Facebook disrupts Beijing's Uyghur hacking campaign

Facebook said its security team discovered and took down a network of Facebook accounts that were being used by Chinese state-sponsored operatives to hack and compromise the devices of the Chinese Uyghur minority, but also Uyghurs living abroad.

"They targeted activists, journalists and dissidents predominantly among Uyghurs from Xinjiang in China primarily living abroad in Turkey, Kazakhstan, the United States, Syria, Australia, Canada and other countries," said Mike Dvilyanski, Head of Cyber Espionage Investigations, and Nathaniel Gleicher, Head of Security Policy.

Chinese hackers used fake Facebook accounts

Facebook said the Chinese hackers created fake accounts on Facebook, posing as journalists, students, human rights advocates, or members of the Uyghur community.

After gaining their targets' trust, they lured users on clicking links to malicious sites, usually impersonating news portals, where they executed a watering hole attack to install malware on their devices.

Facebook said its security teams linked the threat actors behind these fake accounts to a well-known Chinese cyber-espionage group known to cybersecurity firms as Earth Empusa and Evil Eye.

The hacking campaign aimed at the Chinese Uyghur community described in Facebook's report today isn't new. It first came to light in August 2019, initially exposed by Google, and later also documented in reports from Volexity and Trend Micro.

Previous reporting confirms the group's heavy usage of watering hole attacks on websites popular with the Uyghur community.

The reports also revealed that not all users were targeted in these attacks, but only those accessing the sites from certain IP ranges and with certain types of devices, known to be vulnerable to certain types of attacks and zero-days, with the Chinese hackers filtering out potential non-Uyghur targets.

While Google discovered the attacks due to a string of iOS zero-days, Volexity later confirmed that both Android and Windows users were targeted alike, in one of the largest surveillance operations observed in recent times.

Facebook uncovers frontend companies behind attack infrastructure

But Facebook today also said that the Chinese hackers didn't limit themselves to watering hole attacks via news sites, and they also created third-party Android app stores that spread Android apps laced with spyware, such as ActionSpy or PluginPhantom.

Facebook's security team said that during its investigation, together with US security firm FireEye, it was able to link these Android spyware strains and attack infrastructure to two Chinese companies that appeared to have developed the attack tooling for the Beijing government's broad Uyghur surveillance efforts.

According to Facebook, the two companies are Beijing Best United Technology Co., Ltd. (Best Lh) and Dalian 9Rush Technology Co., Ltd. (9Rush).

"These China-based firms are likely part of a sprawling network of vendors, with varying degrees of operational security," Dvilyanski and Gleicher said today.

This is the second time that the social network ousts a state-sponsored hacking operation. In December 2020, the social network exposed Vietnamese company CyberOne Group as a contractor for the Hanoi government and the entity behind the APT32 cyber-espionage group.

Facebook's revelations today come one day after the US and some of its allies announced sanctions against the Chinese government for its human rights abuses against the Uyghur population, such as the detention of millions of Uyghurs in forced labor and reeducation camps.