China may have been one of the first countries to lock down over the first months of 2020, as Covid-19 began its global spread. But that didn’t stop suspected Chinese spies from carrying out a new smartphone-hacking campaign aimed at one of their favorite targets: the country’s Uighur ethnic minority.
From as early as December of last year and continuing through March, Chinese hackers used so-called “watering hole” attacks to plant malware on the iPhones of Uighurs, according to new findings from the security firm Volexity. To do so, a hacker group that Volexity calls Evil Eye compromised popular Uighur websites, including the news and education site Uyghur Academy and the Uighur Times news outlet. Visiting those sites on an iPhone would automatically infect the device with sophisticated spyware designed to gain access to its data, particularly messaging applications.
That indiscriminate web-based hacking campaign is remarkable not just because it occurred during the peak of China’s novel coronavirus crisis, but also because it began just months after Volexity and Google publicly revealed that the same Evil Eye group was hacking smartphones via those same websites, using a rare collection of previously unknown iOS software vulnerabilities—also known as zero-day vulnerabilities—that shocked the cybersecurity world. The security research group Citizen Lab found that the same zero-day vulnerabilities were also being used to target Tibetan victims, which Volexity sees as a suggestion that the hackers were likely carrying out domestic surveillance on behalf of the Chinese government. The country has faced international criticism over its treatment of both ethnic groups, with a growing focus in recent years on the reported suppression of Uighurs in the Xinjiang region of western China.
The fact that the hackers so quickly retooled and launched a new spy campaign in late 2019 and early 2020 seems to suggest just how determined China’s state-sponsored hackers are to keep tabs on Uighurs’ communications, says Volexity founder Steven Adair. “To put this many resources and effort into developing implants and exploits clearly shows that Uighurs are a high priority target,” says Adair, using the term “exploit” to refer to a hacking technique and “implant” to mean the malware it installs on a target machine. “They’re up there enough that, even in the time of coronavirus and even after this group was publicly outed and exposed, it didn’t deter them from continuing to operate.”
Last fall, Google’s Project Zero research team revealed that a group of hackers had used no fewer than 14 zero-day vulnerabilities in web-based watering hole attacks, which Volexity subsequently tied to an ongoing hacking campaign targeting Chinese Uighurs. The more recent attacks, by contrast, didn’t use any zero-day vulnerabilities, but instead targeted phones that had not installed the iOS security patches released before July 2019, including phones still running iOS versions 12.3, 12.3.1, and 12.3.2. (In separate news, security firm ZecOps today revealed that a zero-day hacking technique had been used against iPhones in the wild, and only patched in a beta update for iOS last week. Update your iPhone to protect against both attacks.)
According to Volexity, the hackers used vulnerabilities in WebKit, which serves as the foundation of iOS browsers, to hack website visitors with malicious iframes planted on the targeted sites. Volexity’s Adair says the exploit would have been almost impossible for a user to detect, and didn’t discriminate among victims, simply infecting every visitor to compromised sites. “For someone on the phone, there’s zero indication this happened,” Adair says. “They just cast the widest net, pulled in the catch, and then went through the results.”