A secret group known as Earth Empusa or Evil Eye is attacking the accounts of those exposing repression in Xinjiang.
by Daniela Bovolenta
The Chinese Communist Party’s persecution of Uyghurs is not limited to the Xinjiang region alone, nor is it limited to the physical world. The surveillance of the Uyghurs uses sophisticated hi-tech systems, as well as social platforms and international internet websites.
On March 24, Facebook's official website published an article by Mike Dvilyanski, Head of Cyber Espionage Investigations, and Nathaniel Gleicher, Head of Security Policy. Unfortunately, few media outlets noticed it.
The article reports on the actions taken by Mark Zuckerberg's company against a group of hackers known as Earth Empusa or Evil Eye. According to Facebook's threat intelligence analysts, the group's activities take place on two fronts.
On the one hand, a social engineering operation has been put in place: a network of fake profiles posing as journalists, students, human rights advocates, or members of the Uyghur community. These profiles serve to build trust on social media and to lure targets into clicking on websites and apps laced with malware.
The attacks are carried out in an extremely selective manner, and only after the identity of the person who clicked on the malicious link has been cross-checked against their IP address, operating system, browser, country, and language settings. When a target is identified with certainty, malicious sites or apps infect his or her devices with malware capable of monitoring their activity. In some cases, fake news sites were built to resemble existing ones. On other occasions, the malware was injected into legitimate sites, which unknowingly infected their visitors.
In other cases, the attackers set up fake app stores offering Android applications in the Uyghur language. iOS devices have also been targeted with malware.
Trend Micro, a company specializing in cybersecurity, has for example detected a phishing page disguised as the download page of a popular Android video application. It also confirmed the existence of web pages identical to those of the World Uyghur Congress, intended to deceive visitors and download malware onto their devices.
What the Facebook experts exposed is also confirmed by years of investigation by Volexity, another cybersecurity company, based in Washington DC. In 2019, Volexity published an article stating that the main target of the attacks was the Uyghur diaspora throughout the world.
The hackers of Earth Empusa, based in China, appear to have also taken advantage of external development companies, such as Beijing Best United Technology Co., Ltd. (Best Lh) and Dalian 9Rush Technology Co., Ltd. (9Rush), also based in China.
Facebook announced that, following its investigation, the sharing of content from the malicious sites has been blocked on its platform, a number of accounts have been disabled, and potential victims of the attacks have been warned.