Cyber Incident Victim: Uyghur American Association
Date: Jan 2013
Location: China
Summary
Chinese APT groups conducted extensive cyber campaigns targeting the Uyghur diaspora through compromised websites and malicious infrastructure. Attackers deployed Android exploits, the Scanbox framework, and fraudulent Google OAuth prompts to steal Gmail credentials, while using doppelganger domains mimicking legitimate services for surveillance. These operations enabled unauthorized tracking of device activity, behavioral profiling, and exfiltration of sensitive communications and contact lists. Multiple Uyghur-related websites were strategically breached to facilitate exploitation, reflecting systematic efforts to monitor and infiltrate the community's digital presence.
Description
Between 2013 and 2019, Chinese state-sponsored advanced persistent threat (APT) groups conducted extensive cyber surveillance and exploitation campaigns targeting the Uyghur diaspora, particularly activists, NGOs, and organizations advocating for East Turkistan independence. Volexity investigations revealed at least 11 Uyghur and East Turkistan-related websites compromised to facilitate these operations. Attackers injected malicious JavaScript into legitimate sites to deploy the Scanbox framework, which profiled visitors’ browser configurations, geolocations, and network details for selective targeting. Simultaneously, attackers distributed Android exploits delivering 64-bit ARM executables to compromise mobile devices. The campaigns employed doppelganger domains impersonating Google, the Turkistan Times, and the Uyghur Academy to deceive targets into providing credentials or downloading malware.

The attackers utilized Google OAuth integrations to harvest Gmail account access, enabling theft of emails and contact lists for intelligence gathering. Infrastructure analysis revealed IP addresses concealed via decimal notation and domains registered through privacy services. Volexity attributed the activity to at least two distinct Chinese APT groups based on tactical overlaps with historical operations, including potential links to iPhone exploitation campaigns. These groups systematically monitored physical movements, online behaviors, and communications of Uyghur individuals globally. The digital campaigns complemented China’s physical oppression in Xinjiang, extending surveillance capabilities beyond China’s borders to track dissidents and suppress separatist sentiments through cyber espionage.
