Facebook blocks Chinese state hackers spying on Uyghur activists


Facebook removed accounts used by a China-sponsored hacking group to deploy surveillance malware on devices used by Uyghur activists, journalists, and dissidents living outside China.

According to Facebook’s Head of Cyber Espionage Investigations Mike Dvilyanski and Head of Security Policy Nathaniel Gleicher, the hackers targeted activists, journalists, and dissidents, predominantly Uyghurs from Xinjiang, China, living abroad in Turkey, Kazakhstan, the United States, Syria, Australia, Canada, and other countries.

The hacking group, tracked as Earth Empusa or Evil Eye, used various techniques to identify its targets and infect their devices with malware that enabled surveillance.

The group used Facebook accounts to send links that redirected targets to attacker-controlled websites in watering hole attacks.

In some cases, the group infected Uyghur targets’ iOS devices with spyware known as PoisonCarp or INSOMNIA.

Facebook has since blocked these accounts. Before the operation was disrupted, the Chinese state hackers employed several tactics, techniques, and procedures (TTPs) in attacks on Uyghur activists living abroad.

These included compromising and impersonating news websites popular among Uyghurs, and using fake Facebook accounts in social engineering attacks while posing as members of the Uyghur community, such as students, journalists, and human rights advocates.

The threat actors also created fake third-party Android app stores to host trojanized apps that infected Uyghur targets with ActionSpy or PluginPhantom malware.
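Because the trojanized apps were delivered through fake third-party app stores rather than Google Play, one check a responder can run on a suspect Android device is to list third-party packages together with the installer Android recorded for each, and flag anything sideloaded or installed by an unknown store. The following is an added example, not code from the article or from Facebook. It parses the output of the real `adb shell pm list packages -3 -i` command, but the sample output and every package name in it are constructed for this example, and the trusted-store list is an assumption to adjust for the fleet being checked.

```python
"""Flag third-party Android packages that did not come from a trusted store.

Added example, not code from the article or from Facebook. It parses the
output of the real Android command ``adb shell pm list packages -3 -i``
(third-party packages with their recorded installer) and reports anything
sideloaded or installed by an unknown store. SAMPLE_OUTPUT and the package
names in it are constructed; TRUSTED_INSTALLERS is an assumption.
"""
import re
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

# Installer package names we accept. Google Play is the usual one; the
# Samsung Galaxy Store entry is an assumed example of an OEM store.
TRUSTED_INSTALLERS: FrozenSet[str] = frozenset({
    "com.android.vending",              # Google Play Store
    "com.sec.android.app.samsungapps",  # Samsung Galaxy Store (assumed)
})

# pm prints one line per package: "package:<name>  installer=<installer|null>"
LINE_RE = re.compile(r"^package:(?P<pkg>\S+)\s+installer=(?P<installer>\S+)$")


@dataclass(frozen=True)
class Finding:
    package: str
    installer: Optional[str]   # None when pm reports installer=null
    reason: str


def parse_pm_list(output: str) -> Dict[str, Optional[str]]:
    """Map package name -> installer (None for 'null'); reject unknown lines."""
    packages: Dict[str, Optional[str]] = {}
    for raw in output.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised pm output: {line!r}")
        installer = m.group("installer")
        packages[m.group("pkg")] = None if installer == "null" else installer
    return packages


def find_untrusted(packages: Dict[str, Optional[str]],
                   trusted: FrozenSet[str] = TRUSTED_INSTALLERS) -> List[Finding]:
    """Return third-party packages whose installer is missing or not trusted."""
    findings: List[Finding] = []
    for pkg, installer in sorted(packages.items()):
        if installer is None:
            findings.append(Finding(pkg, None, "sideloaded: no installer recorded"))
        elif installer not in trusted:
            findings.append(Finding(pkg, installer,
                                    f"installed by unknown store {installer}"))
    return findings


# Constructed sample of `pm list packages -3 -i` output; not from a real device.
SAMPLE_OUTPUT = """\
package:com.example.chat  installer=com.android.vending
package:com.example.keyboard  installer=null
package:com.example.vpn  installer=com.example.freestore
package:com.example.maps  installer=com.android.vending
"""


def main() -> None:
    for f in find_untrusted(parse_pm_list(SAMPLE_OUTPUT)):
        print(f"{f.package}: {f.reason}")


if __name__ == "__main__":
    main()
```

Two caveats: the installer field is an attribution recorded at install time, so a reinstall or an app holding install privileges can change it, and a trusted installer says nothing about whether the app itself is benign. Treat a hit as a lead for pulling the APK and examining it, not as a verdict.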

Facebook has linked the malware strains to two Chinese companies, Beijing Best United Technology Co., Ltd. (Best Lh) and Dalian 9Rush Technology Co., Ltd. (9Rush).

The hacking group partially outsourced the development of the Android tooling used in its attacks to these two companies.

The researchers added that these China-based firms are likely part of a sprawling network of vendors, with varying degrees of operational security.
