Chinese Hackers Used Fake Facebook Accounts in Effort to Spread Malware
Several cyber-espionage tactics were used by Chinese hackers to infect devices and enable surveillance.
The social media company disclosed on Wednesday that it had detected a sophisticated espionage campaign, run by a group of Chinese hackers, that sought to trick Uyghur activists and dissidents around the world into downloading malicious software that would allow surveillance of their devices.
Facebook described the cyber-espionage campaign in a blog post.
“They targeted activists, journalists, and dissidents among Uyghurs and other Muslim minorities from Xinjiang in China primarily living abroad in Turkey, Kazakhstan, the United States, and other countries.”
The operation, which Facebook attributed to a Chinese hacking group known in the cybersecurity industry as Earth Empusa or Evil Eye, created fake versions of news websites popular in Uyghur communities and injected them with malicious software.
According to Facebook, the Chinese hackers also created fake Facebook accounts and posed as journalists, students, and human rights advocates to convince their targets to click on links that sent them to these malicious websites, which could then infect their phones.
Similarly, third-party lookalike app stores were built to trick targets into downloading Uyghur-themed apps with malicious code that would allow the hackers to exploit the devices they were installed on.
The links shared through Facebook included links to both legitimate and lookalike news websites, as well as to fake Android app stores.
Users who clicked on the sites would then unknowingly download the malware, allowing the hackers to collect information about them and to gain access to their devices, enabling surveillance.
In the case of the news websites, the Chinese hackers were able to compromise legitimate websites that were frequently browsed by their targets, in a technique known as a watering hole campaign, in order to infect devices with malware, Facebook’s head of cyber espionage investigations Mike Dvilyanski stated.
As stated by FireEye, a cybersecurity firm that worked on the investigation, the software could obtain information including the victim’s location, keystrokes, and contacts.
“Measuring impact and intent can be challenging but we do know even for the small number of users around the world, the consequences [of being hacked] can be very high and that is why the team took this so seriously. It’s a small number of targets, under 500 for the entire campaign, but that is only for the aspects that touched Facebook in some way. The majority of what this threat actor has done took place off Facebook,” said Nathaniel Gleicher, head of security policy for Facebook.
Facebook said it has blocked the malicious websites on its platform, taken down the accounts, and notified those it believes were targeted.
The social media platform also said its cyber team first became aware of the hacking efforts in mid-2020, when the activity on the Facebook platform intensified. The efforts are believed to extend back to 2019.
Facebook’s investigation uncovered links between two technology firms based in China (Beijing Best United Technology Co Ltd and Dalian 9Rush Technology Co Ltd) and the hackers but no direct links to the Chinese Government, which has been criticized for its harsh treatment of Uyghurs in Xinjiang.
FireEye, however, said in a statement that “we believe this operation was conducted in support” of the Chinese Government.