Cyber Incident Victim: Uighur Times
Date: Aug 2019
Location: China
Summary
Chinese APT groups conducted extensive cyber operations targeting the Uyghur diaspora through compromised websites and malicious infrastructure. Attackers deployed surveillance tools including the Scanbox framework to profile visitors, exploited Android devices via 64-bit ARM executables, and leveraged Google OAuth to illicitly access victims' Gmail accounts and contacts. Doppelganger domains impersonating legitimate platforms like Google and Uyghur-focused media outlets facilitated credential theft and further exploitation. These campaigns enabled persistent monitoring of the minority group's digital activities, aligning with broader physical suppression efforts. Multiple compromised Uyghur-related websites served as vectors for deploying malicious code and tracking individuals across the diaspora.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 2 motives | 1 technique |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
Between 2013 and 2019, Chinese state-sponsored advanced persistent threat (APT) groups conducted extensive cyber operations targeting the Uyghur diaspora and affiliated organizations. These campaigns intensified around 2019, with attackers compromising at least 11 Uyghur and East Turkistan-related websites, including domains impersonating legitimate entities like the Turkistan Times and the Uyghur Academy. The attackers injected malicious JavaScript code into these websites to deploy the Scanbox reconnaissance framework, which profiled visitors' browser configurations, operating systems, installed plugins, and geographic locations. This initial surveillance enabled selective targeting of high-value individuals, particularly those advocating for Uyghur independence or criticizing Chinese policies in the Xinjiang Uyghur Autonomous Region (XUAR).

Attackers employed multiple exploitation vectors against identified targets. Android mobile users received malicious links delivering a 64-bit ARM executable capable of full device compromise. Simultaneously, attackers created doppelganger domains mimicking Google services to harvest Gmail credentials via fraudulent OAuth authorization prompts, granting access to victims' emails and contact lists. Infrastructure analysis revealed attacker-controlled servers using IP addresses encoded in decimal notation for obfuscation. Volexity attributed the campaigns to at least two distinct Chinese APT groups based on tactical overlaps with historical operations. The operations facilitated persistent surveillance of Uyghur activists, extraction of sensitive communications, and potential identification of individuals for physical repression. No remediation efforts by affected organizations were documented in the reporting period.
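The decimal-notation IP addresses mentioned above are simple to normalize when hunting through proxy or web logs. The following Python is an added illustration, not code from the report or from Volexity; it scans constructed log lines for URLs whose host is a bare integer and converts them back to dotted-quad form so they can be matched against ordinary blocklists.

```python
import re
import ipaddress
from urllib.parse import urlsplit

# Constructed proxy-log lines (not taken from the report), "timestamp client url".
SAMPLE_LOG = """\
2019-08-02T10:15:01Z 10.0.0.5 http://www.example-news.test/index.html
2019-08-02T10:15:03Z 10.0.0.5 http://3232235777/jquery.min.js
2019-08-02T10:16:10Z 10.0.0.7 https://1869573999:8443/api/collect
2019-08-02T10:16:12Z 10.0.0.7 http://192.168.1.1/ok
2019-08-02T10:17:00Z 10.0.0.9 http://0x7f000001/not-decimal
"""

# Only the pure-decimal form discussed on this page; hex/octal variants are not covered.
DECIMAL_HOST = re.compile(r"^\d+$")


def normalize_decimal_host(host):
    """Return the dotted-quad form of a bare-integer IPv4 host, or None if not one."""
    if not DECIMAL_HOST.match(host):
        return None
    value = int(host)
    if value > 0xFFFFFFFF:  # larger than any IPv4 address: not a valid encoding
        return None
    return str(ipaddress.IPv4Address(value))


def find_decimal_ip_hosts(log_text):
    """Return (client, url, dotted_ip) for every request to a decimal-encoded IPv4 host."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # malformed line; skip rather than guess
        _timestamp, client, url = parts
        host = urlsplit(url).hostname  # strips scheme and port
        if host is None:
            continue
        dotted = normalize_decimal_host(host)
        if dotted is not None:
            hits.append((client, url, dotted))
    return hits


if __name__ == "__main__":
    for client, url, dotted in find_decimal_ip_hosts(SAMPLE_LOG):
        print(f"{client} -> {url} (host is {dotted})")
```

Once normalized, the dotted addresses can be compared against indicator lists that would otherwise miss the integer form.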
