
Cyber Espionage, Facebook blocked Earth Empusa attacks on Uyghurs

Facebook blocked Earth Empusa attacks on Uyghurs. The Chinese hackers (aka Evil Eye) targeted activists, journalists and dissidents with various TTPs to infect their devices with malware

Facebook blocked Earth Empusa (aka Evil Eye) operations to distribute malware and hack people’s accounts across the internet. The operation was disclosed by Mike Dvilyanski, Head of Cyber Espionage Investigations, and Nathaniel Gleicher, Head of Security Policy of the platform, in a blog post. According to the cybersecurity experts, the Chinese hackers targeted activists, journalists and dissidents, predominantly among Uyghurs from Xinjiang, primarily living abroad in Turkey, Kazakhstan, the United States, Syria, Australia, Canada and other countries. This group used various cyber espionage tactics to identify its targets and infect their devices with malware to enable surveillance.

The Chinese hackers’ TTPs

The Facebook cybersecurity experts underlined that Earth Empusa exploited different TTPs:

  • Selective targeting and exploit protection: this group took steps to conceal its activity and protect its malicious tools by only infecting people with iOS malware when they passed certain technical checks, including IP address, operating system, browser, and country and language settings;
  • Compromising and impersonating news websites: the Chinese hackers set up malicious websites that used look-alike domains for popular Uyghur and Turkish news sites. They also appeared to have compromised legitimate websites frequently visited by their targets as part of watering hole attacks. Some of these web pages contained malicious JavaScript code that resembled previously reported exploits, which installed iOS malware known as INSOMNIA on people’s devices once they were compromised;
  • Social engineering: they used fake accounts on Facebook to create fictitious personas posing as journalists, students, human rights advocates or members of the Uyghur community to build trust with the people they targeted and trick them into clicking on malicious links;
  • Using fake third-party app stores: researchers found websites set up by this group that mimic third-party Android app stores, where they published Uyghur-themed applications, including a keyboard app, prayer app, and dictionary app. These apps were trojanized (contained malware that misled people about its true intent) with two Android malware strains — ActionSpy or PluginPhantom;
  • Outsourcing malware development: the APT uses several distinct Android malware families. Specifically, the investigation and malware analysis found that Beijing Best United Technology Co., Ltd. (Best Lh) and Dalian 9Rush Technology Co., Ltd. (9Rush), two Chinese companies, are the developers behind some of the Android tooling deployed by this group. Facebook’s assessment of one of them benefited from research by FireEye, a cybersecurity company. These China-based firms are likely part of a sprawling network of vendors, with varying degrees of operational security.