The announcement came as the United States, Britain, Canada and the European Union this week announced sanctions on Chinese officials for violating the human rights of its Uyghur minority, whose forced assimilation and detention in reeducation camps in northwest China has drawn international condemnation.
In December, Facebook launched an initiative to expose cyberespionage campaigns targeting journalists, dissidents and others, and this week’s operation marks its third such disruption. It has also taken action against hackers in Vietnam and Bangladesh.
Facebook said the hackers posed as journalists and human rights activists on the social media platform and sent targets links to malicious websites. Some of the sites were fake, mimicking popular Uyghur and Turkish news sites; some were legitimate sites frequently visited by their targets, said Nathaniel Gleicher, Facebook’s head of security policy.
Most of the victims wound up at the malicious sites through ways other than Facebook links, Gleicher said. But the links led Facebook to investigate the tactics the spies used.
Facebook has not identified the specific espionage group, which it has been tracking since last year, but through technical indicators was able to place the hackers in China.
“This activity had the hallmarks of a well-resourced and persistent operation, while obfuscating who’s behind it,’’ Facebook said in a blog post. The firm also shared information it had gathered on the hackers with federal law enforcement.
The Chinese Ministry of Foreign Affairs did not reply to a request for comment.
Other threat research firms that have monitored the same group assessed that the hackers worked for the Chinese government. “It’s absolutely a nation-state,” said Steven Adair, founder and president of Volexity, a cybersecurity firm, which first detected the group in 2019 installing malware on Android phones. Volexity later saw the group, which it dubbed Evil Eye, exploiting Apple iOS devices.
“Who has the resources, time and money to compromise these sites, develop this malware, worth potentially millions of dollars and then spend so much time to go after the Uyghur diaspora?” he said. “The answer is very clear.”
Gleicher noted that the campaign was “super targeted.” Fewer than 500 individuals in total were identified as having been sent malware on their phones or devices, he said. Most of them were in Turkey, followed by Kazakhstan and the United States, which had fewer than 100. “They were very careful to be hitting their [target] community,” he said.
The hackers infected the devices only of individuals who met the target profile, apparently determined by IP address, browser, country and language settings, Gleicher said.
The group also set up websites that posed as third-party Android app stores, where they published Uyghur-themed applications, including keyboard, prayer and dictionary apps that contained malware, Facebook said.
Some of the Android malware was developed by two Chinese companies, Best Lh Technology and 9Rush Technology, the firm said.
Highlighting the espionage campaign educates the public and the victims, imposes costs on the hackers and aids the researcher community, Gleicher said.
“The majority of this behavior is intentionally designed to stitch together multiple platforms,” he said. “You see them using the open Internet, targeting Android and iOS, using messaging platforms.”
So, he said, besides disrupting the campaign, “being public about what we see is another thing that we can do to help the broader community.”
Gerry Shih in Taipei, Taiwan, contributed to this report