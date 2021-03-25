

Facebook takes action against Chinese hackers targeting Uyghurs living abroad

The Facebook analysis found that two Chinese companies were the developers behind some of the Android tooling deployed by this group. These China-based firms are likely part of a sprawling network of vendors, with varying degrees of operational security, Facebook said.

Updated: 25-03-2021 08:36 IST
Representative image (Image credit: ANI)

Facebook on Wednesday said it has taken action against a group of Chinese hackers, known as Earth Empusa or Evil Eye, that used various cyber espionage tactics to identify its targets and infect their devices with malware to enable surveillance.

The group targeted activists, journalists and dissidents, predominantly Uyghurs from Xinjiang in China, most of them living abroad in Turkey, Kazakhstan, the United States, Syria, Australia, Canada and other countries.

Facebook's threat intelligence analysts and security experts identified the tactics, techniques and procedures (TTPs) used by this group. These include:

  • Selective targeting and exploit protection: The group only infected people with iOS malware when they passed certain technical checks.
  • Compromising and impersonating news websites: They set up malicious websites that used look-alike domains for popular Uyghur and Turkish news sites. They used a watering hole attack, a technique in which hackers infect websites frequently visited by intended targets to compromise their devices. Some of these web pages contained malicious JavaScript code that installed iOS malware called INSOMNIA on devices once they were compromised.
  • Social engineering: The hackers posed as journalists, students, human rights advocates or members of the Uyghur community on Facebook to build trust and trick their targets into clicking on malicious links.
  • Fake third-party Android app stores: The group designed fake websites mimicking third-party Android app stores where they published trojanized Uyghur-themed applications, including a keyboard app, a prayer app and a dictionary app.

To disrupt their activity, Facebook blocked malicious domains from being shared on its platform, took down the group's accounts and notified users targeted by this group.

