Cyber Incident Victim: Turkistanpress
Date: Aug 2019
Location: China
Summary
Chinese APT groups conducted large-scale digital surveillance and exploitation campaigns targeting a minority diaspora, compromising over 11 websites related to their cause. Attackers deployed malicious frameworks including Scanbox for visitor profiling, Android exploits to deliver ARM executables, and doppelganger domains mimicking legitimate services like Turkistan Times to facilitate credential theft. The campaigns leveraged Google OAuth for unauthorized Gmail access, enabling monitoring of communications and contacts, while mobile device users were specifically targeted for malware deployment. These operations enabled extensive data collection and persistent monitoring of the victim community through both web and mobile attack vectors.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 2 motives | 2 techniques |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
Between 2013 and 2019, Chinese state-sponsored advanced persistent threat (APT) groups conducted extensive cyber espionage campaigns targeting the Uyghur diaspora and affiliated organizations. These operations involved the strategic compromise of at least 11 Uyghur and East Turkistan-related websites, including domains associated with media outlets and academic institutions. Attackers injected malicious JavaScript code into these websites to deploy the Scanbox reconnaissance framework, which profiled visitors' browser configurations, operating systems, installed plugins, and geographic locations. This initial surveillance enabled selective follow-on attacks, including the delivery of a 64-bit ARM executable targeting Android mobile device users through exploit chains.

The campaigns employed multiple technical components for persistent surveillance and data exfiltration. Threat actors registered doppelganger domains mimicking legitimate services and organizations, including Google, the Turkistan Times, and the Uyghur Academy, to facilitate credential phishing and malware distribution. They abused Google OAuth authorization flows to gain unauthorized access to victims' Gmail accounts, enabling theft of emails and contact lists. Infrastructure analysis revealed that the attackers used IP addresses written in decimal (dotless integer) notation rather than the usual dotted-quad form, along with compromised WordPress sites, for command-and-control operations. Volexity's investigations identified at least two distinct Chinese APT groups orchestrating these activities, which resulted in widespread monitoring of Uyghur activists, extraction of sensitive communications, and establishment of persistent access to mobile devices. The technical artifacts and targeting patterns aligned with China's broader physical surveillance and detention programs against Uyghur populations in Xinjiang.
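The decimal-notation IP addresses mentioned above are a useful hunting indicator, because a URL such as `http://3232235777/` resolves to an ordinary IPv4 host while evading naive dotted-quad matching. The following is an added example, not code from the Volexity report or from this incident record: it scans constructed proxy log lines (the log format, hosts and paths are invented for illustration) and flags any URL whose host is a bare integer, normalizing it to dotted-quad form. It also goes slightly beyond the page by treating `0x`-prefixed hexadecimal hosts the same way, since browsers accept that form too.

```python
import re
import ipaddress
from urllib.parse import urlsplit

# Constructed sample proxy log lines: "<timestamp> <client> <method> <url> <status>".
# None of these hosts or paths come from the incident described on the page.
SAMPLE_LOG = """\
2019-08-01T10:00:01Z 10.0.0.5 GET http://3232235777/js/loader.js 200
2019-08-01T10:00:02Z 10.0.0.5 GET https://www.example.org/index.html 200
2019-08-01T10:00:03Z 10.0.0.7 GET http://0x7f000001/update.bin 200
2019-08-01T10:00:04Z 10.0.0.7 GET http://192.168.1.1/admin 403
2019-08-01T10:00:05Z 10.0.0.9 POST http://4294967295/c2 200
"""


def numeric_host_to_ipv4(host):
    """Return the dotted-quad form of a host written as a single decimal or
    0x-hex integer, or None if the host is not in that form (or is out of
    the 32-bit IPv4 range). urlsplit() lowercases hostnames, so the hex
    pattern only needs lowercase digits."""
    if re.fullmatch(r"\d+", host):
        value = int(host)
    elif re.fullmatch(r"0x[0-9a-f]+", host):
        value = int(host, 16)
    else:
        return None
    if value > 0xFFFFFFFF:
        return None  # cannot be an IPv4 address
    return str(ipaddress.IPv4Address(value))


def scan_log(text):
    """Yield (client, url, normalized_ip) for every log line whose URL host is
    an integer-notation IPv4 address. Lines with fewer than four fields or
    without a parseable host are skipped rather than raising."""
    findings = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        client, url = parts[1], parts[3]
        host = urlsplit(url).hostname
        if host is None:
            continue
        dotted = numeric_host_to_ipv4(host)
        if dotted is not None:
            findings.append((client, url, dotted))
    return findings


if __name__ == "__main__":
    for client, url, ip in scan_log(SAMPLE_LOG):
        print(f"{client} requested {url} -> integer-notation host is {ip}")
```

The normalized dotted-quad value is what should be compared against blocklists or threat-intel feeds; matching the raw URL string would miss every variant spelling of the same address.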
