Facebook takes action against Chinese hackers targeting Uyghurs

Facebook on Wednesday announced that it had taken steps to disrupt efforts of Chinese hacking groups to target and surveil members of the Uyghur community both in China and abroad. 

Two senior Facebook officials noted in a blog post that a Chinese hacking group known as “Evil Eye” or “Earth Empusa” had been targeting journalists, activists and dissidents in the global Uyghur community.

The Chinese government has taken increasingly hostile measures against the minority Muslim community, which mostly lives in the Xinjiang province of China. 

According to Facebook, the hackers had attempted to install malware viruses on the mobile devices of their targets in order to enable surveillance activities. The hackers used Facebook to send links to malicious websites to the victims, who included those living in the United States, Australia, Turkey, Syria, Kazakhstan, Canada and other countries outside of China. 

The malicious links often led to websites meant to look like a popular Uyghur or Turkish news site, with some of these websites containing malicious code that installed the malware on iOS devices. The hackers also allegedly set up fake Android app stores and posed as fake Uyghur journalists, students, or other trusted individuals in order to send links to targets. 

“This activity had the hallmarks of a well-resourced and persistent operation while obfuscating who’s behind it,” Mike Dvilyanski, Facebook’s head of cyber espionage investigations and Nathaniel Gleicher, Facebook’s head of security policy, wrote in the blog post. 

Dvilyanski and Gleicher noted that Facebook had blocked the sharing of malicious domains on their site by the hackers, along with removing the accounts of the attackers and notifying their potential targets. 

The Facebook officials cited work from cybersecurity group FireEye in reaching their conclusions around two Chinese companies being behind some of malware viruses targeting Android devices. 

Ben Read, the director of analysis at FireEye’s Mandiant Threat Intelligence, told The Hill in a statement that the hacking operation had been ongoing since at least 2019, and had enabled the hackers to “gain vast amounts of personal data” on their targets. 

“We believe this operation was conducted in support of the PRC [People’s Republic of China] government, which frequently targets the Uyghur minority through cyber espionage activity,” Read said. “On several occasions, the Chinese cyber espionage actors have leveraged mobile malware to target Uyghurs, Tibetans, Hong Kong democracy activists and others believed to be threats to the stability of the regime.”

Other cybersecurity groups have also tracked the efforts by the Chinese hacking group to surveil the Uyghur community over the past few years. 

Trend Micro published research last year finding that Earth Empusa used email phishing attacks to compromise Android and iOS devices of Uyghurs with malware, while Volexity found in 2019 that the same group had been conducting widespread surveillance activity of the Uyghur community.