Eleven websites related to China’s Uighur population and the East Turkestan region where they reside were compromised and exploited as part of a surveillance operation that may be connected to an iOS hacking campaign revealed last week, according to new security research.
Volexity, an incident response and digital forensics firm, on Monday said at least 11 websites had been “strategically compromised and leveraged as part of a series of attack campaigns” aimed at the Uighur people. By using the affected websites — which include the Uighur Times, the Turkistan Press, Turkistan TV and the Uyghur Academy — hackers could infect visitors’ Android devices and collect information including the unique identification number, the phone number, location, CPU data, username and other sensitive details.
Volexity did not directly attribute the attack to Beijing, saying only that two advanced persistent threat (APT) groups with ties to Chinese were behind it.
The Chinese government in recent years has intensified its persecution of the Uighur population, forcing large numbers of the ethnic minority into mass detention camps and deploying vast surveillance measures against millions of people who have experienced generations of repression.
“The systematic targeting and compromise [of] websites that are run by and cater to Uyghurs make it clear they are the primary targets,” Volexity researchers said. “However, each of the compromised websites are banned by the great firewall in China, leaving largely only those outside the country as targets and potential victims.”
Volexity said only that this attack had “possible ties” to the Google Project Zero findings disclosed last week. In that case, researchers determined unknown attackers had carried out an “indiscriminate” hacking campaign that targeted thousands of Apple iPhones by infecting those devices whenever those devices visited specific URLs (which were not disclosed). Media outlets including TechCrunch and Forbes attributed those attacks to a state-sponsored hacking group, with sources suggesting China was behind the operation.
“While Volexity can only confirm malware targeted Android users through Uyghurs websites, it is reasonable to suspect that these same attack campaigns could have easily been leveraged to target Apple and Microsoft users,” Volexity noted.
Researchers went on to explain that, shortly after Google’s research was made public, three of the DNS names included in the Volexity research went dark. Multiple other sites also began showing Google Safe Browsing warnings, and most of the malicious scripts listed on the compromised sites also were removed in that time period, Volexity noted.
Volexity researchers also noticed code on the Uyghur Academy website that included in the “appstore” term, a possible indication the attackers were using that portal to target iOS.