Facebook announcing action against Chinese hackers
Facebook announced it is acting to stop hackers in China known in the security industry as Earth Empusa or Evil Eye from distributing malware and hack people’s accounts across the internet. Facebook says the hackers have targeted activists, journalists and dissidents predominantly among Uyghurs from Xinjiang in China primarily living abroad in Turkey, Kazakhstan, the United States, Syria, Australia, Canada and other countries.
“This group used various cyber espionage tactics to identify its targets and infect their devices with malware to enable surveillance. This activity had the hallmarks of a well-resourced and persistent operation while obfuscating who’s behind it”, Facebook said in a blog post.
”On our platform, this cyber espionage campaign manifested primarily in sending links to malicious websites rather than direct sharing of the malware itself. We saw this activity slow down at various times, likely in response to our and other companies’ actions to disrupt their activity.”
We identified the following tactics, techniques and procedures (TTPs) used by this threat actor across the internet:
- Selective targeting and exploit protection:This group took steps to conceal their activity and protect malicious tools by only infecting people with iOS malware when they passed certain technical checks, including IP address, operating system, browser and country and language settings.
- Compromising and impersonating news websites: This group set up malicious websites that used look-alike domains for popular Uyghur and Turkish news sites.
- Social engineering: This group used fake accounts on Facebook to create fictitious personas posing as journalists, students, human rights advocates or members of the Uyghur community to build trust with people they targeted and trick them into clicking on malicious links.
- Using fake third party app stores:We found websites set up by this group that mimic third-party Android app stores where they published Uyghur-themed applications.
- Outsourcing malware development: We’ve observed this group use several distinct Android malware families.
- Industry tracking: Our industry peers have been tracking parts of this activity as being driven by a single threat actor broadly known as Earth Empusa or Evil Eye or PoisonCarp. We shared our findings and threat indicators with industry peers so they too can detect and stop this activity. To disrupt this operation, we blocked malicious domains from being shared on our platform, took down the group’s accounts and notified people who we believe were targeted by this threat actor.
Moonshot News is an independent European news website for all IT, Media and Advertising professionals, powered by women and with a focus on driving the narrative for diversity, inclusion and gender equality in the industry.
Our mission is to provide top and unbiased information for all professionals and to make sure that women get their fair share of voice in the news and in the spotlight!
We produce original content, news articles, a curated calendar of industry events and a database of women IT, Media and Advertising associations.
