
Cyber Incident Victim: Istiqlalhaber

Date:

Aug 2019

Location:

China

Summary

Chinese APT groups conducted extensive cyber operations targeting a minority ethnic group, compromising numerous diaspora-related websites to deploy surveillance tools and exploitation frameworks. Attackers utilized malicious code injections, Scanbox profiling, and Android exploits to monitor victims and steal data, while employing deceptive domains mimicking legitimate services like Google and Uyghur organizations. The campaigns facilitated unauthorized access to Gmail accounts via OAuth abuse and leveraged multiple attack vectors including mobile device compromises. These coordinated efforts enabled persistent digital surveillance, contact harvesting, and intelligence gathering against the community.


Description

In 2019 and earlier years, Chinese state-sponsored advanced persistent threat (APT) groups conducted extensive cyber operations targeting the Uyghur diaspora, particularly those advocating for East Turkistan independence. These campaigns involved the strategic compromise of at least 11 Uyghur- and East Turkistan-related websites, which were modified to host malicious code enabling surveillance and exploitation of visitors. Attackers injected unauthorized JavaScript into the compromised sites to deploy the Scanbox framework, which profiled visitors' browser configurations, geolocations, and network information while attempting to exploit vulnerabilities for further access. Simultaneously, Android device users were targeted with exploits delivering 64-bit ARM executables, indicating a capability for persistent device compromise. The attackers also abused Google's OAuth implementation, presenting deceptive authorization prompts to harvest Gmail credentials and gain access to victims' email content and contact lists.

The operation used sophisticated infrastructure, including doppelganger domains mimicking legitimate services such as Google, the Turkistan Times, and the Uyghur Academy, to enhance phishing credibility. Attackers embedded IP addresses in decimal notation within their malicious scripts to obscure the locations of command-and-control servers. Forensic evidence linked these activities to at least two distinct Chinese APT groups, though specific group names were not disclosed. These coordinated efforts enabled broad monitoring of Uyghur activists' communications, movements, and associations through both web-based and mobile attack vectors. The campaigns formed part of a long-term digital suppression strategy against Uyghur communities, complementing the physical persecution measures documented in Xinjiang. No victim remediation efforts or technical countermeasures were described in the available reporting.
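The decimal-notation trick mentioned above (a host written as a single integer, which browsers still resolve) is easy to miss when injected script is checked against a list of known command-and-control addresses. The following Python, added here and not code from the original report, finds such URLs in script text and normalizes the host to dotted-quad form for indicator matching; the sample script and the private/loopback addresses in it are constructed.

```python
import ipaddress
import re
from typing import List, Optional, Set, Tuple

# Added example, not from the original report. A host written as a bare
# decimal integer (e.g. http://3232235777/) is still resolved by browsers,
# so an indicator list in dotted-quad form will not match it as written.
# Host: run of digits ended by path, port, query, quote, whitespace or end.
DECIMAL_HOST_URL = re.compile(
    r"(?P<scheme>https?://)(?P<host>\d{1,10})(?=[/:?'\"\s]|$)"
)


def decode_decimal_ipv4(value: str) -> Optional[str]:
    """Dotted-quad form of a decimal IPv4 literal, or None if out of range."""
    number = int(value)
    if number > 0xFFFFFFFF:
        return None  # too large to be an IPv4 address
    return str(ipaddress.IPv4Address(number))


def find_decimal_host_urls(script_text: str) -> List[Tuple[str, str]]:
    """(raw_host, dotted_quad) pairs for every decimal-host URL found."""
    findings = []
    for match in DECIMAL_HOST_URL.finditer(script_text):
        dotted = decode_decimal_ipv4(match.group("host"))
        if dotted is not None:
            findings.append((match.group("host"), dotted))
    return findings


def matches_indicators(script_text: str, indicators: Set[str]) -> List[str]:
    """Normalized hosts from the script that appear in the indicator set."""
    return [d for _, d in find_decimal_host_urls(script_text) if d in indicators]


# Constructed sample resembling an injected loader tag; addresses are
# private/loopback and chosen only for illustration.
SAMPLE_SCRIPT = (
    "var s=document.createElement('script');"
    "s.src='http://3232235777/js/r.js';"
    "document.body.appendChild(s);"
    "var ok='https://example.com/static/app.js';"
    "var x='http://2130706433:8080/ping';"
)

if __name__ == "__main__":
    for raw, dotted in find_decimal_host_urls(SAMPLE_SCRIPT):
        print(f"{raw} -> {dotted}")
```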
