
Israel-based cybersecurity experts expose ongoing hack attacks on Uighurs

Attacker believed to be Chinese-speaking entity; created false human rights organization with website that installs malicious material on targets’ computers, making data accessible

Shoshanna Solomon is The Times of Israel's Startups and Business reporter

Illustrative: In this March 15, 2018, file photo, Uighurs and their supporters rally across the street from United Nations headquarters in New York. Members of the Uighur Muslim ethnic group are calling on China to post videos of their relatives who have disappeared into a vast system of internment camps. The campaign follows the release of a state media video showing famed Uighur musician Abdurehim Heyit, who many believed had died in custody. (AP Photo/Seth Wenig, File)

Israel-based cybersecurity researchers said they have uncovered an ongoing cyberattack campaign targeting high-profile targets in the Uighur community, a Turkic ethnic minority group, both in China and Pakistan.

Uighurs are a group native to the Xinjiang Uighur Autonomous Region in northwest China. They are considered to be one of China’s 55 officially recognized ethnic minorities, with Xinjiang home to 12 million Uighurs, most of whom are Muslim. They are being oppressed by controversial Chinese government policies to forcibly assimilate them and other Muslim populations. Beijing claims its policies are necessary because of separatists who want to set up their own state. In April, the Human Rights Watch group said the Chinese government was committing crimes against humanity against the Uighurs.

As part of the campaign to penetrate computers belonging to members of the Uighur community, the attackers send malicious documents by email falsely using the name of the United Nations. They also set up a fake human rights foundation website called the “Turkic Culture and Heritage Foundation,” which tricks people into installing a backdoor to the Windows software running on their computers, giving the hackers access to their data.

Once the backdoor is installed, the attackers can collect nearly any information they want, as well as install additional malware in order to spy on their targets, Israel-based researchers at Check Point Software Technologies and the Kaspersky Global Research and Analysis Team (GReAT) said in a blog post. The cybersecurity experts have been tracking the attack for the past year, they said.

The delivery document carrying the UNHCR logo targeting members of the Uighur community in China and Pakistan, shown by Check Point Software Technologies and Kaspersky’s Global Research & Analysis Team (GReAT) researchers (Courtesy)

The researchers said they found that a malicious document named UgyhurApplicationList.docx, which carried the logo of the United Nations Human Rights Council and was emailed to targets, included decoy content from the United Nations General Assembly on human rights violations.

The attackers also invented the fake human rights organization called TCAHF, for which they set up a fake website. TCAHF is supposedly a private organization that funds and supports groups working for Turkic culture and human rights. Most of its website’s content is copied from the legitimate website of the foundation “opensocietyfoundations.org” set up by George Soros, which is among the largest private funders of independent groups working for justice.

The fake website (top) compared to the legitimate one; Check Point Software Technologies and Kaspersky’s Global Research & Analysis Team (GReAT) researchers say a fake website has been set up to target members of the Uighur community in China and Pakistan (Courtesy)

“The malicious functionality of the TCAHF website is well disguised and only appears when the victim attempts to apply for a grant,” the researchers said. The website claims it must make sure the operating system is safe before the target enters sensitive information, and therefore asks them to download a program to scan their environment. Once that program is installed, the attackers have access to the computer.

The researchers said they believe that the malicious campaign is intended to target the Uighur minority or organizations supporting them. They said they have identified “only a handful of victims” in Pakistan and Xinjiang in China. In both cases, the victims were located in regions mostly populated by the Uighur minority.

The cybersecurity experts also said they believed, “with low to medium confidence,” that a Chinese-speaking entity, or threat actor, is behind the attacks, based on code found in the malicious document that was identical to code that appeared in other Chinese forums.

Lotem Finkelsteen, head of the threat intelligence desk at Check Point Software Technologies in Tel Aviv; Dec. 3, 2018 (Shoshanna Solomon/Times of Israel)

“What we see here are cyber-attacks targeting the Uighurs,” said Lotem Finkelsteen, head of threat intelligence at Check Point. “These attacks clearly utilize the theme of the UN Human Rights Council to trick its targets into downloading malicious malware.”

“We believe that these cyber-attacks are motivated by espionage, with the end-game of the operation being the installation of a backdoor into the computers of high-profile targets in the Uighur community,” Finkelsteen said. “The attacks are designed to fingerprint infected devices, including all of its running programs. From what we can tell, these attacks are ongoing, and new infrastructure is being created for what looks like future attacks.”

Check Point Software Technologies is Israel’s largest cybersecurity company. Kaspersky Lab is a Russia-based cybersecurity firm that has a research team in Israel. The teams collaborated on the project.
