Given that Facebook is banned in China, the company may seem like an unlikely source of information about Chinese hacking campaigns against the country's Uyghur ethnic minority. On Wednesday, though, the company announced that it had identified recent espionage campaigns targeted at the Uyghur community, primarily people living abroad in countries like Australia, Canada, Kazakhstan, Syria, the United States, and Turkey. Facebook says the activity came from the known Chinese hacking group Evil Eye, which has a track record of targeting Uyghurs.
In mid-2020, Facebook found crumbs of evidence about the attacks on its own services: accounts pretending to be students, activists, journalists, and members of the global Uyghur community that attempted to contact potential victims and share malicious links with them. Facebook researchers followed these crumbs outside the company's own ecosystem to Evil Eye's broader efforts to spread malware and track Uyghurs' activity.
“We saw this as an extremely targeted campaign,” says Mike Dvilyanski, who heads Facebook’s cyber espionage investigations. “They targeted specific minority communities and they performed checks to make sure that the targets of that activity fit certain criteria, like geolocation, languages they spoke, or operating systems they used.”
Evil Eye, also known as Earth Empusa and PoisonCarp, is notorious for its unrelenting digital assaults on Uyghurs. Its most recent wave of activity began in 2019 and ramped up in early 2020, even as China plunged into Covid-19-related lockdowns.
The researchers also found imposter Android app stores set up to look like popular sources of Uyghur-related apps, like community-focused keyboard, dictionary, and prayer apps. Really, these malicious app stores distributed spyware from two Android malware strains known as ActionSpy and PluginPhantom, the latter of which has circulated in various forms for years.
Facebook's analysis took the company far off of its own platforms. Its cyber espionage investigations team went so far as to trace the Android malware used in the Evil Eye campaigns to two development firms: Beijing Best United Technology Co., Ltd. and Dalian 9Rush Technology Co., Ltd. Facebook says that research from the threat intelligence firm FireEye contributed to its discovery of these connections. WIRED could not immediately reach the two firms for comment. Facebook did not formally draw a connection between Evil Eye and the Chinese government when it announced its findings on Wednesday.
“In this case we can see clear links to the [malware development] firms, we can see geographic attribution based on the activity, but we can’t actually prove who’s behind the operation,” says Nathaniel Gleicher, Facebook's head of security policy. “So what we want to do is give the evidence that we can prove. And then we know that there’s a broader community that can analyze it and come to the best conclusions based on the patterns and tactics.”
Ben Read, director of analysis at FireEye’s Mandiant Threat Intelligence, said in a statement on Wednesday that, “We believe this operation was conducted in support of the PRC government, which frequently targets the Uyghur minority through cyber espionage activity.” He added that the same hackers are also known to target other groups that the Chinese government perceives as a threat to its regime, like Tibetans and democracy activists in Hong Kong.
The episode reflects Facebook's evolving approach to going public with its research into hacking activity outside its platforms. The company says it saw fewer than 500 targets on its own platforms and did a small number of account takedowns and website blocks as a result. Gleicher says that when the company sees evidence on its platforms of broader malicious activity, the cyber espionage investigations team doesn't just watch. It takes as much action as possible on Facebook and then works to make the activity more difficult for attackers off Facebook, as well, by collecting data and activity indicators and collaborating with the broader threat intelligence community to share information. Gleicher adds that Facebook only goes public with the information when it thinks that will actually hurt attackers without endangering victims.
Though the Evil Eye targeting Facebook looked at was extensive, the researchers emphasize that the group was careful to conceal its activity as much as possible and in some cases went to great lengths to evaluate potential targets before actually infecting their devices with spyware. When it came to distributing the iOS malware, for example, the attackers did a technical evaluation on all potential targets, including looking at their IP addresses, browsers, operating systems, and device settings about region and language in an attempt to ensure that a target was really a member of the Uyghur community.
“Like a lot of espionage campaigns this was super targeted,” Gleicher says. “They actually wanted to make sure they hit that community."
Updated 3-24-2021, 4:01 pm EST: This story has been updated to include a statement from Ben Read.