Hackers posing as the United Nations targeted a small group of Uyghur muslims inside China and Pakistan, according to security researchers.
The hackers sent malicious documents pretending to be from the UN and set up a fake website for a human rights foundation in an attempt to identify people within the Uyghur community, according to cybersecurity company Check Point, which published a new report on Thursday.
The research shows how persistent and creative hackers can be in going after one of the most oppressed and persecuted minorities in the world. In the last few years, several cybersecurity companies, media organizations, and tech giants such as Google and Facebook—have discovered hacking campaigns targeting Uyghurs, a Muslim minority from the Xinjiang region in China. Uyghurs there live in what the UN described as a “massive internment camp that is shrouded in secrecy,” and many of them have been detained, deported to other regions in China, or forced to flee out of the country.
The hackers behind the campaign, whom researchers believe may be Chinese-speaking, also tried to trick targets into running a fake antivirus scanner before opening the malicious documents in an attempt to exploit their fears of getting hacked.
The scanner that was supposed to protect the targets was in fact the malware designed to hack them, according to the researchers, who collaborated with Kaspersky Lab on their report.
"They understand that the Uyghurs or people that are trying to attack have a high security awareness and they leverage this," Lotem Finkelsteen, the threat intelligence group manager at Check Point, told Motherboard in a phone call. "They use their paranoia and leverage that to their own goals."
A screenshot of the malicious antivirus scanner that the hackers tricked targets into installing. (Image: Check Point)
The hackers were going after high-profile people within the Uyghur community, people who may be interested in reading UN documents discussing human rights violations, and people who may want to apply for a grant from a foundation. In this case, hackers set up a fake UN website, and a fake website that purported to offer grants from the Turkic Culture and Heritage Foundation. The organization is real, but the hackers set up a malicious fake website for it with content lifted from the Open Society Foundations, according to the researchers.
A screenshot of the malicious fake UN document sent to the targets of the hacking campaign. (Image: Check Point)
Researchers said that the malware used against the targets was not designed to steal any data, but to simply give hackers a profile of the people they were going after, and the type of computers they were using. The hackers' goal was to whittle down the number of targets and then personalize the malware to send them in a second stage of the campaign.
"It's definitely an attempt to filter and characterize the victims within this community," Finkelsteen said. "They are trying to filter people with the right interest and the right relations, then they try to fingerprint the systems they use."
Do you research or track hacking campaigns against Uyghurs or other minorities? We’d love to hear from you. You can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, OTR chat at email@example.com, or email firstname.lastname@example.org
Researchers said they were not able to observe the second stage of the campaign.
The researchers were unable to definitively determine exactly who is behind this campaign, but wrote in the report that they have "low to medium confidence" that it's a Chinese-speaking group, based on who they were going after, and the fact that they used code from a Chinese hacking forum. The campaign was active last year, but researchers said they were able to find some new infrastructure this year that linked to the campaign. This shows the hackers are still actively going after Uyghurs and may be expanding their scope to other countries like Malaysia and Turkey, researchers said.
Subscribe to our cybersecurity podcast CYBER, here.