China-based hackers used front companies to hack Uighurs, Facebook says

Facebook on Wednesday exposed what it said was a long-running hacking campaign targeting Uighurs living around the world and supported by Chinese technology firms.

The scheme was aimed at journalists and dissidents, and affected Uighurs living in places like as far-flung as U.S., Turkey and Australia. It involved fake Facebook personas duping targets into clicking on links, as well as malicious Android and iOS software, Facebook said. Facebook said it’s aware of less than 500 people whom the campaign targeted.

Facebook’s investigators traced the Android malware developers in the hacking campaign to Chinese firms Beijing Best United Technology and Dalian 9Rush Technology. Neither could be reached for comment on Wednesday. China has a history of allegedly using front companies as cover for its hacking operations.

The hacking campaign began as far as back as 2019, and Facebook executives said they expected the attackers to continue their spying efforts.

It’s only the latest in a series of surveillance efforts aimed at the Uighurs, a Turkic-speaking people, many of whom live in China’s Xinjiang province. The Chinese government has detained more than 1 million ethnic minorities, many of them Uighur Muslims, in prison camps in the name of “counterterrorism” and security — repression that some State Department officials say amounts to crimes against humanity.

One of the trojanized Android apps tracked by Facebook’s security team posed an app related to prayer. In reality, it planted malicious code on a user’s devices capable of closely tracking their movements.  

In July 2020, security firm Lookout linked a vast spying operation against Uighurs’ mobile phones to the Chinese government. Beijing regularly denies conducting hacking operations.

While Facebook said the hackers in the latest activity were based in China, it stopped short of attributing the activity to Beijing because, the social media firm said, the technical evidence didn’t support that. Nonetheless, Facebook security executives wrote in a blog post Wednesday, “This activity had the hallmarks of a well-resourced and persistent operation, while obfuscating who’s behind it.” 

Ben Read, director of analysis at Mandiant Threat Intelligence, which helped uncover the activity, said his firm believes “this operation was conducted in support of the [Chinese] government.”

The hacking group responsible has also been known to deploy its spyware on users in Tibet, another region of China with a heavily surveilled minority.   

Clarification, 3/24/21: This story has been updated to clarify the number of people that Facebook believes were targeted in this campaign.