Facebook has uncovered a sophisticated espionage campaign conducted by Chinese hackers that tried to trick pro-Uyghur activists and dissidents around the world into downloading malicious software that would allow surveillance of their devices.
The revelations come after growing concern from the US and its allies about China’s repression of 1m Uyghurs in Xinjiang, which politicians globally have referred to as a “genocide”.
The operation, which Facebook attributed to a known Chinese hacking group, created fake versions of news websites popular in Uyghur communities and injected them with malicious software. Users who clicked on the sites would then inadvertently download the malware, allowing the hackers access to their devices.
In other cases, the hackers hid malware in certain pages of websites frequently visited by their targets, and in malicious apps they created in fake versions of app stores.
Facebook said the number of targets was “less than 500” across the world, but that it could not say how many of them had successfully been hacked without access to their devices.
The victims were predominantly Uyghur dissidents, journalists and activists from Xinjiang who are now based outside China, in countries including the US, Turkey, Kazakhstan, Canada and Australia.
Fake accounts on Facebook — impersonating journalists, students, human rights activists and other Uyghur community members — were used to share links to the malicious sites and apps, the company said, adding that it found evidence that the campaign had been ongoing since 2019.
“This activity had the hallmarks of a well-resourced and persistent operation, while obfuscating who is behind it,” Facebook said, naming the Chinese hacking group responsible as Earth Empusa, or Evil Eye. It is unclear whether the group is backed by the Chinese government.
The US, EU, UK and Canada this week co-ordinated the imposition of sanctions on several Chinese Communist party officials for their role in the repression of Uyghurs in Xinjiang. The move marks the growing concern from the West over vast detention camps in the northwestern province.
Antony Blinken, US secretary of state, has described the repression as “genocide” and the Biden administration has stressed that it will take a hard line against Beijing over human rights issues including possible offences in Xinjiang.
The Canadian and Dutch parliaments have also passed resolutions declaring that Beijing is committing “genocide”. Some lawmakers in Washington are also calling for the US to boycott the Winter Olympics that are scheduled to be held in China next year unless the International Olympic Committee moves the games elsewhere.
The various malware strains that Facebook uncovered targeted Android and iOS devices and had different capabilities, from allowing attackers to monitor a phone’s use to turning on a device’s camera and microphone.
Facebook said it was taking action to thwart the network by blocking its infrastructure and the malicious links from its platform. It also said it was alerting victims.
It also named two Chinese vendors, Beijing Best United Technology and Dalian 9Rush Technology Co, that it said were behind the development of the malware tools, although it said it could not ascertain if the companies were those deploying them.