Cyber Incident Victim: Istiqlal TV

Date:

Jan 2013

Location:

China

Summary

Chinese APT groups conducted extensive cyber operations against a minority ethnic group, employing compromised websites to deploy surveillance tools and exploitation frameworks. Attackers targeted mobile users via Android exploits, utilized Scanbox for visitor profiling, and abused Google OAuth to harvest Gmail data. Infrastructure included doppelganger domains mimicking legitimate services, facilitating unauthorized access and data exfiltration. Campaigns involved multiple threat actors focusing on digital tracking, malware deployment, and credential theft to monitor and suppress the diaspora community.

CIA Posture: Available to members
Motives: 3 motives
Tactics, Techniques & Procedures: 2 techniques
Threat Actors: 2 actors
Type: Available to members
Location: Available to members

Description

Between 2013 and 2019, Chinese state-sponsored advanced persistent threat (APT) groups conducted extensive cyber surveillance and exploitation campaigns targeting the Uyghur diaspora and affiliated organizations. Attackers compromised at least 11 Uyghur and East Turkistan-related websites, embedding malicious code to facilitate visitor tracking and exploitation. These websites served as strategic platforms for deploying the Scanbox framework, which profiled visitors' systems and browser configurations to enable targeted attacks. Simultaneously, attackers employed doppelganger domains mimicking legitimate entities including Google, the Turkistan Times, and the Uyghur Academy to deceive targets into interacting with malicious infrastructure. Mobile device users running Android OS were targeted through exploits delivering 64-bit ARM executables, while evidence suggested possible parallel targeting of Apple iPhone users. Attackers utilized Google OAuth integrations to gain unauthorized access to victims' Gmail accounts, enabling theft of emails and contact lists for intelligence gathering and further targeting.

Volexity's investigation revealed two distinct Chinese APT groups orchestrating these campaigns, which formed part of a broader digital suppression strategy against Uyghur populations. The attackers maintained persistent access to compromised websites, using them to deploy multiple exploitation frameworks including Evil Eye malware. Infrastructure analysis showed adversaries employed IP addresses encoded in decimal notation for operational security. These campaigns enabled systematic monitoring of Uyghur activists, dissidents, and human rights defenders through cyber espionage and data exfiltration. Volexity documented the attackers' network signatures and infrastructure patterns, confirming the campaigns' operational continuity. The technical evidence correlated with physical persecution documented in Xinjiang, demonstrating integration between digital surveillance and real-world suppression tactics. No victim remediation efforts or containment actions were described in the reporting.
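The integer-encoded IP addresses mentioned above matter to defenders because a URL such as http://3232235777/ is accepted by browsers and HTTP clients as a valid host, yet it does not match a naive dotted-quad indicator search. The following is an added illustration, not code from the report or from Volexity, that decodes bare decimal and 0x-hex hosts back to dotted-quad form so they can be matched against an indicator list. The log lines and the host value 3232235777 (192.168.1.1, a private address) are constructed for this example; the helper names are assumptions.

```python
import ipaddress
import re
from typing import List, Optional, Set, Tuple

# Constructed sample web-proxy log lines (not from the report). The first
# request uses an integer-form host that decodes to 192.168.1.1.
SAMPLE_LOG = """\
2013-01-14T10:02:11Z GET http://3232235777/js/tracker.js 200
2013-01-14T10:02:12Z GET http://192.168.1.1/js/tracker.js 200
2013-01-14T10:03:05Z GET http://example.org/index.html 200
"""

# Captures the host portion of an http/https URL (no port, path, or whitespace).
URL_HOST_RE = re.compile(r"https?://([^/\s:]+)")

def decode_decimal_ip(host: str) -> Optional[str]:
    """Return the dotted-quad form of an integer-encoded IPv4 host, else None.

    Handles the bare decimal form (3232235777) and the 0x-prefixed hex form
    (0xC0A80101) that inet_aton-style parsers accept. Values above 2^32-1
    are not valid IPv4 addresses and are rejected.
    """
    try:
        if host.lower().startswith("0x"):
            value = int(host[2:], 16)
        elif host.isdigit():
            value = int(host, 10)
        else:
            return None
    except ValueError:
        return None
    if value > 0xFFFFFFFF:
        return None
    return str(ipaddress.IPv4Address(value))

def normalize_host(host: str) -> str:
    """Canonical form for matching: decoded dotted-quad if integer-encoded, else unchanged."""
    decoded = decode_decimal_ip(host)
    return decoded if decoded is not None else host

def find_decimal_ip_requests(log_text: str) -> List[Tuple[str, str]]:
    """Return (raw_host, dotted_ip) for each request whose host is integer-encoded."""
    hits = []
    for line in log_text.splitlines():
        match = URL_HOST_RE.search(line)
        if not match:
            continue
        raw_host = match.group(1)
        decoded = decode_decimal_ip(raw_host)
        if decoded is not None:
            hits.append((raw_host, decoded))
    return hits

def match_indicators(log_text: str, indicators: Set[str]) -> List[str]:
    """Return log lines whose normalized host is in the dotted-quad indicator set.

    Without normalization the integer-form request would slip past a plain
    string match on the indicator list.
    """
    matched = []
    for line in log_text.splitlines():
        match = URL_HOST_RE.search(line)
        if match and normalize_host(match.group(1)) in indicators:
            matched.append(line)
    return matched

if __name__ == "__main__":
    for raw, dotted in find_decimal_ip_requests(SAMPLE_LOG):
        print(f"integer-encoded host {raw} -> {dotted}")
    for line in match_indicators(SAMPLE_LOG, {"192.168.1.1"}):
        print("indicator hit:", line)
```

Running the block against the constructed log reports the integer-form request as decoding to 192.168.1.1, and the indicator match then catches both the integer-form and dotted-quad requests, whereas a plain substring search for "192.168.1.1" would only catch the second.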

Sources: 1 source (available to members)