Facebook has taken action against a group of hackers in China that targets the Uyghur ethnic group with cyber-espionage activity.
The company took down numerous fake profiles used to spread espionage malware.
The hacking group, known as Earth Empusa or Evil Eye, was targeting activists, dissidents & journalists involved in the Uyghur community, primarily those living abroad in Australia, Canada, Kazakhstan, Syria, Turkey & the US, among other countries, by using fake Facebook accounts posing as people sympathetic to the Uyghur community.
Malicious Links
Facebook said Wed. that the group was sending malicious links in Facebook messages that, if clicked, led to espionage-focused malware infections.
The malicious links led to look-alike domains for popular Uyghur & Turkish news sites, according to Facebook, as well as to compromised legitimate websites.
JavaScript Code
“Some of these webpages contained malicious JavaScript code that resembled previously reported exploits, which installed iOS malware known as Insomnia on people’s devices once they were compromised,” stated Mike Dvilyanski, Head of Cyber-Espionage investigations & Nathaniel Gleicher, Head of Security Policy, writing in a joint Facebook posting.
This was done with selective targeting, according to the post: “This group took steps to conceal their activity & protect malicious tools by only infecting people with iOS malware when they passed certain technical checks, including IP address, operating system, browser, & country & language settings.”
Malware Attacks
Facebook took down the fake profiles, but it also found websites set up by the group that impersonate 3rd-party Android app stores, where they published Uyghur-themed applications. These included a keyboard app, a prayer app & a dictionary app, states the posting, each trojanised with one of 2 Android malware strains, ActionSpy or PluginPhantom.
The Uyghurs, a Turkic minority ethnic group affiliated with Central & East Asia, have previously been targeted in other mobile spyware attacks, including by an ActionSpy campaign seen as recently as June.
Beijing Best United Technology
Analysis of the latest Android malware found that Beijing Best United Technology Co. & Dalian 9Rush Technology Co. are the developers behind some of the tools deployed by Earth Empusa, according to Facebook.
“These China-based firms are likely part of a sprawling network of vendors, with varying degrees of operational security,” the 2 wrote, adding that FireEye lent threat intelligence insight that informed Facebook’s assessment.
Malicious Mobile Applications
“FireEye uncovered an operation targeting the Uyghur community & other Chinese speakers through malicious mobile applications that were designed to collect extensive personal information from victims including GPS location, SMS, contacts lists, screenshots, audio & keystrokes,” commented Ben Read, Director of Analysis at Mandiant Threat Intelligence.
“This operation has been active since at least 2019 & is designed for long term persistence on victim phones, enabling the operators to gather vast amounts of personal data.”
He added that FireEye believes the activity is state-sponsored. “On several occasions, the Chinese cyber-espionage actors have used mobile malware to target Uyghurs, Tibetans, Hong Kong democracy activists & others believed to be threats to the stability of the regime,” he concluded.