China may have been one of the first countries to lock down over the first months of 2020, as Covid-19 began its global spread. But that didn't stop suspected Chinese spies from carrying out a new smartphone-hacking campaign aimed at one of their favorite targets: the country's Uighur ethnic minority.
From as early as December of last year and continuing through March, Chinese hackers used so-called "watering hole" attacks to plant malware on the iPhones of Uighurs, according to new findings from the security firm Volexity. To do so, a hacker group that Volexity calls Evil Eye compromised popular Uighur websites, including the news and education site Uyghur Academy and the Uighur Times news outlet. Visiting those sites on an iPhone would automatically infect the device with sophisticated spyware designed to gain access to its data, particularly messaging applications.
That indiscriminate web-based hacking campaign is remarkable not just because it occurred during the peak of China's novel coronavirus crisis, but also because it began just months after Volexity and Google publicly revealed that the same Evil Eye group was hacking smartphones via those same websites, using a rare collection of previously unknown iOS software vulnerabilities—also known as zero-day vulnerabilities—that shocked the cybersecurity world. The security research group Citizen Lab found that the same zero-day vulnerabilities were also being used to target Tibetan victims, which Volexity sees as a suggestion that the hackers were likely carrying out domestic surveillance on behalf of the Chinese government. The country has faced international criticism over its treatment of both ethnic groups, with a growing focus in recent years on the reported suppression of Uighurs in the Xinjiang region of western China.
The fact that the hackers so quickly retooled and launched a new spy campaign in late 2019 and early 2020 seems to suggest just how determined China's state-sponsored hackers are to keep tabs on Uighurs' communications, says Volexity founder Steven Adair. "To put this many resources and effort into developing implants and exploits clearly shows that Uighurs are a high priority target," says Adair, using the term "exploit" to refer to a hacking technique and "implant" to mean the malware it installs on a target machine. "They’re up there enough that, even in the time of coronavirus and even after this group was publicly outed and exposed, it didn't deter them from continuing to operate."
Last fall, Google’s Project Zero research team revealed that a group of hackers had used no fewer than 14 zero-day vulnerabilities in web-based watering hole attacks, which Volexity subsequently tied to an ongoing hacking campaign targeting Chinese Uighurs. The more recent attacks, by contrast, didn't use any zero-day vulnerabilities, but instead targeted phones missing the most recent iOS patches as of July 2019, specifically those still running iOS versions 12.3, 12.3.1, and 12.3.2. (In separate news, security firm ZecOps today revealed that a zero-day hacking technique had been used against iPhones in the wild, and only patched in a beta update for iOS last week. Update your iPhone to protect against both attacks.)
According to Volexity, the hackers used vulnerabilities in WebKit, which serves as the foundation of iOS browsers, to hack website visitors with malicious iframes planted on the targeted sites. Volexity's Adair says the exploit would have been almost impossible for a user to detect, and didn't discriminate among victims, simply infecting every visitor to the compromised sites. "For someone on the phone, there’s zero indication this happened," Adair says. "They just cast the widest net, pulled in the catch, and then went through the results."
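The injection pattern described above, an iframe planted in a legitimate site's pages to pull visitors toward exploit content, is something a site operator can check for from the defending side. The following is an added example, not code from the article or from Volexity: a small scanner that parses a page's HTML and flags iframes whose source host is off-origin or that are hidden from view, the two traits a watering-hole insertion usually combines. The sample HTML, the hostnames and the site name are constructed for the example, and the size and style heuristics are assumptions that an operator would tune for their own site.

```python
"""Added example (not from the article or from Volexity): flag iframes in a
site's own pages that point off-origin or are hidden, the usual shape of a
watering-hole injection. All HTML, hostnames and thresholds are constructed."""
from html.parser import HTMLParser
from urllib.parse import urlparse


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> tag in an HTML document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            # HTMLParser lowercases attribute names; a bare attribute has value None
            self.iframes.append({k: (v or "") for k, v in attrs})


def _is_hidden(attrs):
    """Heuristic (assumed thresholds): zero/one-pixel or display:none frames
    have no legitimate visual purpose on a content page."""
    style = attrs.get("style", "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    for dim in ("width", "height"):
        value = attrs.get(dim, "").strip().lower().rstrip("px")
        if value in ("0", "1"):
            return True
    return False


def find_suspicious_iframes(html, site_host, allowed_hosts=()):
    """Return [(src, [reasons])] for iframes that are off-origin or hidden.

    site_host is the hostname the page was served from; relative src values
    stay on-origin. allowed_hosts lets the operator list known embeds."""
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        host = urlparse(src).hostname or site_host
        reasons = []
        if host != site_host and host not in allowed_hosts:
            reasons.append(f"off-origin src host {host}")
        if _is_hidden(attrs):
            reasons.append("hidden iframe")
        if reasons:
            findings.append((src, reasons))
    return findings


# Constructed sample page: one legitimate video embed, one local widget,
# and one injected zero-sized, display:none frame pointing to another host.
SAMPLE_HTML = """
<html><body>
<h1>News</h1>
<iframe src="https://video.example.org/embed/123" width="640" height="360"></iframe>
<p>Article text.</p>
<iframe src="https://injected.example.net/x.html" width="0" height="0" style="display:none"></iframe>
<iframe src="/local/widget.html" width="300" height="200"></iframe>
</body></html>
"""

if __name__ == "__main__":
    hits = find_suspicious_iframes(
        SAMPLE_HTML, "news.example.com", allowed_hosts={"video.example.org"}
    )
    for src, reasons in hits:
        print(src, "->", ", ".join(reasons))
```

Run against a crawl of your own site, the scanner reports only the injected frame; the allowed-hosts list keeps legitimate third-party embeds out of the output, and any frame that is both off-origin and hidden deserves an immediate look at the page's change history and the server's file integrity records.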
The hackers used their watering-hole hacking to plant a piece of malware that Volexity calls INSOMNIA, a revamped version of the spyware used to target Uighurs in the attacks last fall. That spyware was previously designed to grab messages from services like Viber, Gmail, Twitter, WhatsApp, Skype, Facebook, and WeChat. The newer version now also targets messages from the encrypted communications app Signal and the encrypted email service ProtonMail, Volexity says.
In another sign of evolution, the hackers delivered their implant with an open-source exploit delivery tool called IRONSQUIRREL, which is designed to make the exploit more difficult to analyze. They also added both SSL encryption and a certificate check to their malware to make its communications harder to intercept.
While China's surveillance of Uighurs has reportedly been increasing for years, the emergence of a new hacking campaign targeting the ethnic group just months after the same hackers were outed in a high-profile discovery is still noteworthy, says Mona Wang, a technologist with the Electronic Frontier Foundation who has tracked China's use of cyberespionage. "The thing that surprised me is that they doubled down," Wang says. "They updated the malware to collect more info, they created what's likely a very expensive new exploit chain, and they did it on sites they probably knew were being watched by Volexity and Google's Project Zero. They totally perceive these attacks to be worth the risk."
Wang says that China is likely targeting its Uighur population in Xinjiang in an attempt to intercept their communications with the Uighur diaspora in countries like Turkey and the US, in order to head off the sort of political successes achieved by the Tibetan diaspora. And that's a priority that seems not to have shifted even as the country was thrown into a nationwide public health crisis. "They're seeing a lot of backlash against their policies in Xinjiang, and they’re desperate to expand their measures of control," Wang says. "But it’s crazy to me that it’s such a high priority, even in these times."