Facebook Exposes Chinese Hackers Targeting Uyghurs with Fake Accounts

March 24, 2021

Facebook Disrupts Chinese Hacking Network Targeting Uyghur Community

On Wednesday, Facebook announced the implementation of new measures designed to dismantle a hacking network originating in China. This network was actively exploiting the platform to compromise individuals within the Uyghur community.

Details of the Hacking Group

Security researchers identify the group under several names, including “Earth Empusa,” “Evil Eye,” and “Poison Carp.” Their operations targeted approximately 500 individuals on Facebook.

These targeted individuals were not limited to those residing in China, but included people living in the United States, Turkey, Syria, Australia, and Canada.

Tactics Employed by the Hackers

The hackers created fraudulent Facebook accounts, impersonating activists, journalists, and other individuals perceived as sympathetic. This allowed them to lure targets to websites outside of Facebook that had been compromised.

Facebook’s security and cyberespionage teams first detected this activity in 2020. A decision was made to publicly disclose the threat to maximize disruption, as the group has previously demonstrated sensitivity to public exposure.

Broader Hacking Efforts Extend Beyond Facebook

While acknowledging that activity on its platform represents “a piece of the puzzle,” Facebook clarified that the majority of the hacking group’s efforts occur elsewhere online.

The group’s strategy centers on gaining access to devices through watering hole attacks and the use of lookalike domains.

This includes a deceptive Android app store offering prayer applications and Uyghur-themed keyboard downloads.

Malware Used in the Attacks

Upon installation, these malicious applications infected devices with two distinct strains of Android malware: ActionSpy and PluginPhantom.

For iOS devices, the hackers utilized malware known as Insomnia.

Impact and Significance

Although the number of targeted users was relatively small compared to typical disinformation campaigns, Facebook emphasized that a carefully selected group can have significant consequences.

Nathaniel Gleicher, Facebook Head of Security Policy, stated that potential outcomes include surveillance and a variety of secondary repercussions.

Context: The Uyghur Community

The Uyghurs are a predominantly Muslim ethnic minority group in China currently facing severe repression from the Chinese government.

This repression includes forced labor within camps located in the Xinjiang province.

Attribution and Further Investigation

Facebook refrained from directly linking the observed activity to the Chinese government.

The company stated it relies on the broader security community to make such determinations when lacking sufficient technical evidence.

However, researchers suggest that these hacking campaigns are likely part of Beijing’s broader efforts to expand surveillance over communities already under its control.
