
Threat intelligence analysts at Facebook have disrupted cyber espionage campaigns run by a Chinese state-sponsored cybercriminal group. Tracked as “Earth Empusa” or “Evil Eye,” the group allegedly abused the Facebook platform to target the Uyghur community in China by tricking victims into downloading malware that would let the attackers snoop on their devices. The group reportedly targeted activists, journalists, and dissidents of the Uyghur community living abroad, in countries including Turkey, the U.S., Kazakhstan, Syria, Australia, and Canada.
Why Uyghurs?
Evil Eye’s TTPs
The threat group ran well-resourced and persistent hacking operations to distribute malicious software and links that compromise targeted devices. The tactics, techniques, and procedures (TTPs) used by the threat actors include:
- Selective targeting and exploit protection
- Compromising and impersonating news websites
- Social-engineering attacks
- Using fake third-party app stores
- Outsourcing malware development
How capable are Evil Eye operators?
Evil Eye threat actors have been targeting users with Android and iOS exploits and malware for many years. The most recent series of cyberattacks against the Uyghur diaspora includes:
- A wide-ranging series of digital surveillance and exploitation campaigns, identified via multiple strategically compromised websites.
- Android users targeted via an exploit that delivers a 64-bit ARM executable.
- Website visitors tracked and targeted via the Scanbox profiling and exploitation framework.
- An attacker arsenal that includes Google applications which gain access to the e-mails and contact lists of Gmail accounts via OAuth.
- Doppelganger domains emulating Google, the Turkistan Times, and the Uyghur Academy.
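The doppelganger-domain tactic listed above is one a defender can screen for in proxy or DNS logs. The following checker is an added example, not code from the article or from Facebook’s report: it flags hostnames that impersonate a watch list of legitimate domains through digit-for-letter swaps, Cyrillic homoglyphs, inserted hyphens, near-miss spellings, or a brand name smuggled into the subdomain of an unrelated registrable domain. The watch list, the confusable table and the sample URLs are constructed for illustration; the article names the impersonated brands but does not publish the spoofed domains.

```python
"""Added example (not from the article or Facebook's report): flag lookalike
domains that impersonate sites on a watch list. All domains below are
constructed for illustration."""
from difflib import SequenceMatcher

# Hypothetical watch list of brands the article says were impersonated.
WATCHLIST = ["google.com", "turkistantimes.com", "uyghuracademy.org"]

# Characters typosquatters commonly substitute: digits for letters, Cyrillic
# homoglyphs for Latin letters, and multi-character look-alikes.
CONFUSABLES = {
    "0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u0443": "y",
}

def hostname(url):
    """Lower-cased host part of a URL or bare domain (scheme, userinfo, port, path removed)."""
    host = url.lower().split("://")[-1].split("/")[0].split("@")[-1].split(":")[0]
    return host.strip(".")

def registrable(host):
    """Crude registrable domain (last two labels). Assumes no multi-label public
    suffix such as co.uk; a production tool would consult the Public Suffix List."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host

def normalize(name):
    """Fold confusable characters so 'g00gle' and Cyrillic 'gооgle' compare as 'google'."""
    for bad, good in CONFUSABLES.items():
        name = name.replace(bad, good)
    # A hyphen inserted into a brand name is another common trick.
    return name.replace("-", "")

def classify(url, watchlist=WATCHLIST, threshold=0.85):
    """Return (verdict, matched_watchlist_entry); verdict is 'legitimate',
    'lookalike' or 'unrelated'."""
    host = hostname(url)
    reg = registrable(host)
    if reg in watchlist:
        return ("legitimate", reg)
    labels = host.split(".")
    norm = normalize(reg)
    for legit in watchlist:
        brand = legit.split(".")[0]
        # Brand name smuggled into a subdomain of an unrelated registrable domain,
        # e.g. accounts.google.com.example-login.net
        if brand in labels:
            return ("lookalike", legit)
        # Confusable substitution or a near-miss spelling of the registrable domain.
        if norm == legit or SequenceMatcher(None, norm, legit).ratio() >= threshold:
            return ("lookalike", legit)
    return ("unrelated", None)

def triage(urls, watchlist=WATCHLIST):
    """Run classify() over a batch and return (url, impersonated_domain) for lookalikes."""
    flagged = []
    for url in urls:
        verdict, legit = classify(url, watchlist)
        if verdict == "lookalike":
            flagged.append((url, legit))
    return flagged

# Constructed sample, as a defender might pull hostnames from proxy logs.
SAMPLE = [
    "https://www.google.com/",
    "https://g00gle.com/login",
    "https://g\u043e\u043egle.com/",  # two Cyrillic 'о' characters
    "https://accounts.google.com.example-login.net/",
    "https://turkistan-times.com/news",
    "https://uyghuracadeny.org/",
    "https://example.org/",
]

if __name__ == "__main__":
    for url, legit in triage(SAMPLE):
        print(f"LOOKALIKE {url} -> impersonates {legit}")
```

The similarity threshold of 0.85 is a tuning knob: lower it and short brand names start to collide with unrelated domains, raise it and single-character near misses such as `uyghuracadeny.org` slip through. The two-label `registrable()` heuristic also means a legitimate multi-suffix domain like `google.co.uk` would be reported as a lookalike, which is why a real deployment should use the Public Suffix List.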
Facebook Analysts Say…
The threat intelligence experts at Facebook stated that they disrupted Evil Eye’s operations by blocking the group’s malicious domains from being shared on the platform. The social media giant also notified the users it believed this threat group had targeted.
“This group took steps to conceal their activity and protect malicious tools by only infecting people with iOS malware when they passed certain technical checks, including IP address, operating system, browser and country, and language settings. They also appeared to have compromised legitimate websites frequently visited by their targets as part of watering hole attacks. Some of these web pages contained malicious JavaScript code that resembled previously reported exploits, which installed iOS malware known as INSOMNIA on people’s devices once they were compromised,” Facebook said.
The disruption of the hackers’ activities comes days after Western countries, including the European Union, the U.K., the U.S., and Canada, imposed sanctions on officials in China over human rights abuses against the Uyghur minority group.