Cyber Incident Victim: Uighur Times
Date: Jan 2013
Location: China
Summary
Chinese state-linked APT groups conducted extensive cyber espionage campaigns targeting a persecuted ethnic minority through compromised diaspora websites and malicious infrastructure. Attackers deployed Android exploits, the Scanbox framework, and fraudulent domains mimicking legitimate services like Google and Turkistan-related outlets to profile victims, deliver malware, and hijack Gmail accounts via OAuth. The operations enabled broad surveillance and data theft against mobile users and activists, leveraging multiple exploitation vectors to monitor physical movements and online activities.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Not listed | 2 motives | 2 techniques |

| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Not listed | Not listed |
Description
The incident involved sustained cyber campaigns targeting the Uyghur diaspora and affiliated organizations, conducted by at least two Chinese advanced persistent threat (APT) groups. Attackers compromised a minimum of 11 Uyghur and East Turkistan-related websites between 2013 and 2019, injecting unauthorized code to enable surveillance and exploitation. These compromised sites served as strategic platforms for deploying the Scanbox framework, which profiled visitors through browser fingerprinting and vulnerability scanning to identify potential exploitation targets. Simultaneously, attackers employed doppelganger domains impersonating legitimate entities including Google, the Turkistan Times, and the Uyghur Academy to facilitate credential harvesting and social engineering. Mobile device users running Android OS were targeted through exploits delivering 64-bit ARM executables, while attackers also leveraged Google OAuth to gain unauthorized access to victims' Gmail accounts and contact lists. Infrastructure analysis revealed the use of IP addresses encoded in decimal notation for operational security.

The campaigns enabled wide-ranging digital surveillance aligned with physical suppression efforts against Uyghurs in China's Xinjiang region. Technical evidence indicated possible connections to previously observed iPhone exploitation attempts, though attribution specifics were not fully confirmed. Volexity's investigation identified attacker infrastructure patterns and network signatures associated with the malicious activity, documenting systematic exploitation of web platforms frequented by the Uyghur diaspora. No remediation actions by affected organizations were detailed in the reporting. The operations formed part of a broader pattern of cyber-enabled monitoring and harassment against Uyghur communities, with compromised websites serving a dual purpose as intelligence collection points and attack launchpads. These digital surveillance mechanisms complemented the physical tracking methods reported in Xinjiang, extending monitoring capabilities beyond China's borders.
