Cyber Incident Victim: Uyghurtimes
Date: Aug 2019
Location: China
Summary
Chinese state-sponsored actors conducted cyber operations against the Uyghur diaspora through compromised websites and malicious infrastructure. The attackers deployed an Android exploit, the Scanbox profiling framework, and fraudulent Google OAuth prompts to steal emails and contacts, and registered look-alike domains imitating legitimate platforms to host phishing content and payloads. Together these campaigns enabled systematic surveillance and data collection from the victim group across web and mobile attack vectors.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 3 motives | 2 techniques |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
Between 2013 and 2019, Chinese state-sponsored advanced persistent threat (APT) groups conducted extensive cyber surveillance and exploitation campaigns targeting the Uyghur diaspora and related organizations. These operations escalated around August 2019, with attackers compromising at least 11 websites associated with Uyghur and East Turkistan causes. The compromised sites hosted unauthorized JavaScript code that enabled redirection to attacker-controlled infrastructure and deployment of surveillance tools. Attackers utilized the Scanbox framework to profile website visitors by harvesting system information, installed software, and browsing behavior. This reconnaissance facilitated selective targeting of high-value individuals through follow-on exploitation.

The campaigns employed multiple technical vectors to establish persistent surveillance. Android users were targeted with an exploit that delivered a 64-bit ARM executable, while the attackers abused Google's OAuth flow through a fraudulent application to obtain access to victims' Gmail accounts, including emails and contact lists. Doppelganger domains mimicking legitimate services such as Google, the Turkistan Times, and the Uyghur Academy were created to host phishing content and malicious payloads. Volexity's investigation attributed the activity to at least two distinct Chinese APT groups, though specific group identifiers were not disclosed. The attackers maintained an extensive infrastructure network and referenced it using IP addresses written as single decimal integers rather than dotted quads, a form that browsers resolve normally but that evades naive URL and indicator matching. Consequences included widespread monitoring of Uyghur activists' communications, extraction of sensitive personal data from mobile devices, and potential compromise of organizational networks through the stolen mailbox access. Volexity documented network signatures and attacker tactics to aid detection but did not report containment measures taken by victims.
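The decimal-encoded IP addresses mentioned above are a cheap but effective obfuscation: a browser will happily fetch `http://3405803781/`, while a defender grepping compromised pages or proxy logs for dotted quads or known domains will miss it. The following script, added here as an example and not part of the Volexity report or the incident page, scans HTML or JavaScript text for URLs whose host is an integer-encoded IPv4 address and decodes it to dotted-quad form so it can be checked against indicator lists. It goes slightly beyond the page by also handling the hexadecimal (`0x...`) and leading-zero octal spellings that browsers accept. The sample page and every address in it are constructed (documentation ranges), not taken from the actual compromised sites.

```python
import ipaddress
import re
from typing import List, Optional, Tuple

# Captures the host[:port] portion of an http(s) URL embedded in HTML/JS text.
URL_HOST_RE = re.compile(r"https?://([^/\s\"'<>]+)", re.IGNORECASE)


def decode_numeric_host(host: str) -> Optional[str]:
    """Decode a whole-integer IPv4 host into dotted-quad form.

    Accepts the three spellings browsers resolve: plain decimal ("3405803781"),
    hexadecimal with a 0x prefix ("0xCB007106") and leading-zero octal
    ("030614662007"). Returns None for ordinary hostnames and for addresses
    already written as dotted quads, since those need no decoding.
    """
    h = host.rsplit(":", 1)[0]  # drop an explicit port, e.g. "0xCB007106:8080"
    try:
        if re.fullmatch(r"0[xX][0-9a-fA-F]+", h):
            n = int(h, 16)
        elif re.fullmatch(r"0[0-7]+", h):
            n = int(h, 8)
        elif re.fullmatch(r"[1-9]\d*", h):
            n = int(h, 10)
        else:
            return None
    except ValueError:
        return None
    if n > 0xFFFFFFFF:  # larger than a 32-bit address: not a valid IPv4 encoding
        return None
    return str(ipaddress.IPv4Address(n))


def find_numeric_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (raw_host, decoded_ip) for every URL in text whose host is an
    integer-encoded IPv4 address, in order of appearance."""
    hits = []
    for match in URL_HOST_RE.finditer(text):
        raw = match.group(1)
        decoded = decode_numeric_host(raw)
        if decoded is not None:
            hits.append((raw, decoded))
    return hits


# Constructed sample of a page with injected script/iframe tags; the addresses
# are from RFC 5737 documentation ranges and are NOT real attacker infrastructure.
SAMPLE_PAGE = """<html><body>
<script src="https://cdn.example.net/jquery.min.js"></script>
<script type="text/javascript" src="http://3405803781/js/jquery.js"></script>
<iframe src="http://0xCB007106:8080/s.php" width="0" height="0"></iframe>
<img src="http://030614662007/p.gif">
<a href="http://203.0.113.9/news">news</a>
</body></html>"""


if __name__ == "__main__":
    for raw, ip in find_numeric_hosts(SAMPLE_PAGE):
        print(f"{raw:>20}  ->  {ip}")
```

Run against a crawl of your own site's pages, anything this reports is worth a second look: legitimate content almost never links to a bare integer host, and the decoded address can be fed straight into a blocklist or a passive-DNS lookup. Note that the page's own markup also matters; in this incident the injected tags were the delivery vehicle for Scanbox, so the scan should cover inline `<script>` bodies as well as `src` and `href` attributes, which the regex above already does since it matches anywhere in the text.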
