
Cyber Incident Victim: Uyghur Academy

Date: Aug 2019

Location: China

Summary

Chinese APT groups conducted extensive digital surveillance and exploitation campaigns targeting the Uyghur diaspora, compromising over a dozen websites related to their cause. Attackers deployed malicious frameworks like Scanbox to profile visitors and deliver Android exploits, while creating deceptive domains mimicking legitimate entities including the Uyghur Academy. The campaigns leveraged Google OAuth to hijack Gmail accounts, exfiltrating emails and contact lists. These operations facilitated large-scale monitoring of communications, physical movements, and online activities, aligning with broader efforts to suppress dissent through cyber means. Infrastructure analysis revealed coordination between multiple threat actors employing advanced techniques to maintain persistent access and intelligence gathering against the minority group.

CIA Posture: Available to members
Motives: 3 motives
Tactics, Techniques & Procedures: 3 techniques
Threat Actor: 1 actor
Type: Available to members
Location: Available to members

Description

In 2019, Chinese state-sponsored advanced persistent threat (APT) groups conducted extensive cyber operations targeting the Uyghur diaspora, as documented by Volexity’s September 2019 analysis. These campaigns involved the strategic compromise of at least 11 Uyghur and East Turkistan-related websites, including the Uyghur Academy, to deploy surveillance and exploitation tools. Attackers implanted malicious code on these sites to profile visitors using the Scanbox framework, which harvested system information, installed cookies for tracking, and attempted to deliver exploits. Simultaneously, attackers registered doppelganger domains mimicking legitimate platforms like Google, the Turkistan Times, and the Uyghur Academy to deceive targets into submitting credentials or downloading malware. Mobile users were specifically targeted through a 64-bit ARM executable delivered via an Android exploit chain. The attackers also abused Google OAuth to gain unauthorized access to victims’ Gmail accounts, enabling theft of emails and contact lists. Infrastructure analysis revealed the use of hexadecimal and decimal notation for IP addresses to obscure command-and-control servers.
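The obfuscated IP notation mentioned above (a command-and-control address written in hexadecimal or as a plain decimal integer instead of dotted decimal) is something defenders can normalize before matching hosts against blocklists or indicator feeds. The following Python is an added example, not code from this page or from Volexity's report. The log lines are constructed, and the addresses in them are RFC 1918 placeholders, not indicators from the campaign. It applies the IPv4 host parsing rules that browsers use (`0x` hex, leading-zero octal, a bare integer, and shortened dotted forms), so every notation an attacker might use for the same host maps back to one canonical address.

```python
import ipaddress
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Constructed sample proxy log lines (not from the page or the report):
# "<timestamp> <client> <url>". All four non-canonical hosts below encode the
# placeholder address 192.168.1.1 in a different notation.
SAMPLE_LOG = """\
2019-08-10T12:00:01Z 10.0.0.5 http://0xC0A80101/update/check.js
2019-08-10T12:00:07Z 10.0.0.5 http://3232235777/api/v1
2019-08-10T12:00:09Z 10.0.0.6 http://192.168.1.1/index.html
2019-08-10T12:00:12Z 10.0.0.7 http://0300.0250.0001.0001/x
2019-08-10T12:00:15Z 10.0.0.8 https://example.org/login
"""


def parse_ipv4_number(part: str) -> Optional[int]:
    """Parse one dot-separated label the way browser URL parsers do:
    '0x..' is hex, a leading zero means octal, otherwise decimal."""
    if part.lower().startswith("0x"):
        digits = part[2:]
        return int(digits, 16) if digits else 0  # bare "0x" parses as zero
    if len(part) > 1 and part.startswith("0"):
        try:
            return int(part, 8)
        except ValueError:
            return None  # e.g. "08" is not valid octal
    if part.isdigit():
        return int(part)
    return None


def normalize_ipv4_host(host: str) -> Optional[str]:
    """Return the canonical dotted-quad form if `host` is an IPv4 literal in any
    browser-accepted notation (hex, octal, bare integer, 1 to 4 labels), else None."""
    parts = host.split(".")
    if parts and parts[-1] == "":
        parts.pop()  # a single trailing dot is tolerated
    if not 1 <= len(parts) <= 4:
        return None
    numbers = []
    for p in parts:
        n = parse_ipv4_number(p)
        if n is None:
            return None
        numbers.append(n)
    # Every label except the last must fit in one byte; the last label fills
    # the remaining bytes (so "1.2" means 1.0.0.2 and "3232235777" is 4 bytes).
    if any(n > 255 for n in numbers[:-1]):
        return None
    last = numbers[-1]
    if last >= 256 ** (5 - len(numbers)):
        return None
    value = 0
    for i, n in enumerate(numbers[:-1]):
        value += n << (8 * (3 - i))
    value += last
    return str(ipaddress.IPv4Address(value))


def classify_url(url: str) -> dict:
    """Extract the host of a URL and report whether it is an IPv4 literal
    written in a non-canonical form."""
    host = urlsplit(url).hostname or ""
    canonical = normalize_ipv4_host(host)
    return {
        "url": url,
        "host": host,
        "ip": canonical,
        "obfuscated": canonical is not None and canonical != host,
    }


def find_obfuscated_hosts(log_text: str) -> List[Tuple[str, str]]:
    """Return (host as logged, canonical IP) for every log line whose URL host
    is an IPv4 address written in hex, octal, integer or shortened notation."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue
        info = classify_url(fields[2])
        if info["obfuscated"]:
            hits.append((info["host"], info["ip"]))
    return hits


if __name__ == "__main__":
    for logged, canonical in find_obfuscated_hosts(SAMPLE_LOG):
        print(f"{logged:>24} -> {canonical}")
```

Feeding the canonical address (rather than the raw host string) into blocklist lookups is the point: a rule keyed on `192.168.1.1` alone would miss three of the four requests in the constructed log, while the normalized form matches all of them.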


The operations formed part of a broader digital suppression campaign against Uyghurs, reflecting physical persecution tactics documented in Xinjiang. Two distinct Chinese APT groups orchestrated these activities, leveraging compromised websites as initial intrusion vectors. While technical specifics of victim remediation were not disclosed, Volexity identified network signatures for detection, including patterns in HTTP User-Agent strings and malicious JavaScript linked to Scanbox. The attacks facilitated large-scale monitoring of Uyghur activists, dissidents, and NGOs, with stolen data likely enabling further targeting. No public mitigation efforts by affected organizations were detailed, though the campaigns demonstrated persistent exploitation of both web and mobile platforms to undermine Uyghur digital communications. The incident underscored the integration of cyber operations with China’s systemic oppression of Uyghur communities.

Sources: 1 source (available to members)