Facebook disables cyber espionage operation from Chinese group against Uyghur activists
Facebook regularly discloses methodologies that it is utilizing to secure its platform from cyberattacks and other malicious activities. Now, the company has announced that its security teams have disabled operations against Uyghur activists. These were being carried out by a group in China known as “Evil Eye” or “Earth Empusa”.
According to Facebook, these attacks were being predominantly carried out against journalists and activists from the Uyghurs of Xinjiang in China, who are currently living abroad in countries such as the United States, Australia, and Turkey.
The cyber espionage model primarily revolved around infecting target devices with malware so they could then be utilized for surveillance. Facebook noted that this was accomplished by distributing links to targets on Facebook. These links would either direct users to lookalike domains for known Uyghur news outlets or to actual websites infected with malicious JavaScript code, which would then infect iOS devices. The company notes that this was a highly targeted activity which only infected devices after they had passed certain checks for IP addresses and browser settings, among other things.
In terms of who actually distributed these problematic URLs, Facebook says that malicious actors would pose as Uyghur activists, establish trust with their targets, and then share the links. They also targeted Android users by setting up third-party app stores containing malware-infected apps for Uyghur-themed keyboards, prayers, and the Holy Quran. Facebook went on to say that:
We’ve observed this group use several distinct Android malware families. Specifically, our investigation and malware analysis found that Beijing Best United Technology Co., Ltd. (Best Lh) and Dalian 9Rush Technology Co., Ltd. (9Rush), two Chinese companies, are the developers behind some of the Android tooling deployed by this group. Our assessment of one of them benefited from research by FireEye, a cybersecurity company. These China-based firms are likely part of a sprawling network of vendors, with varying degrees of operational security.
[…] Our industry peers have been tracking parts of this activity as being driven by a single threat actor broadly known as Earth Empusa, or Evil Eye, or PoisonCarp. Our investigation confirmed that the activity we are disrupting today closely aligns with the first two — Earth Empusa or Evil Eye. While PoisonCarp shares some TTPs including targeting and use of some of the same vendor-developed malware, our on-platform analysis suggests that it is a separate cluster of activity.
Actions that Facebook has taken to disable this operation include blocking malicious domains from being shared on its platform, informing affected users, and sharing threat indicators such as hashes and domain names publicly.