
Facebook takes action against hackers targeting activists and journalists among Uyghurs of Xinjiang, China

Facebook threat intelligence analysts and security experts work to find and stop a wide range of threats including cyber espionage campaigns, influence operations and hacking of our platform by nation-state actors and other groups.



March 27, Washington D.C.: Mike Dvilyanski, Head of Cyber Espionage Investigations, and Nathaniel Gleicher, Head of Security Policy, shared that, as part of these efforts, the teams routinely disrupt adversary operations by disabling them, notifying users if they should take steps to protect their accounts, sharing the findings publicly and continuing to improve the security of the products.



FB is sharing actions it took against a group of hackers in China, known in the security industry as Earth Empusa or Evil Eye, to disrupt their ability to use their infrastructure to abuse the platform, distribute malware and hack people’s accounts across the internet. They targeted activists, journalists and dissidents, predominantly among Uyghurs from Xinjiang in China primarily living abroad in Turkey, Kazakhstan, the United States, Syria, Australia, Canada and other countries. This group used various cyber espionage tactics to identify its targets and infect their devices with malware to enable surveillance.


This activity had the hallmarks of a well-resourced and persistent operation while obfuscating who’s behind it. On the platform, this cyber-espionage campaign manifested primarily in sending links to malicious websites rather than direct sharing of the malware itself. FB saw this activity slow down at various times, likely in response to its own and other companies’ actions to disrupt their activity.


FB identified the following tactics, techniques and procedures (TTPs) used by this threat actor across the internet:

  • Selective targeting and exploit protection: This group took steps to conceal their activity and protect malicious tools by only infecting people with iOS malware when they passed certain technical checks, including IP address, operating system, browser and country and language settings.

  • Compromising and impersonating news websites: This group set up malicious websites that used look-alike domains for popular Uyghur and Turkish news sites. They also appeared to have compromised legitimate websites frequently visited by their targets as part of watering hole attacks. A watering hole attack is when hackers infect websites frequently visited by intended targets to compromise their devices. Some of these web pages contained malicious JavaScript code that resembled previously reported exploits, which installed iOS malware known as INSOMNIA on people’s devices once they were compromised.

  • Social engineering: This group used fake accounts on Facebook to create fictitious personas posing as journalists, students, human rights advocates or members of the Uyghur community to build trust with people they targeted and trick them into clicking on malicious links.

  • Using fake third party app stores: FB found websites set up by this group that mimic third-party Android app stores where they published Uyghur-themed applications, including a keyboard app, prayer app, and dictionary app. These apps were trojanized (contained malware that misled people of its true intent) with two Android malware strains — ActionSpy or PluginPhantom.

  • Outsourcing malware development: FB have observed this group use several distinct Android malware families. Specifically, our investigation and malware analysis found that Beijing Best United Technology Co., Ltd. (Best Lh) and Dalian 9Rush Technology Co., Ltd. (9Rush), two Chinese companies, are the developers behind some of the Android tooling deployed by this group. Our assessment of one of them benefited from research by FireEye, a cybersecurity company. These China-based firms are likely part of a sprawling network of vendors, with varying degrees of operational security.

  • Industry tracking: Our industry peers have been tracking parts of this activity as being driven by a single threat actor broadly known as Earth Empusa, or Evil Eye, or PoisonCarp. Our investigation confirmed that the activity FB are disrupting today closely aligns with the first two — Earth Empusa or Evil Eye. While PoisonCarp shares some TTPs including targeting and use of some of the same vendor-developed malware, our on-platform analysis suggests that it is a separate cluster of activity.


FB shared the findings and threat indicators with industry peers so they too can detect and stop this activity. To disrupt this operation, FB blocked malicious domains from being shared on its platform, took down the group’s accounts and notified people who it believes were targeted by this threat actor.
