Facebook’s in-house cyber security team has disrupted a China-backed advanced persistent threat (APT) group dubbed Earth Empusa or Evil Eye. The group was targeting activists, journalists and dissidents connected to the Uighur Muslim community of Xinjiang, western China, a community that is being relentlessly persecuted by the Chinese government.
Over a long-running, well-resourced and persistent campaign, the group targeted people located in Australia, Canada, Kazakhstan, Syria, Turkey and the US, using a range of cyber espionage tactics to identify targets and compromise their smartphones with spyware.
“Facebook threat intelligence analysts and security experts work to find and stop a wide range of threats including cyber espionage campaigns, influence operations and hacking of our platform by nation-state actors and other groups,” wrote Mike Dvilyanski, Facebook’s head of cyber espionage investigations, and Nathaniel Gleicher, head of security policy, in a disclosure notice.
“As part of these efforts, our teams routinely disrupt adversary operations by disabling them, notifying users if they should take steps to protect their accounts, sharing our findings publicly and continuing to improve the security of our products,” they added.
Earth Empusa used Facebook to distribute links to malicious websites from which targets were induced to download the spyware, rather than sharing the spyware on the platform directly, they said. A favoured tactic was to impersonate popular Uighur and Turkish news sites on lookalike domains.
The group also ran sock-puppet Facebook accounts with fictitious personas posing as journalists, students and human rights activists, in order to build trust with targets and lure them to the malicious sites.
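The lookalike-domain lure described above is the one part of this tradecraft a defender can check for mechanically. The following Python is an added example, not code from Facebook's report or from the Earth Empusa investigation: it flags candidate domains that impersonate a watch-list of outlets, covering the three ways a lookalike is usually built (homoglyphs, including punycode-encoded internationalised domains; small typos; and added tokens around the real name). Every domain in it is a constructed placeholder under `.example`; the real news outlets and the group's actual infrastructure are not reproduced here.

```python
"""Flag domains that impersonate a watch-list of legitimate news outlets.

Added example, not code from Facebook's report or the investigation it
describes. All domains below are constructed placeholders.
"""
from __future__ import annotations

import unicodedata

# Constructed stand-ins for the outlets an organisation wants to protect.
LEGITIMATE = ["uyghurtimes.example", "turkhaber.example", "doguhaber.example"]

# Single characters commonly mistaken for an ASCII letter (Cyrillic, Greek,
# digits). Deliberately small; Unicode TR39 lists the full confusable set.
CONFUSABLES = str.maketrans({
    "а": "a", "е": "e", "о": "o", "р": "p", "с": "c", "у": "y", "х": "x",
    "і": "i", "ј": "j", "ѕ": "s", "һ": "h", "ԁ": "d", "ɡ": "g",
    "ο": "o", "ν": "v", "0": "o", "1": "l",
})


def to_unicode(domain: str) -> str:
    """Decode xn-- (punycode) labels so the domain reads as a browser shows it."""
    labels = []
    for label in domain.lower().split("."):
        if label.startswith("xn--"):
            try:
                label = label.encode("ascii").decode("idna")
            except UnicodeError:
                pass  # malformed punycode: keep the wire form for inspection
        labels.append(label)
    return ".".join(labels)


def skeleton(label: str) -> str:
    """Reduce a label to an ASCII 'skeleton': NFKC-normalise, fold single-char
    confusables, then collapse the multi-char lookalikes rn->m and vv->w."""
    folded = unicodedata.normalize("NFKC", label).translate(CONFUSABLES)
    return folded.replace("rn", "m").replace("vv", "w")


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance (insert / delete / substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_label(domain: str) -> str:
    """Second-level label. Assumption: single-label TLDs; a real deployment
    would consult the Public Suffix List so that 'x.co.uk' is handled."""
    parts = domain.split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def classify(candidate: str, legitimate: list[str] = LEGITIMATE) -> list[tuple[str, str, str]]:
    """Return (candidate, kind, impersonated_domain) findings for one domain.

    kind is one of: homograph, wrong-tld, typosquat, combosquat."""
    shown = to_unicode(candidate)
    label = registrable_label(shown)
    skel = skeleton(label)
    findings = []
    for legit in legitimate:
        if shown == legit:
            continue  # the genuine domain itself is never a finding
        legit_label = registrable_label(legit)
        legit_skel = skeleton(legit_label)
        # Typo budget scales with length: one edit per five characters, min 1.
        budget = max(1, len(legit_skel) // 5)
        if skel == legit_skel:
            kind = "wrong-tld" if label == legit_label else "homograph"
            findings.append((candidate, kind, legit))
        elif edit_distance(skel, legit_skel) <= budget:
            findings.append((candidate, "typosquat", legit))
        elif legit_skel in skel.replace("-", ""):
            findings.append((candidate, "combosquat", legit))
    return findings


# Constructed wire form of a Cyrillic-'а' homograph, as it would appear in
# DNS logs or a certificate transparency feed (the browser shows 'turkhаber').
CYRILLIC_WIRE = "turkh\u0430ber.example".encode("idna").decode("ascii")

# Constructed candidates, e.g. from newly registered domains or CT logs.
CANDIDATES = [
    "uyghurtimes.example",      # genuine
    "uyghurtirnes.example",     # 'rn' for 'm'
    CYRILLIC_WIRE,              # punycode homograph
    "turkhabr.example",         # one-character typo
    "uyghurtimes.test",         # right name, wrong TLD
    "login-doguhaber.example",  # real name with an added token
    "bbc.example",              # unrelated
]

if __name__ == "__main__":
    for domain in CANDIDATES:
        for cand, kind, legit in classify(domain):
            print(f"{cand!s:32} {kind:10} impersonates {legit}")
```

The skeleton step is a cut-down version of the confusable-skeleton idea in Unicode TR39; in production you would load the full confusables table and the Public Suffix List rather than the hand-written stubs used here.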
It also compromised legitimate websites frequented by its targets for use in watering-hole attacks. Some of the sites found during the investigation served malicious JavaScript that installed the Apple iOS malware known as Insomnia on visitors’ devices.
The group took multiple steps to conceal its activity and protect its tooling. In particular, the watering-hole sites delivered Insomnia only to visitors who passed technical checks on their IP address, operating system, browser, and country and language settings, a gating step that also kept the exploit chain away from anyone visiting from outside the intended target profile.
Earth Empusa also targeted Android users through fake third-party app stores distributing trojanised applications, including a keyboard app, a call-to-prayer app and a dictionary app, that carried the ActionSpy and PluginPhantom malware, probably developed by outsourced software developers.
Facebook has shared its findings, including indicators of compromise (IoCs), with the security community and has published its full report.
FireEye Mandiant Threat Intelligence analysis director Ben Read, who helped in the takedown, commented: “FireEye uncovered an operation targeting the Uyghur community and other Chinese speakers through malicious mobile applications that were designed to collect extensive personal information from victims, including GPS location, SMS, contacts lists, screenshots, audio and keystrokes.
“This operation has been active since at least 2019 and is designed for long-term persistence on victim phones, enabling the operators to gather vast amounts of personal data. We believe this operation was conducted in support of the [Chinese] government, which frequently targets the Uyghur minority through cyber espionage activity.
“On several occasions, the Chinese cyber espionage actors have leveraged mobile malware to target Uyghurs, Tibetans, Hong Kong democracy activists and others believed to be threats to the stability of the regime.”