Human rights activists at a 2021 demonstration organized by the World Uyghur Congress, Free Tibet and more in London.
Citizen Lab found the advocates, including some featured in ICIJ’s China Targets investigation, were targeted with malicious software disguised as a Uyghur-language tool.
Digital security researchers at the University of Toronto’s Citizen Lab say threat actors close to the Chinese government were likely behind an attempt to infiltrate the devices of a group of Uyghur activists with malicious surveillance software hidden in an email, according to a new report.
The malware was disguised in an altered version of a Uyghur language word processing and spell check tool, the researchers said.
They added that the failed cyberattack on the activists, who are affiliated with the Munich-based World Uyghur Congress, appeared to be part of Beijing’s transnational repression campaign — including online surveillance and intimidation — against the Turkic ethnic group native to China’s northwest Xinjiang region. Uyghurs have faced discrimination and rights violations, including mass detention in Xinjiang, by Chinese authorities.
“Such attacks are, of course, annoying and they show that we are fighting against a brutal Chinese government that is trying by all means to erase our voice,” said Erkin Zunun, one of the activists, in an interview with the International Consortium of Investigative Journalists and Paper Trail Media. “We are trying to be a voice for the voiceless, but China is trying to suppress that too.”
Citizen Lab, an academic research lab that studies digital threats, analyzed the malware threat after the activists alerted its researchers, as well as reporters at Paper Trail Media who were investigating Beijing’s tactics to silence its critics overseas as part of the China Targets investigation led by ICIJ.
Members of the World Uyghur Congress have frequently been the targets of cyberattacks by the Chinese state and its proxies, the Citizen Lab report said. By analyzing the traces left by the malware and comparing it to previously analyzed attacks, the researchers said they identified tactics, techniques and tradecraft that “align closely with activities of the Chinese government.”
“The ruse employed by the attackers replicates a typical pattern,” the Citizen Lab report said. “Threat actors likely aligned with the Chinese government have repeatedly instrumentalized software and websites that aim to support marginalized and repressed cultures to digitally target these same communities.”
The Chinese Embassy in Germany did not reply to Paper Trail Media’s request for comment about the alleged attack.
ICIJ’s China Targets investigation is a collaboration between 43 media partners in 30 countries that exposes the mechanics of the Chinese government’s global repression campaign against its perceived enemies — and the governments and international organizations that fail to stop it.
The probe is based on interviews with 105 victims in 23 countries, secret video and audio recordings of police interrogations, internal Chinese documents, and other evidence. The victims include Chinese and Hong Kong political dissidents as well as members of oppressed Uyghur and Tibetan minorities.
Half of the people interviewed by the reporters said they believed they had been followed or were targets of surveillance or spying by Chinese officials or their proxies; 27 said they were victims of an online smear campaign, and 19 said they had received suspicious messages or experienced hacking attempts, including by state actors.
Sowing fear and uncertainty
In early March, Erkin Zunun and other members of the World Uyghur Congress, which advocates for the rights of the Muslim-majority group, received a friendly-sounding email wishing them a blessed Ramadan. “Ramadan Mubarak!” the greeting of the email read.
The sender purported to be associated with one of World Uyghur Congress’ partner organizations and asked the activists to install and test software that enables users to write in Uyghur, a Turkic language with an Arabic-derived alphabet.
Zunun immediately received a Google email notification warning that a “government-backed attack” could be seeking to “compromise” his system.
Zunun told ICIJ and Paper Trail Media that he and other activists are regularly targeted with hacking and phishing attempts, and the tone and wording of the email made him think the Ramadan message was a trap.
He alerted Citizen Lab, whose analysis confirmed the message contained an altered version of real Uyghur language software, which, if activated, could infiltrate a Windows device, collect information, and download and upload files.
Although the attack “was not notable for its technical sophistication,” the researchers concluded, it showed the attackers had a deep understanding of the targets and could ultimately sow “fear and uncertainty about the very tools aiming to support and preserve the [Uyghur] community.”
“The attack demonstrates the ability of a government to reach across borders and target an ethnic minority repressed both at home and abroad even using less technically advanced tools,” the report said.
A Google analyst confirmed the nature of the attack to Paper Trail Media. “Google Threat Intelligence Group thinks the activity is likely the work of China-nexus actors,” said Ben Read, a group senior manager.
Earlier this month, the United Kingdom’s National Cyber Security Centre warned that Uyghur, Tibetan and Taiwanese communities were being targeted with spyware that could collect data, including audio and location information, hidden inside otherwise legitimate apps.
As part of China Targets, ICIJ reported that activists affiliated with the World Uyghur Congress were repeatedly targeted last year around and during the organization’s general assembly in Sarajevo. Among several threats, the organizers received a video of masked men claiming to be Islamic terrorists threatening World Uyghur Congress leaders, and anonymous emails featuring photos of guns and of the hotel where the meeting was held.
Scilla Alecci