Facebook said it has disrupted a cyberespionage operation orchestrated by China-backed hackers that has been targeting activists, journalists and dissidents predominantly among Uyghurs living abroad.
The threat actor behind this campaign is believed to be a hacker group known as Earth Empusa or Evil Eye. The malicious actor used Facebook to distribute links to malicious websites hosting malware.
According to Facebook’s Mike Dvilyanski and Nathaniel Gleicher, the hackers used a range of tactics and techniques, such as setting up malicious websites disguised as popular Uyghur and Turkish news sites and using compromised legitimate websites to deliver iOS malware known as INSOMNIA.
The group also used fake accounts on Facebook posing as journalists, students, human rights advocates or members of the Uyghur community to trick the people they targeted into clicking on malicious links, and created websites masquerading as third-party Android app stores, where they published malicious Uyghur-themed applications designed to infect devices with the ActionSpy or PluginPhantom Android spyware.
“Our industry peers have been tracking parts of this activity as being driven by a single threat actor broadly known as Earth Empusa, or Evil Eye, or PoisonCarp. Our investigation confirmed that the activity we are disrupting today closely aligns with the first two — Earth Empusa or Evil Eye. While PoisonCarp shares some TTPs including targeting and use of some of the same vendor-developed malware, our on-platform analysis suggests that it is a separate cluster of activity,” according to a blog post.
Facebook said it blocked malicious domains from being shared on its platform, removed the group’s accounts and notified people it believes were targeted by this threat actor.