FB crackdown on Chinese hackers targeting Uyghurs

The Facebook threat intelligence analysts disabled the accounts of a group of hackers in China known as "Earth Empusa" or "Evil Eye", disrupting their ability to use  their infrastructure to abuse its platform, distribute malware and hack people's accounts across the Internet. 

The investigation and malware analysis found that Beijing Best United Technology Co., Ltd. (Best Lh) and Dalian 9Rush Technology Co., Ltd. (9Rush), two Chinese companies,  are the developers behind some of the Android tooling deployed by this group. 

"They targeted activists, journalists and dissidents predominantly among Uyghurs from Xinjiang in China primarily living abroad in Turkey, Kazakhstan, the United States, Syria, Australia, Canada and other countries," Nathaniel Gleicher, Head of Security Policy at Facebook, said in a statement late on Wednesday. 

The cyber espionage campaign manifested primarily in sending links to malicious websites rather than direct sharing of the malware itself. 

"We saw this activity slow down at various times, likely in response to our and other companies' actions to disrupt their activity," Facebook said. 

The hacker group set up malicious websites that used look-alike domains for popular Uyghur and Turkish news sites. 

They also appeared to have compromised legitimate websites frequently visited by their targets as part of watering hole attacks. A watering hole attack is when hackers  infect websites frequently visited by intended targets to compromise their devices. 

"This group used fake accounts on Facebook to create fictitious personas posing as journalists, students, human rights advocates or members of the Uyghur community  to build trust with people they targeted and trick them into clicking on malicious links," the social network explained. 

Facebook also found websites set up by this group that mimic third-party Android app stores where they published Uyghur-themed applications, including a keyboard app, prayer app, and dictionary app, and disabled those.