
Cyber Incident Victim: Istiqlal TV

Date: Sep 2015

Location: China

Summary

Chinese APT groups conducted surveillance and exploitation campaigns targeting the Uyghur diaspora through compromised websites hosting malicious code, including Android exploits and the Scanbox framework. Attackers utilized Google OAuth to access Gmail accounts, deployed doppelganger domains mimicking legitimate services, and stole sensitive data to monitor and suppress the minority group.

Motives: 3 motives

Tactics, Techniques & Procedures: 1 technique

Threat Actor: 1 actor

Description

Between 2013 and 2019, Chinese state-sponsored advanced persistent threat (APT) groups conducted extensive cyber surveillance and exploitation campaigns targeting the Uyghur diaspora and related organizations. These operations focused on individuals advocating for East Turkistan independence and Uyghur human rights, leveraging compromised websites as central attack platforms. Attackers infiltrated at least 11 Uyghur and East Turkistan-related websites, injecting malicious JavaScript code to profile visitors and deliver exploits. The compromised sites served multiple purposes: deploying the Scanbox framework to collect system information, browser details, and network configurations from visitors, while simultaneously redirecting Android mobile users to sites hosting exploits that delivered 64-bit ARM executables. Attackers registered doppelganger domains mimicking legitimate services including Google, the Turkistan Times, and the Uyghur Academy to enhance credential phishing and malware distribution efforts.


The campaigns employed Google OAuth implementations to steal Gmail access tokens, enabling unauthorized access to victims' emails and contact lists. Forensic analysis revealed attacker infrastructure that used IP addresses encoded in decimal notation for operational security, with command-and-control servers routing traffic through multiple compromised hosts. Volexity identified at least two distinct Chinese APT groups orchestrating these activities and noted possible connections to iPhone-targeting operations, though no conclusive evidence was provided. These coordinated efforts resulted in persistent digital surveillance of Uyghur activists, exfiltration of sensitive communications, and the establishment of long-term access to compromised devices. The technical footprint indicated systematic resource allocation toward monitoring physical movements, online behavior, and organizational networks within the Uyghur diaspora community.
