Threat intelligence analysts from Facebook disrupted cyber espionage campaigns by Chinese state-sponsored cybercriminal groups. Tracked as "Earth Empusa" or "Evil Eye," the group is allegedly abusing the Facebook platform to target the Uyghur community from China by tricking them into downloading malware that would allow the hackers to snoop on their devices. The group reportedly targeted activists, journalists, and dissidents of the Uyghur community living in countries including Turkey, the U.S., Kazakhstan, Syria, Australia, and Canada.
Evil Eye's TTPs
The threat group leveraged well-resourced and persistent hacking operations to distribute malicious software and links to compromise targeted devices. The different tactics, techniques, and procedures (TTPs) used by the threat actors include:
- Selective targeting and exploit protection
- Compromising and impersonating news websites
- Social-engineering attacks
- Using fake third-party app stores
- Outsourcing malware development
How capable are Evil Eye operators?
Evil Eye threat actors have been targeting users with Android and iOS exploits and malware for many years. The most recent series of cyberattacks against the Uyghur diaspora includes:
- A wide-ranging series of digital surveillance and exploitation campaigns identified via multiple strategically compromised websites.
- Mobile device users running Android OS targeted via an exploit that delivers a 64-bit ARM executable.
- Website visitors tracked and targeted via the Scanbox profiling and exploitation framework.
- An attacker arsenal that includes malicious Google applications used to gain access to the e-mails and contact lists of Gmail accounts via OAuth.
- Doppelganger domains emulating Google, the Turkistan Times, and the Uyghur Academy leveraged by the attackers.
Facebook Analysts Say…
The threat intelligence experts at Facebook stated that they’ve disrupted the cyber operations of Evil Eye by blocking their malicious domains from being shared on the platform. The social media giant also notified the suspected users targeted by this threat group.
The disruption of the hackers' activities came days after Western countries and blocs, including the European Union, the U.K., the U.S., and Canada, imposed sanctions on officials in China over human rights abuses against the Uyghur minority group.