A recently published report revealed a campaign by Chinese hackers, pretending to be entities associated with the United Nations (UN) or human rights organizations, to hack into and take control of computers used by Muslim minority Uyghurs.
The report was published through a collaboration between Check Point Research (CPR), a U.S.-Israeli cybersecurity firm, and Russian cybersecurity company Kaspersky’s Global Research & Analysis Team (GReAT). The following methods by which Chinese hackers install backdoors on target computers were identified:
- Fake UN document: On a free malware scanning app service named VirusTotal, the hackers inserted a malicious document called “UgyhurApplicationList.docx” that discussed issues related to human rights violations. It contained the logo of the United Nations Human Rights Council (UNHRC).
When users opened the document and clicked on the “enable editing” option, an external template containing malicious macro code was automatically downloaded. This code then decoded an embedded backdoor, which was saved in the %TEMP% directory as “OfficeUpdate.exe.”
- Fake Organization: An organization named Turkic Culture and Heritage Foundation (TCAHF) claimed to fund and support groups working for Turkic culture and human rights. When the targeted individual attempted to apply for a grant, the website asked them to download a program to scan the PC for safety. However, this opened up a backdoor into the victim’s terminal.
The downloaded executables exfiltrated basic system information of infected PCs, and additional commands from the command and control server were fetched as needed. “This means that the researchers have not yet seen all the capabilities of this malware, or the full course of action taken by the attackers following a successful infection,” the report stated.
The authors found that some code excerpts from the malicious macros shared similarities with Visual Basic for Applications (VBA) code on Chinese forums, and “might have been copied from there directly.”
“The motivation behind these cyberattacks seem to indicate a campaign of espionage, with the end game of the operation being the installation of a backdoor into the computers of high-profile targets in the Uyghur community. The attacks are designed to fingerprint infected devices, including all of its running programs.”
The research team found that the hacking attempt affected a “handful of victims in Pakistan and China.” In both cases, the victims were located “in regions mostly populated by the Uyghur minority.” The team attributed the hacking activity, “with low to medium confidence,” to a “Chinese-speaking threat actor.”
While much of the activity occurred in 2020, the perpetrators “are still active and working with newly registered domains.” New infrastructure is being created “for what looks like future attacks.”
The team found a domain impersonating the Turkic Ministry of the Interior, and another domain that redirected to the Terengganu Islamic Foundation, an entity run by the Malaysian government. “This suggests that they are pursuing additional targets in countries such as Malaysia and Turkey,” according the report.
In March this year, Facebook reported that Chinese hackers were targeting Uyghurs living abroad in the United States, Syria, Kazakhstan, Turkey, Canada, Australia, and other nations. The group used various cyber-espionage tactics to “identify its targets and infect their devices with malware to enable surveillance,” the company said in a blog post.
The hacking group established malicious look-alike webpages of popular Turkish and Uyghur websites, while also compromising legitimate domains frequented by their targets. “This group used fake accounts on Facebook to create fictitious personas posing as journalists, students, human rights advocates or members of the Uyghur community to build trust with people they targeted and trick them into clicking on malicious links.”
In September 2019, Reuters reported on hackers working for the Chinese regime who had broken into the telecom networks of Central Asia and Southeast Asia to track down Uyghur travelers.
With reporting by Jonathan Walker