
Cyber Incident Victim: East Turkestan Cultural Center

Date:

Sep 2015

Location:

China

Summary

Chinese state-linked threat actors conducted cyber campaigns targeting the Uyghur diaspora through compromised websites and malicious infrastructure. The attackers deployed Android exploits, the Scanbox framework, and deceptive domains mimicking legitimate services to enable surveillance and data theft, including unauthorized access to Gmail accounts via OAuth. These operations facilitated extensive monitoring and exploitation of the minority group's digital activities.

CIA Posture: Available to members

Motives: 3 motives

Tactics, Techniques & Procedures: 2 techniques

Threat Actor: 1 actor

Type: Available to members

Location: Available to members

Description

The incident involved sustained cyber espionage campaigns targeting Uyghur diaspora communities and affiliated organizations, including entities such as the East Turkestan Cultural Center. Since at least 2019, attackers compromised at least 11 Uyghur and East Turkistan-related websites to deploy surveillance and exploitation tools against visitors. These websites were injected with unauthorized JavaScript code that enabled the profiling of visitors through the Scanbox framework, which collected system information, installed software details, and captured keystrokes. Mobile users running Android OS were specifically targeted via exploits delivering 64-bit ARM executables, while attackers also attempted to hijack Gmail accounts by abusing Google OAuth through malicious applications. Attacker infrastructure included doppelganger domains impersonating Google, the Turkistan Times, and the Uyghur Academy to facilitate credential theft and malware distribution.


The campaigns employed multiple attack vectors, including the Evil Eye surveillance framework and network traffic obfuscation techniques like IP address decimal notation conversion. Two distinct Chinese advanced persistent threat (APT) groups orchestrated these operations, leveraging compromised websites as strategic distribution points. Impacts included unauthorized access to sensitive communications, contact lists from compromised email accounts, and persistent surveillance of Uyghur activists’ online activities. Volexity’s analysis identified attacker infrastructure patterns and network signatures tied to these operations but did not observe specific containment measures by victim organizations. The operations formed part of a broader digital suppression effort against Uyghur communities, complementing physical surveillance and detention campaigns documented in Xinjiang.

Sources
Sources available to members
1 source