Chinese cyber espionage operation targeted Canadian Uyghurs, says Facebook

Facebook says sophisticated operation used its platform to lead targets to sites containing malware

A demonstrator wearing a mask painted with the colours of the flag of East Turkestan and a hand bearing the colours of the Chinese flag attends a protest against China’s treatment of ethnic Uyghur Muslims in Istanbul on July 5, 2018. (Ozan Kose/AFP/Getty Images)

Members of Canada’s Uyghur community have been targeted by a sophisticated cyber espionage campaign that has been trying to infect devices with malware to permit surveillance, Facebook said today.

Facebook said the campaign used its platform to target hundreds of Uyghur activists, journalists and dissidents in several countries with posts designed to take them to other websites harbouring malware. The company said it cannot tell how many people were tricked into clicking on links that infected their mobile phones or computers.

Facebook Canada said it will notify “fewer than 20” people in Canada who were targeted.

The company said it traced the malware used by the hackers — known as Earth Empusa or Evil Eye — to two companies in China. Facebook said it was not able to determine whether the Chinese government was involved.

“This group used various cyber espionage tactics to identify its targets and infect their devices with malware to enable surveillance,” wrote Mike Dvilyanski — head of cyber espionage investigations for Facebook — and the company’s head of security policy Nathaniel Gleicher in a media statement.

“This activity had the hallmarks of a well resourced and persistent operation, while obfuscating who’s behind it.”

Facebook said the operation targeted Uyghurs from China’s Xinjiang province living in Canada, the United States, Turkey, Kazakhstan, Syria, Australia and other countries.

Fake accounts, fake sites

Facebook said the operation used a variety of techniques to reach the people it was targeting. The company said the hackers set up Facebook accounts where they posed as “journalists, students, human rights advocates or members of the Uyghur community to build trust with people they targeted and trick them into clicking on malicious links.”

They also set up malicious websites that looked like popular Uyghur or Turkish news sites and launched “watering hole attacks” to infect visitors to legitimate websites, Facebook said.

Facebook said the hackers also set up fake third party stores with Uyghur-themed apps that contained malware. They included a keyboard app, a prayer app and a dictionary app.

“To disrupt this operation, we blocked malicious domains from being shared on our platform, took down the group’s accounts and notified people who we believe were targeted by this threat actor,” Facebook said.

Evan Koronewski is a spokesperson for the Communications Security Establishment, Canada’s electronic spy agency. He said the CSE welcomes Facebook’s move to disrupt the Chinese cyber espionage campaign.

“Online foreign influence campaigns are almost certainly ongoing and not limited to key political events like elections,” he wrote in an e-mailed response. “Online foreign influence activities are a new normal, and adversaries seek to influence domestic events, as well as impact international discourse related to current events.”

CSE officials are scheduled to testify Thursday before a parliamentary committee on relations between Canada and China.

News of the cyber espionage operation comes the same week that Canada and other countries sanctioned four Chinese officials for human rights abuses in Xinjiang. Global Affairs Canada said Beijing has arbitrarily imprisoned more than a million people on the basis of their religion and ethnicity.

It also comes a month after the House of Commons voted to declare China’s actions in Xinjiang “a genocide.”

Mehmet Tohti, executive director of the Uyghur Rights Advocacy Project, said Chinese authorities have long targeted the roughly 2,000-member Uyghur community in Canada. What Facebook reported today, he said, is more sophisticated than previous tactics — such as sending e-mails that sound like they come from a friend and encouraging people to click on links.

Tohti said he has not yet heard from anyone contacted by Facebook, adding many Canadian Uyghurs are already wary of social media and any apps that originate in China.

‘Canadians are rightly worried’

Conservative foreign affairs critic Michael Chong said it’s “long past time” for Prime Minister Justin Trudeau’s government to act.

“The Chinese regime’s ongoing threats and intimidation of Canadians and those living here at home is unacceptable,” he said. “The Trudeau government has yet to introduce a robust plan to counter these threats and intimidation, even though the House of Commons adopted a Conservative motion on Nov. 18, 2020, calling on the Trudeau government to do exactly that.”

NDP foreign affairs critic Jack Harris said both the government and Facebook should be doing more to stop cyber espionage in Canada.

“Canadians are rightly worried and it is not acceptable for this kind of surveillance to be happening in Canada,” Harris said. “The Liberal government has an obligation to require Facebook and other social media giants to ensure they aren’t used as a tool for authoritarian governments.

“We were told that there are legal tools that the government can use to protect Canadians from harassment and surveillance in Canada. Having tougher laws for companies like Facebook is a necessary place to start.”

Elizabeth Thompson can be reached at elizabeth.thompson@cbc.ca