Israel-based cybersecurity researchers said they have uncovered an ongoing cyberattack campaign targeting high-profile targets in the Uighur community, a Turkic ethnic minority group, both in China and Pakistan.
Uighurs are a group native to the Xinjiang Uighur Autonomous Region in northwest China. They are considered to be one of China’s 55 officially recognized ethnic minorities, with Xinjiang home to 12 million Uighurs, most of whom are Muslim. They are being oppressed by controversial Chinese government policies to forcibly assimilate them and other Muslim populations. Beijing claims its policies are necessary because of separatists who want to set up their own state. In April, the Human Rights Watch group said the Chinese government was committing crimes against humanity against the Uighurs.
As part of the campaign to penetrate computers belonging to members of the Uighur community, the attackers send malicious documents by email falsely using the name of the United Nations. They also set up a fake human rights foundation website called the “Turkic Culture and Heritage Foundation,” which tricks people into installing a backdoor to the Windows software running on their computers, giving the hackers access to their data.
Once the backdoor is installed, the attackers can collect nearly any information they want, as well as install additional malware in order to spy on their targets, Israel-based researchers at Check Point Software Technologies and the Kaspersky Global Research and Analysis Team (GReAT) said in a blogpost. The cybersecurity experts have been tracking the attack for the past year, they said.
The researchers said they found that a malicious document named UgyhurApplicationList.docx, which carried the logo of the United Nations Human Rights Council and was emailed to targets, included decoy content from the United Nations General Assembly on human rights violations.
The attackers also invented the fake human rights’ organization called TCAHF, for which they set up a fake website. TCAHF is supposedly a private organization that funds and supports groups working for Turkic culture and human rights. Most of its website’s content are copied from a legitimate website of the foundation “opensocietyfoundations.org” set up by Geroge Soros, which is among the largest private funders of independent groups working for justice.
“The malicious functionality of the TCAHF website is well disguised and only appears when the victim attempts to apply for a grant,” the researchers said. The website claims it must make sure the operating system is safe before the target enters sensitive information, and therefore asks them to download a program to scan their environments. Once the program is downloaded, access to the computers is granted to the hackers.
The researchers said they believe that the malicious campaign is intended to target the Uighur minority or organizations supporting them. They said they have identified “only a handful of victims” in Pakistan and Xinjiang in China. In both cases, the victims were located in regions mostly populated by the Uighur minority.
The cybersecurity experts also said they believed, “with low to medium confidence,” that a Chinese-speaking entity, or threat actor, is behind the attacks, based on code found in the malicious document that was identical to code that appeared in other Chinese forums.
“What we see here are cyber-attacks targeting the Uighurs,” said Lotem Finkelsteen, head of threat intelligence at Check Point. “These attacks clearly utilize the theme of the UN Human Rights Council to trick its targets into downloading malicious malware.”
“We believe that these cyber-attacks are motivated by espionage, with the end-game of the operation being the installation of a backdoor into the computers of high-profile targets in the Uighur community,” Finkelsteen said. “The attacks are designed to fingerprint infected devices, including all of its running programs. From what we can tell, these attacks are ongoing, and new infrastructure is being created for what looks like future attacks.”
Check Point Software Technologies is Israel’s largest cybersecurity company. Kaspersky Lab is a Russia-based cybersecurity firm that has a research team in Israel. The teams collaborated on the project.