Facebook says Chinese hackers used its platform in targeted campaign to infect, surveil user devices

The hackers were attempting to distribute malware via malicious links shared under fake personas.
Written by Natalie Gagliordi, Contributor

Facebook said it has disrupted a network of hackers tied to China who were attempting to distribute malware via malicious links shared under fake personas. The social network's cyber espionage investigations team has taken action against the group, disabled their accounts and notified the roughly 500 users who were targeted.

The hackers -- believed to be part of the Earth Empusa or Evil Eye groups -- were targeting activists, journalists and dissidents, predominantly among Uyghurs from Xinjiang in China, living abroad in Turkey, Kazakhstan, the US, Syria, Australia, and Canada. 

Facebook said the highly focused campaign was aimed at collecting information about these targets by infecting their devices with malicious code for surveillance purposes. The links that were shared through Facebook included links to both legitimate and lookalike news websites, as well as to fake Android app stores. 

In the case of the news websites, Facebook's head of cyber espionage investigations Mike Dvilyanski said the hackers were able to compromise legitimate websites frequently visited by their targets in a process known as a watering hole campaign intended to infect devices with malware. 

The hackers also created lookalike domains for Turkish news websites and injected malicious code that would infect the target's device with malware. Similarly, third-party lookalike app stores were built to trick targets into downloading Uyghur-themed apps with malicious code that would allow the hackers to exploit the devices they were installed on. 

Facebook said the group took steps to conceal their activity by only infecting people with iOS malware when they passed certain technical checks, including IP address, operating system, browser, and country and language settings.

On Facebook, the malicious infrastructure was blocked and the accounts were taken down. Facebook said its cyber team first became aware of the hacking efforts in mid-2020 based on intensification of the activity on the Facebook platform. It's believed that the efforts extend back to 2019.

"Measuring impact and intent can be challenging but we do know even for the small number of users around the world, the consequences [of being hacked] can be very high and that is why the team took this so seriously," said Nathaniel Gleicher, head of security policy for Facebook. "It's a small number of targets, under 500 for the entire campaign, but that is only for the aspects that touched Facebook in some way. The majority of what this threat actor has done took place off Facebook."


Editorial standards