Facebook announced that it is acting to stop a China-based hacking group, known in the security industry as Earth Empusa or Evil Eye, from distributing malware and hijacking people’s accounts across the internet. Facebook says the group has targeted activists, journalists and dissidents, predominantly Uyghurs from Xinjiang in China now living abroad in Turkey, Kazakhstan, the United States, Syria, Australia, Canada and other countries.
“This group used various cyber espionage tactics to identify its targets and infect their devices with malware to enable surveillance. This activity had the hallmarks of a well-resourced and persistent operation while obfuscating who’s behind it”, Facebook said in a blog post.
“On our platform, this cyber espionage campaign manifested primarily in sending links to malicious websites rather than direct sharing of the malware itself. We saw this activity slow down at various times, likely in response to our and other companies’ actions to disrupt their activity.”
We identified the following tactics, techniques and procedures (TTPs) used by this threat actor across the internet:
- Selective targeting and exploit protection: This group took steps to conceal their activity and protect malicious tools by only infecting people with iOS malware when they passed certain technical checks, including IP address, operating system, browser, and country and language settings.
- Compromising and impersonating news websites: This group set up malicious websites that used look-alike domains for popular Uyghur and Turkish news sites.
- Social engineering: This group used fake accounts on Facebook to create fictitious personas posing as journalists, students, human rights advocates or members of the Uyghur community to build trust with people they targeted and trick them into clicking on malicious links.
- Using fake third-party app stores: We found websites set up by this group that mimic third-party Android app stores where they published Uyghur-themed applications.
- Outsourcing malware development: We’ve observed this group use several distinct Android malware families.
- Industry tracking: Our industry peers have been tracking parts of this activity as being driven by a single threat actor broadly known as Earth Empusa or Evil Eye or PoisonCarp. We shared our findings and threat indicators with industry peers so they too can detect and stop this activity. To disrupt this operation, we blocked malicious domains from being shared on our platform, took down the group’s accounts and notified people who we believe were targeted by this threat actor.