A World Uyghur Congress demonstration in Munich, Germany, in December 2023. Image: @UyghurCongress / X

Cyber-espionage campaign found targeting exiled Uyghurs

Senior members of an international organization for exiled members of China’s Uyghur ethnic minority were targeted in March with a spearphishing campaign designed to install Windows-based malware that would allow the targets to be remotely surveilled.

The campaign, which began last May or potentially even earlier, involved a file mimicking an authentic Uyghur-language open source word processing and spellcheck tool, according to the Citizen Lab, a University of Toronto-based research institute specializing in digital repression and forensics.

The Chinese government has a history of using malware and other digital means to spy on Uyghurs, a mostly Muslim minority who have been historically repressed and sent to “reeducation” camps. 

The group targeted in the spearphishing campaign was the World Uyghur Congress, which has offices in Germany and London. The word processing and spell checking tool was “originally built by a developer known and trusted by” the targets, the Citizen Lab said.

The malware was not sophisticated, but the delivery mechanism was very tailored to the targets, the researchers said. The exiles became aware of the campaign after receiving Google threat notifications and turned to the Citizen Lab to research the attacks.

“The ruse employed by the attackers replicates a typical pattern: threat actors likely aligned with the Chinese government have repeatedly instrumentalized software and websites that aim to support marginalized and repressed cultures to digitally target these same communities,” the Citizen Lab said in a blog post detailing its findings.

The Citizen Lab investigation surfaced email messages with Google Drive links that installed a password-protected RAR archive when clicked, the blog post said. 

The malware then delivered information to a remote server, where it could load “additional malicious plugins,” the blog post said.

Suzanne Smalley is a reporter covering privacy, disinformation and cybersecurity policy for The Record. She was previously a cybersecurity reporter at CyberScoop and Reuters. Earlier in her career Suzanne covered the Boston Police Department for the Boston Globe and two presidential campaign cycles for Newsweek. She lives in Washington with her husband and three children.