Facebook has said its investigations into cyber threats and espionage campaigns found a group of Chinese hackers targeting the Uyghur community living abroad.
“Today we’re sharing actions we took against a group of hackers in China known in the security industry as Earth Empusa or Evil Eye — to disrupt their ability to use their infrastructure to abuse our platform, distribute malware and hack people’s accounts across the internet,” said Facebook in a blog post late Wednesday.
The targeted activists, journalists and dissidents, the Facebook probe found, were predominantly Uyghurs from China’s Xinjiang province living abroad in Turkey, Kazakhstan, the US, Syria, Australia, Canada, and other countries.
The Xinjiang region is home to around 10 million Uyghurs. The Turkic Muslim group, which makes up around 45% of Xinjiang’s population, has long accused China's authorities of cultural, religious and economic discrimination.
Up to 1 million people, or about 7% of the Muslim population in Xinjiang, have been incarcerated in an expanding network of "political re-education" camps, according to US officials and UN experts.
This week both the US and EU imposed sanctions on Chinese officials over the issue, and China quickly retaliated.
Beijing has denied the claims of oppression, accusing Western capitals of using the Uyghur issue as a tool to counter China’s rising influence.
'Well-resourced and persistent operation'
“This group used various cyber espionage tactics to identify its targets and infect their devices with malware to enable surveillance,” the Facebook statement said.
The group set up malicious websites that used look-alike domains for popular Uyghur and Turkish news sites, the investigation found. “They also appeared to have compromised legitimate websites frequently visited by their targets as part of watering hole attacks. A watering hole attack is when hackers infect websites frequently visited by intended targets to compromise their devices.”
This activity, said the social media giant, “had the hallmarks of a well-resourced and persistent operation while obfuscating who’s behind it.”
“On our platform, this cyber espionage campaign manifested primarily in sending links to malicious websites rather than direct sharing of the malware itself. We saw this activity slow down at various times, likely in response to our and other companies’ actions to disrupt their activity,” it added.
“Our investigation and malware analysis found that Beijing Best United Technology Co., Ltd. [Best Lh] and Dalian 9Rush Technology Co., Ltd. [9Rush], two Chinese companies, are the developers behind some of the Android tooling deployed by this group,” the blog post said. “These China-based firms are likely part of a sprawling network of vendors, with varying degrees of operational security.”
Facebook said it had informed the possible targets of this espionage activity and blocked “malicious domains from being shared on our platform.”
In order to disrupt such operations, Facebook has also shared its probe findings and threat indicators “with industry peers so they too can detect and stop this activity,” it said.