Facebook says hackers were distributing malware via malicious links shared under fake personas on the social network.
Facebook’s cyber-espionage investigations team discovered a network of hackers with links to China who distributed malware via malicious links. Facebook has taken action against the group, disabling their accounts and notifying the roughly 500 users who were targeted.
The hackers, believed to be part of the group tracked as Earth Empusa or Evil Eye, were specifically targeting activists, journalists, and dissidents, predominantly members of the Uyghur minority living abroad in Kazakhstan, Turkey, Syria, the US, Canada, and Australia.
The goal was to infect the targets’ devices with malicious code in order to surveil them. The links shared through Facebook pointed to both legitimate and lookalike news websites, and to fake Android app pages.
Facebook’s head of cyber espionage investigations, Mike Dvilyanski, explained that to infect user devices with malware the hackers compromised legitimate news websites frequently visited by their targets, a tactic known as a watering hole attack.
For victims in Turkey, the hackers also set up lookalike domains for news websites and built lookalike pages with injected malicious code, so that a target’s device was infected with malware simply by visiting the fake page.
The hackers also built lookalike Android app stores offering apps likely to appeal to Uyghurs; the apps contained malicious code that allowed the hackers to eavesdrop on the devices.
To conceal their activity, the hackers ran technical checks on each visitor’s IP address, operating system, browser, country, and language settings, and served the iOS malware only to people who passed those checks.
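The visitor-profiling step described above is what keeps a watering hole invisible to casual inspection, so it is worth seeing in code. The block below is an added example written for this article; it is not Facebook’s tooling or the attackers’ code. It models a watering-hole server that returns the exploit page only to visitors whose IP geolocation, operating system, browser and language preferences match a victim profile, and the ordinary news page to everyone else. The GeoIP table, the language tags, the iOS version window, the function names and the sample requests are all constructed assumptions for the demonstration.

```python
"""Visitor-profiling gate of a watering-hole server (added, illustrative code).

Not Facebook's or the threat actor's code. The GeoIP table, victim profile,
iOS version window and sample requests are constructed for the demonstration.
"""
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Constructed stand-in for a GeoIP database: RFC 5737 documentation prefixes
# assigned arbitrary countries for this example.
GEOIP_TABLE = {
    ip_network("203.0.113.0/24"): "TR",
    ip_network("198.51.100.0/24"): "US",
    ip_network("192.0.2.0/24"): "KZ",
}

# Constructed victim profile. The countries follow the article; the language
# tags (Uyghur, Turkish, Kazakh) and the iOS version window are assumptions.
TARGET_COUNTRIES = {"TR", "KZ", "SY", "US", "CA", "AU"}
TARGET_LANGUAGES = {"ug", "tr", "kk"}
IOS_VERSION_WINDOW = range(12, 14)  # hypothetical: versions the exploit supports

# Matches the iOS token in Safari UAs, e.g. "(iPhone; CPU iPhone OS 13_3 like Mac OS X)".
_IOS_UA = re.compile(r"\((?:iPhone|iPad); CPU (?:iPhone )?OS (\d+)_")


@dataclass
class Request:
    client_ip: str
    user_agent: str
    accept_language: str


def country_for(ip: str) -> Optional[str]:
    """Map a client address to a country code using the constructed table."""
    addr = ip_address(ip)
    for net, cc in GEOIP_TABLE.items():
        if addr in net:
            return cc
    return None


def ios_version(user_agent: str) -> Optional[int]:
    """iOS major version for Mobile Safari, or None for anything else.
    Chrome (CriOS) and Firefox (FxiOS) on iOS carry the same token and are excluded."""
    m = _IOS_UA.search(user_agent)
    if not m or "Safari/" not in user_agent:
        return None
    if "CriOS" in user_agent or "FxiOS" in user_agent:
        return None
    return int(m.group(1))


def preferred_languages(accept_language: str) -> List[str]:
    """Primary language subtags from an Accept-Language header, in header order."""
    tags = []
    for part in accept_language.split(","):
        tag = part.split(";")[0].strip().lower()
        if tag:
            tags.append(tag.split("-")[0])
    return tags


def passes_gate(req: Request) -> bool:
    """True only when location, OS/browser and language all match the profile."""
    if country_for(req.client_ip) not in TARGET_COUNTRIES:
        return False
    ver = ios_version(req.user_agent)
    if ver is None or ver not in IOS_VERSION_WINDOW:
        return False
    return any(tag in TARGET_LANGUAGES for tag in preferred_languages(req.accept_language))


def serve(req: Request) -> str:
    """Page the watering-hole server hands back to this visitor."""
    return "exploit_page" if passes_gate(req) else "benign_news_page"


# Constructed sample visitors: an intended target, a URL scanner running from
# a US datacenter with a desktop profile, and an iPhone in Turkey set to English.
TARGET = Request(
    "203.0.113.10",
    "Mozilla/5.0 (iPhone; CPU iPhone OS 13_3 like Mac OS X) AppleWebKit/605.1.15 "
    "(KHTML, like Gecko) Version/13.0.4 Mobile/15E148 Safari/604.1",
    "ug-CN,ug;q=0.9,tr;q=0.8",
)
SCANNER = Request(
    "198.51.100.7",
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
    "(KHTML, like Gecko) Chrome/89.0.4389.82 Safari/537.36",
    "en-US,en;q=0.9",
)
TOURIST = Request(TARGET.client_ip, TARGET.user_agent, "en-GB,en;q=0.9")

if __name__ == "__main__":
    for name, req in (("target", TARGET), ("scanner", SCANNER), ("tourist", TOURIST)):
        print(f"{name:8s} -> {serve(req)}")
```

The defensive lesson is in the second and third sample visitors: a URL scanner or sandbox fetching from a datacenter address with a desktop, English-language profile only ever receives the benign page, so a clean scan of a suspected watering hole is not evidence that it is safe. When investigating such a site, replay the request with the target population’s geolocation, User-Agent and Accept-Language, and compare the responses.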
Facebook blocked the malicious infrastructure and took down the attackers’ fake accounts. The company said its cyber-espionage team first detected the operation when it noticed a spike in activity on Facebook in mid-2020, and that the hacking efforts may go back to 2019.
“Measuring impact and intent can be challenging but we do know even for the small number of users around the world, the consequences [of being hacked] can be very high and that is why the team took this so seriously,” said Nathaniel Gleicher, head of security policy for Facebook. “It’s a small number of targets, under 500 for the entire campaign, but that is only for the aspects that touched Facebook in some way. The majority of what this threat actor has done took place off Facebook.”