
Cyber Incident Victim: Uyghur Academy

Date: Sep 2015

Location: China

Summary

Chinese APT groups conducted extensive cyber campaigns targeting the Uyghur diaspora through compromised websites, including doppelganger domains impersonating entities like the Uyghur Academy. Attackers deployed surveillance tools such as the Scanbox framework to profile visitors, exploited Android devices via malicious executables, and leveraged Google OAuth to illicitly access Gmail accounts. These operations facilitated large-scale digital tracking, data theft, and exploitation of mobile users, reflecting systematic efforts to monitor and suppress the minority group through cyber espionage.

CIA Posture: Available to members
Motives: 3 motives
Tactics, Techniques & Procedures: 2 techniques
Threat Actor: 1 actor
Type: Available to members
Location: Available to members

Description

Between 2013 and 2019, Chinese state-sponsored advanced persistent threat (APT) groups conducted extensive cyber surveillance and exploitation campaigns targeting the Uyghur diaspora and related organizations. Attackers compromised at least 11 Uyghur and East Turkistan-related websites, injecting unauthorized code to facilitate surveillance. These compromised sites served as strategic platforms to deploy malicious frameworks including Scanbox, which profiled visitors' browser configurations, geolocations, and system metadata for targeted exploitation. Simultaneously, attackers employed doppelganger domains impersonating legitimate entities such as Google, the Turkistan Times, and the Uyghur Academy to deceive victims into interacting with malicious infrastructure. Mobile device users running Android OS were targeted through exploits delivering 64-bit ARM executables, while attackers also leveraged Google OAuth to gain unauthorized access to victims' Gmail accounts, enabling theft of emails and contact lists. Volexity's investigation revealed ties to at least two distinct Chinese APT groups coordinating these operations, with infrastructure overlaps suggesting possible connections to earlier Apple iPhone exploitation campaigns against Uyghur targets.


The campaigns enabled systematic monitoring of Uyghur activists, dissidents, and human rights defenders through both digital tracking and data exfiltration. Compromised websites facilitated the delivery of reconnaissance payloads that mapped victim networks and harvested personally identifiable information. Attackers utilized IP addresses encoded in decimal notation to obscure command-and-control communications, while the Evil Eye framework provided additional capabilities for persistent access. These operations formed part of a broader pattern of digital suppression complementing physical persecution documented in China's Xinjiang region. Volexity identified attacker infrastructure through network traffic analysis and signature-based detection methods, documenting the use of forged authentication portals and exploit chains tailored for mobile and desktop systems. The sustained targeting demonstrated advanced technical tradecraft focused on long-term intelligence gathering, with compromised websites remaining operational for extended periods to maximize data collection. Forensic evidence indicated continuous adaptation of tactics, including updates to exploitation frameworks and infrastructure rotation to evade detection.
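The description notes that the attackers wrote command-and-control IP addresses in decimal notation, i.e. as a single integer (3232235777 rather than 192.168.1.1), which browsers accept but which defeats naive dotted-quad pattern matching in proxy logs. The following is an added example, not code from the report or from Volexity, showing how a defender can normalize such hosts back to dotted-quad form and flag them in log lines. It goes slightly beyond the page by also handling the hexadecimal form (0xC0A80101), since the same normalization covers it. The log lines, the URLs and the addresses in them are constructed for this example.

```python
import ipaddress
import re
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Constructed sample proxy log lines (timestamp, method, URL); not from the report.
SAMPLE_LOG = """\
2015-09-01T10:00:00Z GET http://3232235777/update.js
2015-09-01T10:00:05Z GET http://www.example.org/index.html
2015-09-01T10:00:09Z GET http://0xC0A80101/ping
2015-09-01T10:00:12Z GET http://192.168.1.1/normal
"""


def normalize_numeric_host(host: str) -> Optional[str]:
    """Return the dotted-quad form of an integer-form IPv4 host, or None.

    Handles plain decimal ("3232235777") and hexadecimal ("0xC0A80101")
    encodings, which browsers resolve as IPv4 addresses.  Anything that
    is already dotted-quad, a DNS name, or out of the 32-bit range is
    left alone by returning None.
    """
    if re.fullmatch(r"\d+", host):
        value = int(host, 10)
    elif re.fullmatch(r"0[xX][0-9a-fA-F]+", host):
        value = int(host, 16)
    else:
        return None
    if value > 0xFFFFFFFF:  # not a valid 32-bit IPv4 value
        return None
    return str(ipaddress.IPv4Address(value))


def find_integer_form_hosts(log_text: str) -> List[Tuple[str, str]]:
    """Scan log lines and return (url, dotted_quad) for integer-form hosts.

    Each line is expected to carry the URL as its third whitespace-separated
    field, as in SAMPLE_LOG; lines that do not fit are skipped.
    """
    findings: List[Tuple[str, str]] = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        url = parts[2]
        host = urlsplit(url).hostname
        if host is None:
            continue
        dotted = normalize_numeric_host(host)
        if dotted is not None:
            findings.append((url, dotted))
    return findings


if __name__ == "__main__":
    for url, dotted in find_integer_form_hosts(SAMPLE_LOG):
        print(f"integer-form host in {url} -> {dotted}")
```

The normalized address is what should be compared against blocklists and threat-intelligence indicators; matching the raw host string would miss every obfuscated encoding of the same address.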

Sources: 1 source (available to members)