Hackers associated with the Chinese government compromised websites frequented by ethnic minority Uyghurs earlier this year, programming them to install monitoring implants to spy on the phones of users that visited them, according to researchers.
Some of the sites had the capability to infect both Android phones and iPhones, a source familiar with multiple companies’ research on the sites, some of which is not public, confirmed to CNN. It wasn’t clear, however, that the sites were capable of hacking both types of phones at the same time.
The findings highlight just how powerful cyberespionage campaigns can be when governments with sufficient resources decide to spy on particular groups by compromising entire categories of websites and indiscriminately hacking the mobile users who access them.
The broad approach of the attacks could easily be repurposed for other groups, like Hong Kong protesters, said Adam Segal, the director of the Digital and Cyberspace Policy program at the Council on Foreign Relations.
“These are all outwardly facing websites, so you would expect that the capacity would be able to do the same to Taiwanese parties or Hong Kong student websites, or any other websites,” Segal told CNN.
China has been resoundingly condemned by the international community recently for its treatment of Uyghurs, including putting them under intense, multifaceted surveillance.
Researchers at the cybersecurity company Volexity, whose specialties include tracking how the Chinese government spies on Uyghurs, released a report Monday showing how certain websites tailored for a Uyghur audience would automatically hack the Android phones of some people who visit them. Called a “watering hole” attack, the tactic allows a hacker to compromise sites their targets are likely to go to rather than seek those targets out directly.
As many as a million Uyghur Muslims have been detained in “reeducation” camps by the Chinese government in Xinjiang province, and they are among the most surveilled groups of people on the planet. Areas with heavy Uyghur populations are rife with security cameras and facial recognition systems, and residents are often relentlessly tracked.
Compromised websites include relatively popular Uyghur news sites and learning resources like the online Uyghur Academy.
“If you literally go searching for Uyghur websites, Uyghur news, these are the search results. They picked a pretty good set of targets to go after the Uyghur population,” Volexity CEO Steven Adair told CNN.
iPhones also targeted
Volexity’s research helps shed light on recent groundbreaking but mysterious research.
Last week Google’s Project Zero, a research team that studies undiscovered, critical software vulnerabilities that leave developers scrambling to write updates to patch them, revealed an unprecedented finding from earlier this year.
The team also described watering hole attacks. But unlike the attacks Volexity documented on Android phones, which exploited known vulnerabilities and wouldn’t affect users who had updated their phones to the latest version of Android, the iPhone findings were shocking.
The team found that practically anyone who visited one of a handful of particular websites on an iPhone, generally regarded as one of the safest common devices on the planet, would be at risk of a monitoring implant being installed on their phone. Apple has since patched the vulnerability on all phones with the latest version of the iOS operating system.
Google declined to share who was affected, prompting a minor controversy in the security community. But a source familiar with Google’s research confirmed that at least some of the URLs Volexity found targeting Uyghur Android users also went after iPhones.
The news that websites referred to in Project Zero’s research were aimed at Uyghurs was first reported by TechCrunch.
On Wednesday, a source familiar with Project Zero’s research confirmed that some of the URLs it saw overlapped with those in Volexity’s report.
Google declined to comment on the record about the issue. Its refusal has led some in the information security community to question why Google would announce a campaign that targeted its competitors’ phones but not mention a similar campaign against its own smartphone operating system. But Project Zero manager Tim Willis defended the company’s decisions on Twitter, saying specifically that Google had found iOS exploits in January. Volexity’s research found Android exploits later in the year.
Nury Turkel, chairman of the Uyghur Human Rights Project, told CNN that while he had been unaware of the watering hole attacks, they were in line with what he has come to expect from China.
“This is the first time I’m seeing this particular report,” Turkel told CNN. “But I can tell you that I am not surprised at this.”
“When I was the head of the Uyghur American Association and the Uyghur Human Rights Project, we were constantly attacked. Our websites were shut down at times, and I was personally the target of email-based hacking attempts,” Turkel said.
China has a long history of aggressively surveilling the digital lives of not only Uyghurs, but also other minorities who either live in China or have fled the country. In 2014, for example, Tibetan Buddhists, a regular target of spearphishing attacks, began a campaign to avoid using email attachments.
Google and Apple declined to comment on the record for this story.