
Cyber Incident Victim: Google (imitated domain)

Date:

Jan 2013

Location:

China

Summary

A cyber espionage campaign targeted the Uyghur diaspora through compromised websites and malicious infrastructure, deploying surveillance tools like the Scanbox framework to profile victims and deliver Android exploits. Attackers employed imitated domains, including a Google lookalike, to steal Gmail credentials via OAuth, enabling unauthorized access to emails and contact lists. The operation involved mobile device exploitation and leveraged multiple compromised platforms to facilitate large-scale digital surveillance, with evidence pointing to Chinese advanced persistent threat groups orchestrating these sustained attacks against the minority group.

CIA Posture:

Available to members

Motives:

3 motives (details available to members)

Tactics, Techniques & Procedures:

2 techniques (details available to members)

Threat Actors:

2 actors

Type:

Available to members

Location:

Available to members

Description

Between 2013 and 2019, Chinese state-sponsored advanced persistent threat (APT) groups conducted extensive cyber surveillance and exploitation campaigns targeting the Uyghur diaspora and affiliated organizations. Attackers compromised at least 11 websites related to Uyghur interests and East Turkistan independence movements, injecting malicious JavaScript code into these platforms. The compromised sites served multiple purposes: deploying the Scanbox framework to profile visitors' systems and locations, redirecting Android mobile users to exploits delivering 64-bit ARM executables, and hosting phishing content through doppelganger domains impersonating Google services, the Turkistan Times, and the Uyghur Academy. These fake domains, particularly the Google imitation, facilitated credential harvesting campaigns leveraging Google OAuth to gain unauthorized access to victims' Gmail accounts, including emails and contact lists.

The campaigns enabled persistent monitoring of Uyghur individuals' online activities, physical movements, and social networks. Volexity's analysis identified two distinct Chinese APT groups orchestrating these operations, utilizing attacker infrastructure with IP addresses concealed through decimal notation encoding. Detection efforts revealed the attackers' exploitation toolkit, including the "Evil Eye" surveillance framework and network signatures tied to the infrastructure. While the article notes possible connections to iPhone targeting, it does not confirm iOS exploitation. The operations formed part of a broader pattern of digital suppression complementing physical detention campaigns against Uyghurs in Xinjiang. Volexity documented these activities through technical analysis conducted in collaboration with NGOs and human rights defenders, though specific containment measures or victim remediation actions are not detailed in the provided source material.
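The description above notes that the attacker infrastructure used IP addresses written in decimal notation, a form that many analysts and simple log filters do not recognize as an address. The following added example (written for this page, not code from Volexity or from the original source) shows how a defender can normalize such hosts back to dotted-quad form while reviewing proxy logs. It generalizes slightly beyond the page by also handling a hex-integer host, which is the same evasion in a different base; the log lines, client addresses and URL paths are constructed sample data, not indicators from the incident.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample proxy log (client_ip url), not data from the incident.
# The first and third lines use a single-integer host instead of a dotted quad.
SAMPLE_LOG = """\
10.0.0.5 http://3232235777/js/init.js
10.0.0.7 http://www.example.org/index.html
10.0.0.9 http://0xC0A80101/update.apk
10.0.0.12 http://192.168.1.1/login
"""

DECIMAL_HOST = re.compile(r"[0-9]+")
HEX_HOST = re.compile(r"0[xX][0-9a-fA-F]+")


def normalize_host(host):
    """Return the dotted-quad form of an IPv4 host that was written as a single
    decimal or hex integer; return None when the host is not in such a form."""
    if HEX_HOST.fullmatch(host):
        value = int(host, 16)
    elif DECIMAL_HOST.fullmatch(host):
        value = int(host, 10)
    else:
        return None
    # Anything above 32 bits cannot be an IPv4 address; browsers reject it too.
    if value > 0xFFFFFFFF:
        return None
    return str(ipaddress.IPv4Address(value))


def find_obscured_ip_urls(log_text):
    """Scan 'client url' log lines and return (client, url, decoded_ip) for each
    URL whose host is an integer-encoded IPv4 address."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue
        client, url = parts
        host = urlsplit(url).hostname  # lowercased by urlsplit; regexes allow that
        if host is None:
            continue
        decoded = normalize_host(host)
        if decoded is not None:
            hits.append((client, url, decoded))
    return hits


if __name__ == "__main__":
    for client, url, decoded in find_obscured_ip_urls(SAMPLE_LOG):
        print(f"{client} -> {url} (host decodes to {decoded})")
```

Once the host is in dotted-quad form it can be compared against block lists or threat-intelligence feeds that would otherwise miss the encoded variant; the same normalization belongs in any URL-matching rule that keys on IP literals.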

Sources:

1 source (available to members)