Facebook revealed on Wednesday (24) that it has taken steps to curb the actions of Chinese hackers who tried to attack journalists, dissidents and Uighur-born activists on the social network.
Social network identified malicious links, fake websites and spy apps for Android and iOS.
Facebook services were used to create fake profiles on behalf of journalists and dissidents with interests similar to those of the victims. The profiles served to gain the confidence of the targets and send the malicious links that contaminated the cell phone with spy programs.
Less than 500 people were victims of the operation, and malicious websites were programmed to only infect devices that met certain criteria. The sophistication of the techniques and the direction of the attacks are indications that the operation had resources and long-term objectives – which usually indicates sponsorship from some government.
Facebook did not attribute the attack directly to the Chinese government, but said it identified technical similarities with a group of hackers that experts call “Earth Empusa” or “Evil Eye”.
The Evil Eye is known for attacking Uighurs in the Xinjiang region, especially those who have friction with the Chinese Communist Party for defending the region’s independence.
According to Amnesty International, Uighurs suffer “widespread discrimination” in China, with restrictions on access to education, housing and religious freedom.
In the operation dismantled by Facebook, the targets were mostly Uighurs from the Xinjiang region who were living in countries like Turkey, Kazakhstan, the United States, Syria, Australia and Canada – that is, outside China.
On Monday (22), the European Union imposed sanctions on China, accusing the country of violating human rights in the Xinjiang region.
China has always denied involvement in any digital espionage action. The country also denies that there are any human rights abuses in Xinjiang, claiming that the “re-education” camps are places of vocational training and are necessary for the fight against extremism.
Fake sites and stores
Facebook shared some technical details of the operation to help other experts identify attacks and detect the presence of the spy program. The social network also highlighted some of the methods employed by spies.
To contaminate victims’ smartphones with spy programs, fake websites were created that passed for app stores with programs linked to Uighur culture, such as dictionaries and prayers.
News sites of interest to the victims were attacked and modified with codes that attempted to break into visitors’ devices – an attack technique known as a “watering hole” that has already been used in other operations against Uighurs.
While app stores were used to install apps that spy on Android users with the “ActionSpy” and “PluginPhantom” programs, attacks on websites also hit iPhone phones with the “Insomnia” spy program.
Also according to Facebook, the programs used by the hackers brought evidence of the involvement of two technology companies in China. The social network believes that this may indicate that the development of these attack programs has been outsourced.