Facebook may be banned in China, but the company said on Wednesday that it had disrupted a network of malicious actors using its platform to target the Uyghur community and lure them into downloading malicious software that would allow surveillance of their devices.

“They mainly targeted activists, journalists and dissidents among Xinjiang’s Uyghurs from China who live abroad, mainly in Turkey, Kazakhstan, the United States, Syria, Australia, Canada and other countries,” Facebook’s Head of Cyber Espionage Investigations, Mike Dvilyanski, and Head of Security Policy, Nathaniel Gleicher, said. “This group used various cyber espionage tactics to identify its targets and infect their devices with malware to enable surveillance.”

The social media giant said the “ongoing and well-resourced operation” overlapped with a threat actor called Evil Eye (or Earth Empusa), a China-based group known for its history of espionage attacks against the country’s Muslim minority since at least August 2019 via “strategically compromised websites,” exploiting iOS and Android devices as an attack surface to gain access to Gmail accounts.

The revelations come days after the European Union, the U.K., the United States, and Canada jointly announced sanctions against several senior Chinese officials over human rights abuses against Uyghurs in the Chinese region of Xinjiang.

Evil Eye is said to have used a multi-pronged approach to stay under the radar and conceal its malicious intent, posing as journalists, students, human rights advocates, or members of the Uyghur community to build trust with targeted victims before luring them into clicking malicious links.

Apart from its social engineering efforts, the group also leveraged a network of malware-laden websites, compromised legitimate websites, and lookalike domains of popular Uyghur and Turkish news sites, used as watering holes to attract and selectively infect iPhone users based on specific technical criteria, including IP address, operating system, browser, country, and language settings.

“Some of these web pages contained malicious JavaScript code similar to previously reported exploits, which installed iOS malware called INSOMNIA on people’s devices once they were compromised,” the company noted. Insomnia comes with capabilities to exfiltrate data from a variety of iOS apps, such as Contacts, Location, and iMessage, as well as third-party messaging clients such as Signal, WhatsApp, Telegram, Gmail, and Hangouts.

Separately, Evil Eye also set up lookalike third-party Android app stores to publish Uyghur-themed applications such as a keyboard app, a prayer app, and a dictionary app, which were used to deliver two Android malware strains, ActionSpy and PluginPhantom. Further investigation into the Android malware families and the attack infrastructure linked them to two Chinese companies, Beijing Best United Technology Co., Ltd. (Best Lh) and Dalian 9Rush Technology Co., Ltd. (9Rush).

“These companies in China are likely to be part of a dispersed network of vendors, with varying degrees of operational security,” the researchers noted.

As countermeasures, the company said it was blocking the malicious domains in question from being shared on its platform, disabling the offending accounts, and notifying about 500 people targeted by the adversary.

This is not the first time Facebook has exposed technology companies acting as fronts for state-sponsored hacking activity. In December 2020, the social network formally linked the OceanLotus group to an information technology company called CyberOne Group in Vietnam.
