Facebook took action against China-linked APT targeting Uyghur activists

Facebook has closed accounts used by a China-linked APT to distribute malware to spy on Uyghurs activists, journalists, and dissidents living outside China.

Facebook has taken action against a series of accounts used by a China-linked cyber-espionage group, tracked as Earth Empusa or Evil Eye, to deploy surveillance malware on devices used by Uyghurs activists, journalists, and dissidents living outside China.

“Today, we’re sharing actions we took against a group of hackers in China known in the security industry as Earth Empusa or Evil Eye — to disrupt their ability to use their infrastructure to abuse our platform, distribute malware and hack people’s accounts across the internet.” reads the press release published by Facebook “They targeted activists, journalists and dissidents predominantly among Uyghurs from Xinjiang in China primarily living abroad in Turkey, Kazakhstan, the United States, Syria, Australia, Canada and other countries. This group used various cyber-espionage tactics to identify its targets and infect their devices with malware to enable surveillance.”

The group used the now terminated accounts to send links to the victims that point to malicious websites set up to conduct watering hole attacks.

Facebook researchers also reported that attackers also targeted iOS devices belonging to Uyghur targets with spyware like PoisonCarp or INSOMNIA.

The experts observed that the activity slowing down at various times, likely due to the response of other companies. 

Facebook identified the following tactics, techniques and procedures (TTPs) used by this APT group:

• Selective targeting and exploit protection;
• Compromising and impersonating news websites;
• Social engineering;
• Using fake third party app stores;
• Outsourcing malware development;
• Industry tracking.

In some cases, websites set up by the attackers group were mimicking third-party Android app stores where they published Uyghur-themed applications distributing multiple malware, such as ActionSpy or PluginPhantom malware.

The analysis of the samples employed in the attacks revealed that developers behind some of the Android apps used by the group are the Chinese companies Beijing Best United Technology Co., Ltd. (Best Lh) and Dalian 9Rush Technology Co., Ltd. (9Rush).

“To disrupt this operation, we blocked malicious domains from being shared on our platform, took down the group’s accounts and notified people who we believe were targeted by this threat actor.” concludes the report.

Facebook also provided Indicators of Compromise for this campaign.

If you want to receive the weekly Security Affairs Newsletter for free subscribe here.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Facebook)

[adrotate banner=”5″]

[adrotate banner=”13″]