Chinese Cyberwarfare Targets Uighur Population

China may have the most robust cyberwarfare units in the world, and the country’s relationship with its Muslim Uighur minority has been tense for years. Ethnically, the Uighurs are Turkic Muslims; there are about 11 million of them in China, mainly in the western Xinjiang area.

In the past year, Beijing has reportedly detained more than a million Uighurs in internment camps, according to a United Nations human rights committee. To the average bystander, it would appear that the Chinese government doesn’t like the Uighur people, and it seems that the minority group is one of the targets of China’s cyberwarfare groups.

One incident that really escalated the conflict was the 2014 terrorist knife attack at Kunming’s train station. Although knife attacks are generally far less lethal than gun attacks, the toll was devastating. Witnesses told of assailants dressed in black storming the train station and slashing people indiscriminately with large knives and machetes. In total, the attack caused 33 deaths and 143 people were wounded. Four of the assailants were shot dead at the scene by Chinese police.

Chinese President Xi Jinping blamed the incident on Uighur people. But Chinese Uighurs have reason to be suspicious about being blamed for the attack. A Uighur man who goes by the name Akpar said, “How do we know them? We could not tell if the assailants were Uighurs as they were all dressed in black. We did not like the attack either.”

Is China Monitoring its Uighur Population?

Fast forward to September 2019. It was recently reported that China has been monitoring telecommunications networks in its fight against the Uighur community. The cyber espionage entails monitoring Uighur people who travel between Central and East Asia, particularly “high-value individuals” such as diplomats and foreign military personnel. The telecommunications networks intercepted by the Chinese are based in Turkey, Kazakhstan, India, Thailand and Malaysia, although no companies have been named.

China, of course, denies the allegations. A statement from a Chinese ministry said, “We would again like to stress that China is a resolute safe-guarder of Internet security. We consistently and resolutely oppose and crack down on any forms of Internet attacks.” Maybe when China is the victim, yes.

More technical details come from Volexity, a cybersecurity firm which has been investigating Chinese cyberwarfare. They identified at least 11 Uighur and East Turkistan websites that were allegedly compromised for exploitation and surveillance. At least two separate Chinese APT groups are responsible for ongoing campaigns against Uighurs, according to their data.

Rogue apps have also abused Google’s OAuth authorization flow to gain access to victims’ Gmail messages and contact lists. Phishing sites and associated spoofed domains have imitated Google, the Turkistan Times, and the Uyghur Academy. The firm was also able to find specific code used on the compromised and imitation websites:

“The websites listed above all contained one or more instances of malicious code on them. The code was often updated over time and some websites even housed multiple different instances of malicious code at the same time. The majority of the websites that were linked to by the malicious code were unavailable when Volexity examined them or returned 0-byte responses.

The latter indicates that whitelisting may be employed or that the attack operation was otherwise on pause or being leveraged to simply track visitors. The primary instances where code was returned involved the deployment of Scanbox by one actor and exploit code targeting Android users by another.”

Web, Gmail, and telecommunications infrastructure weren’t the only means Chinese cyberwarfare has used against the Uighurs. Android devices were also exploited. Volexity discovered this through the malicious code found on the websites it investigated; some of that code targets a vulnerability in Chrome for Android as its entry point.
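Volexity’s finding above is that the compromised sites carried injected code that pulled content from attacker-controlled hosts, many of which answered with nothing when examined. The simplest defender-side check for that pattern is to audit your own pages for script and iframe includes that load from hosts outside an allowlist. The Python script below is an added example written for this article; it is not code from the article, from Volexity, or from any of the sites named, and the sample page, the allowlist and every hostname in it are constructed for the example.

```python
"""Audit a web page's HTML for third-party script and iframe includes.

Added example (not from the article or from Volexity): flags includes
that load executable content from hosts outside an allowlist, the
signature of injected watering-hole code. All hostnames and the sample
page are constructed; they are not indicators from the report.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse


class IncludeCollector(HTMLParser):
    """Collects the src attribute of tags that pull in remote executable content."""
    WATCHED = {"script": "src", "iframe": "src"}

    def __init__(self):
        super().__init__()
        self.includes = []  # list of (tag, url)

    def handle_starttag(self, tag, attrs):
        attr = self.WATCHED.get(tag)
        if attr is None:
            return
        for name, value in attrs:
            if name == attr and value:
                self.includes.append((tag, value.strip()))


def host_of(url, page_host):
    """Return the host an include loads from.

    Relative URLs load from the page's own host. Protocol-relative URLs
    (//host/path) are resolved to their host. Non-HTTP schemes such as
    data: or javascript: carry their code inline and are reported as the
    scheme itself so they are never silently allowed.
    """
    parsed = urlparse(url)
    if parsed.scheme not in ("", "http", "https"):
        return f"{parsed.scheme}:"
    return parsed.netloc.lower() or page_host.lower()


def find_unexpected_includes(html, page_host, allowed_hosts):
    """Return every script/iframe include whose host is not the page or an allowed CDN."""
    collector = IncludeCollector()
    collector.feed(html)
    allowed = {page_host.lower()} | {h.lower() for h in allowed_hosts}
    findings = []
    for tag, url in collector.includes:
        host = host_of(url, page_host)
        if host not in allowed:
            findings.append({"tag": tag, "url": url, "host": host})
    return findings


# Constructed sample: a news page with one legitimate CDN include and two
# injected includes (a protocol-relative script and a hidden iframe).
SAMPLE_HTML = """
<html><head>
<script src="/js/site.js"></script>
<script src="https://cdn.allowed.example/lib.js"></script>
<script src="//tracker.invalid/collect.js"></script>
</head><body>
<p>News</p>
<iframe src="https://stats.invalid/ping" width="0" height="0"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for finding in find_unexpected_includes(SAMPLE_HTML, "news.example",
                                            ["cdn.allowed.example"]):
        print(f"unexpected {finding['tag']} include from {finding['host']}: "
              f"{finding['url']}")
```

Run it against the HTML you fetch from your own site (for example on a schedule, diffing the result against the previous run) and treat any new host in the output as something to investigate. Note that a 0-byte response from the flagged host, as Volexity observed, does not make the include benign; the server may be selectively serving only the visitors it wants.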

From that attack vector, a long list of device attributes and identifiers was exfiltrated, including:

  • Unique ID
  • Model
  • Brand
  • Manufacturer
  • Locale
  • IMEI
  • SIM state
  • IMSI
  • ICCID
  • Phone number
  • Roaming status
  • Baseband version
  • Current network type
  • Current network name
  • Operator code
  • Battery level
  • Whether the phone is rooted
  • ROM version
  • Android version
  • Android API level
  • Android patch version
  • Android ID
  • Kernel version
  • MAC address
  • Public and private IP addresses
  • Total and free space on SD card
  • Total and free RAM
  • Device fingerprint
  • Serial number
  • Screen resolution
  • CPU
  • Uptime
  • Username

Ouch! That data can be used to completely control a targeted Android device. And it’s an effective way to monitor Uighurs because people typically carry their phones with them wherever they go – regardless of nationality or ethnic grouping.

What happens when a country is able to gain such insight and power over its own citizens? Only time will tell, but it seems to be a portent of things to come, and not just in China.