them. Facebook researchers followed these traces beyond the company’s own ecosystem to Evil Eye’s broader efforts to spread malware and track Uyghur activity.

“We saw this as an extremely targeted campaign,” says Mike Dvilyanski, who leads Facebook’s cyber espionage investigations. “They targeted specific minority communities and they carried out checks to ensure that the targets of this activity match certain criteria, such as geolocation, the languages they speak or the operating systems they use.”

Evil Eye, also known as Earth Empusa and PoisonCarp, is known for its relentless digital assaults on Uyghurs. Its most recent wave of activity began in 2019 and accelerated in early 2020, even as China plunged into lockdowns linked to Covid-19.

Facebook discovered several approaches that Evil Eye took to achieve its goals. The group created fake websites that mimicked popular Uyghur and Turkish news outlets and distributed malware through them. It also compromised legitimate websites trusted by Uyghurs living abroad and used those popular sites to spread malware. Chinese hackers have used this technique, known as a watering hole attack, before in their mass surveillance of Uyghurs. Some of the sites the attackers compromised served previously discovered JavaScript exploits to install iOS malware known as Insomnia on target devices.
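The targeting checks Dvilyanski describes (geolocation, language, operating system) are what separates a watering hole from a mass drive-by: the compromised page profiles each visitor and only serves the exploit to those who fit. The following is an added illustration written for this page, not code recovered from the Evil Eye sites or published by Facebook or FireEye. It models that gate as a pure function over a navigator-like object so it can be run and tested offline; the language tags, country list and iOS version window are assumed placeholders, not values the article reports, and the iOS window stands in for whatever versions a given exploit chain supports. Analysts triaging an injected script look for exactly this shape: a language or locale test, a country test against a lookup result, and a user-agent version check, all evaluated before any payload is fetched.

```javascript
// Added example (not from the article or the campaign): a visitor-gating check
// of the kind described above, as a pure function for offline testing.
//
// ASSUMPTIONS (placeholders, not values reported by Facebook or FireEye):
const TARGET_LANGUAGES = new Set(["ug", "tr"]);          // Uyghur, Turkish (assumed)
const TARGET_COUNTRIES = new Set(["AU", "CA", "KZ", "SY", "TR", "US"]); // the countries the article lists
const IOS_MIN = 12, IOS_MAX = 13;                        // assumed window for an exploit chain

// Extract the iOS version from a user-agent string ("... CPU iPhone OS 13_3 like Mac OS X").
// Returns { major, minor } or null when the UA is not an iOS device.
function iosVersion(userAgent) {
  const m = /\b(?:iPhone|iPad|iPod).*?OS (\d+)[_.](\d+)/.exec(userAgent || "");
  return m ? { major: Number(m[1]), minor: Number(m[2]) } : null;
}

// Primary language subtag of a BCP 47 tag, lower-cased ("ug-CN" -> "ug").
function primaryLanguage(tag) {
  return String(tag || "").split(/[-_]/)[0].toLowerCase();
}

// Decide whether a visitor matches the profile. `nav` mimics window.navigator
// ({ languages, userAgent }); `country` is an ISO 3166-1 alpha-2 code that a
// real script would obtain from a geolocation lookup (assumed here as input).
// Returns which checks failed so the decision can be inspected, not just a boolean.
function classifyVisitor(nav, country) {
  const reasons = [];

  const langs = (nav.languages || []).map(primaryLanguage);
  if (!langs.some(l => TARGET_LANGUAGES.has(l))) reasons.push("language");

  if (!TARGET_COUNTRIES.has(String(country || "").toUpperCase())) reasons.push("geolocation");

  const v = iosVersion(nav.userAgent);
  if (v === null || v.major < IOS_MIN || v.major > IOS_MAX) reasons.push("os");

  return { match: reasons.length === 0, reasons, iosVersion: v };
}

// Constructed sample visitors (not captured traffic).
const SAMPLE_VISITORS = [
  { nav: { languages: ["ug-CN", "en"],
           userAgent: "Mozilla/5.0 (iPhone; CPU iPhone OS 13_3 like Mac OS X) AppleWebKit/605.1.15" },
    country: "tr" },
  { nav: { languages: ["en-US"],
           userAgent: "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36" },
    country: "US" },
];

function classifyAll() {
  return SAMPLE_VISITORS.map(s => classifyVisitor(s.nav, s.country));
}

// Stand-alone run: print the decision for each constructed visitor.
for (const r of classifyAll()) console.log(JSON.stringify(r));
```

In a real watering hole the `match` branch is where the exploit loader would be fetched; the point for defenders is that a page script which consults `navigator.languages`, a geolocation result and the OS version before loading anything else is a selector, and the non-matching visitors (including most sandboxes) see nothing, which is why such sites can stay undetected for long periods.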

Researchers also found impostor Android app stores set up to look like popular sources of Uyghur-related apps, such as community-built keyboard, dictionary and prayer apps. These malicious stores actually distributed two strains of Android spyware known as ActionSpy and PluginPhantom, the latter of which has circulated in various forms for years.

Facebook’s analysis took the company well beyond its own platforms. Its cyberespionage investigation team went so far as to trace the Android malware used in the Evil Eye campaigns to two development companies: Beijing Best United Technology Co., Ltd. and Dalian 9Rush Technology Co., Ltd. Threat intelligence firm FireEye helped uncover these connections. WIRED was unable to immediately reach the two companies for comment. Facebook did not formally link Evil Eye to the Chinese government when it announced its findings on Wednesday.

“In this case, we can see clear links to the [malware development] companies, we can see geographic attribution based on activity, but we can’t really prove who is behind the operation,” says Nathaniel Gleicher, Facebook’s head of security policy. “So what we want to do is give the evidence that we can prove. And then we know there is a larger community that can analyze it and draw the best conclusions based on the patterns and tactics.”

Ben Read, director of analysis at Mandiant Threat Intelligence at FireEye, said in a statement Wednesday: “We believe this operation was carried out in support of the government of the PRC, which frequently targets the Uyghur minority through military cyber espionage activities.” He added that the same hackers are also known to target other groups that the Chinese government perceives as a threat to its regime, such as Tibetans and democracy activists in Hong Kong.
