Cyber Incident Victim: Istiqlal TV
Date: Aug 2019
Location: China
Summary
Chinese APT groups conducted cyber campaigns targeting the Uyghur diaspora through compromised websites, including the Turkistan Times, deploying surveillance and exploitation tools. Attackers utilized Android device exploits delivering ARM executables, the Scanbox framework for visitor profiling, and doppelganger domains mimicking legitimate services like Google to facilitate credential theft. These operations aimed to harvest sensitive data, including Gmail access via manipulated OAuth flows, as part of broader digital suppression efforts against the minority group. The infrastructure and tactics indicated coordination by multiple threat actors focused on persistent monitoring and intelligence gathering.
Description
In August 2019, Chinese advanced persistent threat (APT) groups conducted coordinated cyber operations targeting Uyghur diaspora communities and East Turkistan advocacy organizations. Attackers compromised at least 11 Uyghur-related websites, embedding malicious code to enable surveillance and exploitation of visitors. These compromised sites served as platforms for deploying the Scanbox framework, which profiled visitors' systems and browser configurations to identify potential exploitation targets. In parallel, the attackers established doppelganger domains impersonating legitimate entities, including Google, the Uyghur Academy, and the Turkistan Times, to support credential harvesting and social engineering. Android users were targeted with exploits that delivered 64-bit ARM executables, enabling device compromise. The attackers abused Google OAuth flows to gain unauthorized access to victims' Gmail accounts and exfiltrate email contents and contact lists. This multi-vector campaign also used IP addresses written in decimal (integer) notation within attacker infrastructure, potentially to evade detection. Forensic evidence indicated the involvement of at least two distinct Chinese APT groups conducting parallel operations against the same demographic.
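Two of the infrastructure traits described above, decimal-notation IP addresses and doppelganger domains that borrow a legitimate brand name, are easy to miss with naive URL matching. The following is an added example (not code from the original report or from any of the researchers it cites) of detection logic a defender could run over web-proxy logs: it normalizes a pure-integer host such as `3232235777` back to its dotted-quad form and flags hosts that contain a watched brand label without actually being that domain or one of its subdomains. The log lines, the watched-domain list and the host names are constructed for illustration and are not indicators from the campaign.

```python
from urllib.parse import urlsplit

# Constructed sample proxy log lines (timestamp, client, method, URL).
# None of these hosts are real indicators; they are built to exercise the checks.
SAMPLE_LOG = """\
2019-08-02T10:15:01Z 10.0.0.12 GET https://www.google.com/search?q=news
2019-08-02T10:15:07Z 10.0.0.12 GET http://3232235777/js/sb.js
2019-08-02T10:15:09Z 10.0.0.12 GET https://accounts.google.com-verify.example/oauth/authorize
2019-08-02T10:15:12Z 10.0.0.12 GET https://mail.google.com/mail/u/0/
2019-08-02T10:15:15Z 10.0.0.12 GET http://16909060/profile
"""

# Hypothetical watchlist of brands the doppelganger check protects.
LEGITIMATE_DOMAINS = ("google.com",)


def decimal_to_dotted(host):
    """Return the dotted-quad form of a pure-decimal IPv4 host, or None if
    the host is not a decimal integer that fits in 32 bits."""
    if not host.isdigit():
        return None
    value = int(host)
    if value > 0xFFFFFFFF:
        return None
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def is_subdomain_of(host, domain):
    """True when host is exactly domain or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def lookalike_brand(host):
    """Return the watched domain this host imitates: the host contains the
    brand label (e.g. 'google') but is not that domain or a subdomain of it."""
    for domain in LEGITIMATE_DOMAINS:
        if is_subdomain_of(host, domain):
            return None
        label = domain.split(".")[0]
        if label in host:
            return domain
    return None


def analyse_line(line):
    """Parse one log line and return a dict with the host and any findings."""
    parts = line.split()
    if len(parts) < 4:
        return None
    url = parts[3]
    host = (urlsplit(url).hostname or "").lower()
    findings = []
    dotted = decimal_to_dotted(host)
    if dotted:
        findings.append(f"decimal-notation IP host {host} -> {dotted}")
    brand = lookalike_brand(host)
    if brand:
        findings.append(f"lookalike of {brand}: {host}")
    return {"url": url, "host": host, "dotted": dotted, "findings": findings}


def scan_log(text):
    """Return the analysed records that produced at least one finding."""
    alerts = []
    for line in text.splitlines():
        result = analyse_line(line)
        if result and result["findings"]:
            alerts.append(result)
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert["url"])
        for finding in alert["findings"]:
            print("   ", finding)
```

Running the block flags three of the five constructed lines: the two integer hosts (normalized to 192.168.1.1 and 1.2.3.4, which can then be matched against ordinary IP blocklists) and the `google.com-verify.example` host, while the genuine `www.google.com` and `mail.google.com` requests pass. The brand check is deliberately crude: a brand label inside an unrelated legitimate host will also trigger it, so in practice it belongs behind an allowlist or a Public Suffix List-aware comparison. Browsers additionally accept hexadecimal and octal host forms, which this example does not cover.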

The operations resulted in widespread digital surveillance of Uyghur activists, dissidents, and diaspora members through compromised devices and accounts. Successful exploitation gave the attackers persistent access to victims' communications, location data, and personal networks via harvested credentials and implanted malware. The compromised websites served both as initial intrusion vectors and as ongoing intelligence-collection points through visitor profiling. While specific containment measures were not detailed in available reporting, security researchers identified malicious infrastructure patterns, including strategically placed JavaScript injections and attacker-controlled domains mimicking legitimate services. The campaigns formed part of a broader pattern of Chinese state-sponsored operations targeting Uyghur populations, combining cyber exploitation with the physical surveillance and detention programs documented in Xinjiang. Technical artifacts linked these operations to previously observed Chinese APT tradecraft, though attribution to specific groups remained unconfirmed in public reporting. Impact assessments indicated sustained access to victim systems and accounts across multiple compromised platforms over extended periods.
