Facebook caught Chinese hackers using fake personas to target Uyghurs abroad

Facebook on Wednesday announced new actions to disrupt a network of China-based hackers leveraging the platform to compromise targets in the Uyghur community.

The group, known to security researchers as “Earth Empusa,” “Evil Eye” or “Poison Carp” targeted around 500 people on Facebook, including individuals living abroad in the United States, Turkey, Syria, Australia and Canada. Through fake accounts on Facebook, the hackers posed as activists, journalists and other sympathetic figures in order to send their targets to compromised websites beyond Facebook.

Facebook’s security and cyberespionage teams began seeing the activity in 2020 and opted to disclose the threat publicly to maximize the impact on the hacking group, which has proven sensitive to public disclosures in the past.

Though Facebook says social engineering efforts on the platform are “a piece of the puzzle,” most of the hacking group’s efforts take place elsewhere online. They focus on attempts to gain access to targets’ devices with watering hole attacks and lookalike domains, including a fake Android app store offering prayer apps and Uyghur-themed keyboard downloads.

When downloaded, those fake apps infected devices using two strains of Android trojan malware, ActionSpy and PluginPhantom. On iOS devices, the hackers leveraged malware known as Insomnia.

While the hackers targeted a small number of users relative to what the company sees in disinformation operations, Facebook stressed that a small, well-chosen group of targets can result in huge impacts. “You can imagine surveillance, you can imagine a range of secondary consequences” Facebook Head of Security Policy Nathaniel Gleicher said.

The Uyghurs are a predominantly Muslim ethnic minority in China that continues to face brutal repression from the Chinese government, including being forced into labor camps in the country’s Xinjiang province.

Facebook declined to link what it observed to the Chinese government, saying that it defers to the broader security community to make those determinations when it lacks the technical indicators to do so itself. Researchers believe that adjacent hacking campaigns are Beijing’s efforts to extend its surveillance of communities it already subjugates within China’s bounds.