Cyber Incident Victim: Uyghur Academy
Date: Jan 2013
Location: China
Summary
A multi-year cyber campaign targeted the Uyghur diaspora through compromised websites and attacker-controlled infrastructure, deploying the Scanbox profiling framework and Android exploits to fingerprint and monitor devices and harvest data. The attackers used doppelganger domains mimicking legitimate entities, including the Uyghur Academy, and abused Google OAuth authorizations to gain access to victims' Gmail accounts. Two Chinese APT groups conducted these operations, enabling extensive digital tracking and exploitation of the minority group.
Description
Between 2013 and 2019, Chinese state-sponsored advanced persistent threat (APT) groups conducted extensive cyber surveillance and exploitation campaigns against the Uyghur diaspora, particularly activists and organizations advocating for East Turkistan independence. The attackers compromised at least 11 Uyghur-related websites, including the Uyghur Academy, by injecting code that silently redirected visitors to attacker-controlled infrastructure. These sites served as delivery platforms for the Scanbox framework, which profiled visitors' browser configurations, geolocations, and network details so that follow-on attacks could be tailored to each target. Android users were served exploits that dropped 64-bit ARM executables, while doppelganger domains impersonating Google, the Turkistan Times, and the Uyghur Academy were used to harvest credentials. The threat actors also abused Google OAuth: victims who granted access to an attacker-controlled application handed over their Gmail accounts and contact lists, expanding the surveillance reach to the victims' wider network.

Volexity's analysis attributed these campaigns to two distinct Chinese APT groups. Both obscured their infrastructure with strategically registered domains and by writing IP addresses in decimal (integer) notation rather than dotted-quad form, a trick that defeats naive IP pattern matching in proxies and log searches while browsers still resolve the address normally. The attackers' toolkit included the "Evil Eye" surveillance malware and network signatures consistent with previous China-nexus operations. Together these capabilities enabled systematic monitoring of Uyghur activists' communications, movements, and associations. Although specific containment measures were not detailed, Volexity's disclosure provided network indicators and technical artifacts that allow defenders to detect compromised websites and the malicious infrastructure behind them. The campaigns resulted in widespread digital tracking of the Uyghur community, with the intelligence gathered feeding physical repression aligned with China's policies in Xinjiang.
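The two techniques above that a defender can check for directly are the injected redirect and the integer-notation host. The following is an added example written for this page, not code from Volexity or from the report it describes: it scans a page fragment for http(s) URLs whose host is a bare 32-bit integer (decimal, or hexadecimal with a 0x prefix, which generalises beyond the decimal form the text mentions), normalises each to dotted-quad form, and compares it against an indicator list. The HTML sample, the integer hosts and the indicator set are constructed for illustration and are not indicators from the incident.

```python
"""Find URLs whose host is written as a bare integer and normalise them
to dotted-quad IPv4 so they can be matched against an indicator list."""
import ipaddress
import re

# Constructed sample input (not from the incident): a page fragment with an
# injected meta refresh and a script tag, both pointing at integer-form hosts,
# plus a legitimate-looking script that must not be flagged.
SAMPLE_HTML = """
<html><head>
<meta http-equiv="refresh" content="0;url=http://3232235777/track.php">
<script src="http://0x7F000001:8080/js/profile.js"></script>
<script src="https://cdn.example.org/app.js"></script>
</head></html>
"""

# Constructed indicator set (hypothetical values); real IOCs come from the vendor report.
KNOWN_BAD_IPS = {"192.168.1.1"}

# Scheme, host[:port], then the rest of the URL up to whitespace or a quote/bracket.
URL_RE = re.compile(r"https?://([^/\s\"'<>]+)([^\s\"'<>]*)", re.IGNORECASE)


def integer_host_to_ip(host: str):
    """Return the dotted-quad string for a host written as a bare 32-bit integer
    (decimal, or hexadecimal with a 0x prefix). Returns None for ordinary
    hostnames and for integers outside the IPv4 range."""
    h = host.lower()
    try:
        if h.startswith("0x"):
            value = int(h[2:], 16)
        elif h.isdigit():
            value = int(h, 10)
        else:
            return None
    except ValueError:
        return None
    if value > 0xFFFFFFFF:
        return None
    return str(ipaddress.IPv4Address(value))


def find_obscured_ip_urls(text: str):
    """Scan text for http(s) URLs with integer-form hosts.
    Returns a list of (url, normalised_ip, is_known_bad) tuples in document order."""
    hits = []
    for m in URL_RE.finditer(text):
        hostport = m.group(1)
        # Drop an explicit port before interpreting the host.
        host = hostport.rsplit(":", 1)[0] if ":" in hostport else hostport
        ip = integer_host_to_ip(host)
        if ip is not None:
            hits.append((m.group(0), ip, ip in KNOWN_BAD_IPS))
    return hits


if __name__ == "__main__":
    for url, ip, bad in find_obscured_ip_urls(SAMPLE_HTML):
        flag = " [KNOWN BAD]" if bad else ""
        print(f"{url} -> {ip}{flag}")
```

Running the module prints the two integer-form URLs with their normalised addresses; the first resolves to the constructed indicator and is flagged. The same function can be pointed at proxy logs or at the HTML of a site suspected of carrying an injected redirect, and the normalised form is what should be compared against published indicators, since the raw integer will never match a dotted-quad IOC.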
