Researchers say that suspected Chinese hackers are posing as the United Nations and a fake human rights organization in an ongoing campaign to target Uyghurs, an ethnic group that’s repeatedly been on the receiving end of surveillance and cyberattacks this year.
“We believe that these cyber-attacks are motivated by espionage, with the end-game of the operation being the installation of a backdoor into the computers of high-profile targets in the Uyghur community,” said Lotem Finkelsteen, head of threat intelligence at Check Point, which published the research on Wednesday along with fellow security firm Kaspersky.
Researchers observed targeting of the Turkic ethnic group in China, Pakistan and China’s Xinjiang Uyghur Autonomous Region. In one attack method, the hackers use malicious documents bearing the name of the United Nations Human Rights Council. They also erected a website for a non-existent Turkic Culture and Heritage Foundation, luring would-be grant applicants to download a fake security scanner.
Uyghurs have endured a relentless combination of digital and physical abuse, with the Chinese government most commonly identified as the perpetrator, for instance by developing technology to subdue minority populations or buying tech to track Uyghur movement.
The findings published Wednesday are only the newest digital woe for Uyghurs, who in China face what the United States and other nations have labeled genocide. Just a couple of months ago, Facebook publicized a campaign targeting Uyghurs around the world.
Earlier this month, MIT Technology Review detailed an older attack. The incident, involving suspected Chinese hackers exploiting Apple vulnerabilities to target Uyghurs, sparked a row between Google researchers and Apple in 2019.
Last year brought news of more widespread surveillance of Uyghurs by the Chinese government than previously known.
Check Point and Kaspersky could not definitively attribute the latest campaign to China after tracking the attacks on a small group of Uyghurs during the past year. Most of the attacks came during 2020, but the researchers saw some in 2021 and believe the campaign is ongoing.
“Although we were unable to find code or infrastructure similarities to a known threat group, we attribute this activity, with low to medium confidence, to a Chinese-speaking threat actor,” the companies wrote. “When examining the malicious macros in the delivery document, we noticed that some excerpts of the code were identical to [Visual Basic for Applications] code that appeared in multiple Chinese forums, and might have been copied from there directly.”