Facebook revealed on March 25 that it had blocked Chinese hackers from using the social media platform to track Uyghur activists living abroad.
The tech giant said two hacking syndicates in China, Earth Empusa and Evil Eye, were responsible for the attacks and exploited various means to distribute malware onto the activists’ computers and smartphones, and carry out surveillance.
Facebook said Uyghur journalists, activists, and dissidents living across the United States, Australia, Canada, Syria, Turkey, and Kazakhstan were targeted.
“This activity had the hallmarks of a well-resourced and persistent operation while obfuscating who’s behind it,” Mike Dvilyanski, Facebook’s head of cyber espionage investigations, and Nathaniel Gleicher, head of security policy, wrote in a statement.
“On our platform, this cyber-espionage campaign manifested primarily in sending links to malicious websites rather than direct sharing of the malware itself.”
“We shared our findings and threat indicators with industry peers so they too can detect and stop this activity.”
One example of malicious activities included impersonating news websites visited by Uyghur activists, or infecting popular websites, and then compromising the users’ devices. These are known as “watering hole attacks.”
In another instance, the hackers created fake Facebook accounts posing as Uyghurs, journalists, students, and human rights advocates. They would then befriend the target and trick them into clicking on a malicious link.
Fake app stores were also developed and let users download apps, including a keyboard app, prayer, and dictionary app. The apps were “trojanized” and contained malware.
The malware used to infect the devices was developed by two Chinese companies, Beijing Best United Technology Co. and Dalian 9Rush Technology Co.
Matt Warren, professor of cybersecurity at the Royal Melbourne Institute of Technology, said the activities fit into Beijing’s “global operational approach,” which was to track the activities of overseas dissident groups.
“The Chinese Communist Party (CCP) wants to track the activities of anti-Chinese groups, harvest their information, and develop insight into an individual’s personal and professional network,” he told The Epoch Times.
“The CCP hacking network is global,” he said.
“It’s a mixture of directly government-supported groups, for example, PLA Unit 61398. Or hacking groups associated with the government, including Comment Crew, which focuses on corporate espionage, and Deep Panda, which attacks the U.S. government in the name of patriotically defending China’s interest.”
The CCP has a multi-faceted cyber warfare strategy underpinned by its “unrestricted warfare” doctrine. The doctrine mandates the CCP to engage its geopolitical rivals (namely the United States and democratic allies) through a variety of means outside of traditional warfare.
In June, Australian Prime Minister Scott Morrison and Defence Minister Linda Reynolds warned that government and private institutions were under sustained attack from a “sophisticated state-based cyber actor.”
While the prime minister refused to reveal which country was the culprit, experts believe the most likely suspect was the CCP.
“When you look at the culmination of capability and intent, the list narrows to the most likely suspect being the Chinese state,” Michael Shoebridge of the Australian Strategic Policy Institute previously told The Epoch Times.