Demonstrators wave Uyghur nationalist flags in central Istanbul as they hold up photos of missing relatives caught up in China
Demonstrators wave Uyghur nationalist flags in central Istanbul as they hold up photos of missing relatives caught up in China's crackdown on the Uyghur minority group.
PHOTO: Isil Sariyuce/CNN
Now playing
03:39
Uyghurs plead for answers about family in China
Holocaust Survivor Irene Butter intv ward pkg intl hnk vpx_00001621.png
Holocaust Survivor Irene Butter intv ward pkg intl hnk vpx_00001621.png
Now playing
04:37
Survivor sounds alarm over 'echoes of the Holocaust'
PHOTO: CNN
Now playing
02:27
Young Russians emboldened to speak up against Putin
A year after the first coronavirus lockdown enveloped Wuhan, China, Chinese officials have been cracking down on citizen journalists who risked their freedoms to reveal and preserve the truth about the initial outbreak. CNN
A year after the first coronavirus lockdown enveloped Wuhan, China, Chinese officials have been cracking down on citizen journalists who risked their freedoms to reveal and preserve the truth about the initial outbreak. CNN's David Culver speaks with Chen Kun, who fled the country after his younger brother was arrested for preserving an important internet database of news archives.
PHOTO: CNN
Now playing
04:28
Beijing cracks down on citizen journalists who blew whistle on Covid-19
screengrab farmers protest republic day 2
screengrab farmers protest republic day 2
PHOTO: ANI via Reuters
Now playing
02:34
Video shows police clash with farmers on Republic Day
Now playing
01:01
Watch London police break up an illegal rave
Russia protests Alexey Navalny Putin Pleitgen pkg vpx _00015627.png
Russia protests Alexey Navalny Putin Pleitgen pkg vpx _00015627.png
PHOTO: Reuters
Now playing
02:19
Thousands turn out across Russia to protest Navalny's arrest
PHOTO: FBK
Now playing
02:52
Kremlin critic's investigation into Putin is going viral in Russia
libya russian backed mercenaries wagner investigation npw pkg intl ldn vpx_00001519.png
libya russian backed mercenaries wagner investigation npw pkg intl ldn vpx_00001519.png
Now playing
02:27
Images show huge trench being dug by Russian-backed mercenaries
screengrab who independent panel
screengrab who independent panel
PHOTO: EBS+ News
Now playing
02:34
WHO and China criticized for slow Covid-19 responses
Iraqi security forces keep guard the site of a suicide attack in Baghdad, Iraq January 21, 2021. REUTERS/Thaier al-Sudani
Iraqi security forces keep guard the site of a suicide attack in Baghdad, Iraq January 21, 2021. REUTERS/Thaier al-Sudani
PHOTO: Thaier al-Sudani/Reuters
Now playing
02:42
Dozens killed and hundreds injured in Baghdad suicide blasts
PHOTO: Policia Nacional via Reters
Now playing
00:53
See the aftermath of the Madrid explosion
PHOTO: Alexey Navalny
Now playing
02:35
Navalny urges his supporters to hit the streets
TOPSHOT - Russian President Vladimir Putin crosses himself as he plunges into the icy waters during the celebration of the Epiphany holiday in Moscow region on January 19, 2021. (Photo by Mikhail KLIMENTYEV / SPUTNIK / AFP) (Photo by MIKHAIL KLIMENTYEV/SPUTNIK/AFP via Getty Images)
TOPSHOT - Russian President Vladimir Putin crosses himself as he plunges into the icy waters during the celebration of the Epiphany holiday in Moscow region on January 19, 2021. (Photo by Mikhail KLIMENTYEV / SPUTNIK / AFP) (Photo by MIKHAIL KLIMENTYEV/SPUTNIK/AFP via Getty Images)
PHOTO: MIKHAIL KLIMENTYEV/SPUTNIK/AFP/Getty Images
Now playing
00:36
See Putin take part in traditional icy Epiphany dip
guatemala honduras migrants tear gas Oppmann intl ldn vpx_00000604.png
guatemala honduras migrants tear gas Oppmann intl ldn vpx_00000604.png
PHOTO: CNNE
Now playing
01:30
Authorities use tear gas and batons against US-bound migrants
(CNN) —  

Hackers associated with the Chinese government compromised websites frequented by ethnic minority Uyghurs earlier this year, programming them to install monitoring implants to spy on the phones of users that visited them, according to researchers.

Some of the sites had the capability to infect both Android phones and iPhones, a source familiar with multiple companies’ research on the sites, some of which is not public, confirmed to CNN. It wasn’t clear, however, that the sites were capable of hacking both types of phones at the same time.

The findings highlight just how powerful cyberespionage campaigns can be when governments with sufficient resources decide to spy on particular groups by compromising entire categories of websites and indiscriminately hacking the mobile users who access them.

The broad approach of the attacks could easily be repurposed for other groups, like Hong Kong protesters, said Adam Segal, the director of the Digital and Cyberspace Policy program at the Council on Foreign Relations.

“These are all outwardly facing websites, so you would expect that the capacity would be able to do the same to Taiwanese parties or Hong Kong student websites, or any other websites,” Segal told CNN.

China has been resoundingly condemned by the international community recently for its treatment of Uyghurs, including putting them under intense, multifaceted surveillance.

Researchers at the cybersecurity company Volexity, whose specialties include tracking how the Chinese government spies on Uyghurs, released a report Monday showing how certain websites tailored for a Uyghur audience would automatically hack the Android phones of some people who visit them. Called a “watering hole” attack, the tactic allows a hacker to compromise sites their targets are likely to go to rather than seek them out directly.

As many as a million Uyghur Muslims have been detained in detention “reeducation” camps by the Chinese government in Xinjiang province and they are among the most surveilled groups of people on the planet. Areas with heavy Uyghur populations are rife with security cameras and facial recognition systems, and residents are often relentlessly tracked.

Compromised websites include relatively popular Uyghur news sites and learning resources like the online Uyghur Academy.

“If you literally go searching for Uyghur websites, Uyghur news, these are the search results. They picked a pretty good set of targets to go after the Uyghur population,” Volexity CEO Steven Adair told CNN.

iPhones also targeted

Volexity’s research helps shed light on recent groundbreaking but mysterious research.

Last week Google’s Project Zero, a research team that studies undiscovered, critical software vulnerabilities that leave developers scrambling to write updates to patch them, revealed an unprecedented finding from earlier this year.

The team also described watering hole attacks. But unlike the attacks Volexity documented on Android phones, which exploited known vulnerabilities and wouldn’t affect users who had updated their phones to the latest version of Android, the iPhone findings were shocking.

The team found that practically anyone who visited one of a handful of particular websites on an iPhone, generally regarded as one of the safest common devices on the planet, would be at risk of a monitoring implant being installed on their phone. Apple has since patched the vulnerability on all phones with the latest version of the iOS operating system.

Google declined to share who was affected, prompting a minor controversy in the security community. But a source familiar with Google’s research confirmed that at least some of the URLs Volexity found targeting Uyghur Android users also went after iPhones.

The news that websites referred to in Project Zero’s research were aimed at Uyghurs was first reported by TechCrunch.

On Wednesday, a source familiar with Project Zero’s research confirmed that some of the URLs it saw overlapped with those in Volexity’s report.

Google declined to comment on the record about the issue. Its refusal has led some in the information security community to question why Google would announce a campaign that targeted its competitors’ phones but not mention a similar campaign against its own smartphone operating system. But Project Zero manager Tim Willis defended the company’s decisions on Twitter, saying specifically that Google had found iOS exploits in January. Volexity’s research found Android exploits later in the year.

Nury Turkel, chairman of the Uyghur Human Rights Project, told CNN that while he had been unaware of the watering hole attacks, they were in line with what he has come to expect from China.

“This is the first time I’m seeing this particular report,” Turkel told CNN. “But I can tell you that I am not surprised at this.”

“When I was the head of the Uyghur American Association and the Uyghur Human Rights Project, we were constantly attacked. Our websites were shut down at times, and I was personally the target of email-based hacking attempts,” Turkel said.

China has a long history of aggressively surveilling the digital lives of not only Uyghurs, but also other minorities who either live in China or have fled the country. In 2014, for example, Tibetan Buddhists, a regular target of spearphishing attacks, began a campaign to avoid using email attachments.

Google and Apple declined to comment on the record for this story.