Since Facebook is banned in China, the company may seem like an unlikely source of information about Chinese hacking campaigns against the country’s ethnic Uyghur minority. On Wednesday, however, the company announced that it had identified recent spy campaigns targeting the Uyghur community, mainly people living abroad in countries such as Australia, Canada, Kazakhstan, Syria, United States and Turkey. Facebook claims the activity came from Chinese hacking group Evil Eye, which has a roadmap to target Uyghurs.
In mid-2020, Facebook found crumbs of evidence of attacks on its own services: accounts masquerading as students, activists, journalists and members of the global Uyghur community who attempted to contact victims. potentials and share malicious links with them. Facebook researchers followed these crumbs outside the company’s own ecosystem to Evil Eye’s broader efforts to spread malware and track Uyghur activity.
“We saw this as an extremely targeted campaign,” says Mike Dvilyanski, who leads Facebook’s cyber espionage investigations. “They targeted specific minority communities and they carried out checks to ensure that the objectives of this activity match certain criteria, such as geolocation, the languages they speak or the operating systems they use. “
Evil Eye, also known as Earth Empusa and PoisonCarp, is known for its relentless digital assaults on Uyghurs. Its most recent wave of activity began in 2019 and accelerated in early 2020, even as China plunged into lockdowns linked to Covid-19.
Researchers also found impostor Android app stores configured to resemble popular sources of Uyghur-related apps, like community-driven keyboard, dictionary, and prayer apps. Really, these malicious app stores have distributed spyware from two strains of Android malware known as ActionSpy and PluginPhantom, the latter of which circulated in various forms for years.
Facebook’s analysis has pushed the company away from its own platforms. Its cyberespionage investigation team went so far as to trace Android malware used in the Evil Eye campaigns to two development companies: Beijing Best United Technology Co., Ltd. and Dalian 9Rush Technology Co., Ltd. intelligence firm FireEye helped uncover these connections. WIRED was unable to immediately contact the two companies for comment. Facebook did not formally link Evil Eye to the Chinese government when it announced its findings on Wednesday.
“In this case, we can see clear links to the [malware development] companies, we can see geographic attribution based on activity, but we can’t really prove who is behind the operation, ”says Nathaniel Gleicher, Facebook’s chief security officer. “So what we want to do is give the evidence that we can prove. And then we know there is a larger community that can analyze it and draw the best conclusions based on the patterns and tactics. “
The episode reflects Facebook’s evolving approach to publicizing its research into hacking activity outside of its platforms. The company claims to have seen fewer than 500 targets on its own platforms and performed a small number of account withdrawals and website blocks as a result. Gleicher says that when the company sees evidence of broader malicious activity on its platforms, the cyberespionage investigation team doesn’t just watch. He takes as many actions as he can on Facebook, then works to make activity more difficult for attackers outside of Facebook, by collecting data and activity metrics and collaborating with the broader intelligence community on. threats to share information. Gleicher adds that Facebook only makes information public when it believes it will actually hurt attackers without putting victims at risk.