Mandarin-speaking cyber hackers posing as United Nations (UN) representatives are launching online attacks against ethnic Uyghurs, a Turkic minority group in China’s westernmost Xinjiang territory, the MIT Technology Review reported on Thursday.
Researchers from the U.S.-Israeli cybersecurity firm Check Point and the Russian multinational cybersecurity firm Kaspersky recently identified a cyber attack “in which hackers posing as the UN Human Rights Council send a document detailing human rights violations to Uyghur individuals,” according to the Review. “It is in fact a malicious Microsoft Word file that, once downloaded, fetches malware: the likely goal, say the two companies, is to trick high-profile Uyghurs inside China and Pakistan into opening a back door to their computers.”
The firms also identified another type of cyber attack in which the hackers “set up a fake human rights foundation website called the ‘Turkic Culture and Heritage Foundation,’ which tricks people into installing a backdoor to the [Microsoft] Windows software running on their computers, giving the hackers access to their data,” the Times of Israel reported on May 27.
“What we see here are cyber-attacks targeting the Uyghurs,” Lotem Finkelsteen, head of threat intelligence at Check Point, said in a statement. “These attacks clearly utilize the theme of the UN Human Rights Council to trick its targets into downloading malicious malware.”
“We believe that these cyber-attacks are motivated by espionage, with the end-game of the operation being the installation of a backdoor into the computers of high-profile targets in the Uyghur community,” Finkelsteen said. “The attacks are designed to fingerprint infected devices, including all of its running programs [sic]. From what we can tell, these attacks are ongoing, and new infrastructure is being created for what looks like future attacks.”
Check Point collaborated with Kaspersky to research the cyber attacks over the past year, according to a recent blog post by Check Point. The two firms said they “identified a handful of victims” of the cyber attacks “in Pakistan and China. In both cases, the victims were located in regions mostly populated by the Uyghur minority.” Though the companies’ researchers failed to trace “code or infrastructure similarities to a known threat group,” they said they attributed the malign cyber activity “with low to medium confidence, to a Chinese [Mandarin]-speaking threat actor. When examining the malicious macros [macroinstructions] in the delivery document, the research team noticed that some excerpts of the code were identical to VBA code [programming language] that have appeared in multiple Chinese forums, and might have been copied from there directly.”
The majority of the Uyghur cyberattacks researched by Check Point and Kapersky took place in 2020, but the firms believe the actors behind the campaign “are still active, and working with newly registered domains.”
The Chinese Communist Party (CCP) has detained 1-3 million Uyghurs and other ethnic minorities, such as Kazakhs and Kyrgyz people, in state-run concentration camps since about 2017. The communists claim the extralegal detentions are necessary to curb “extremist” and “terrorist” activity by the mainly Sunni Muslim ethnic minorities in Xinjiang. Survivors and former employees of the camps have testified to experiencing or witnessing slave labor conditions, torture, sexual assault, rape, and forced sterilizations and abortions.
China is a member of the UN Human Rights Council.