Researchers at Canada’s Citizen Lab have spotted a phishing campaign and supply chain attack directed at Uyghur people living outside China, and suggest it’s an example of Beijing’s attempts to target the ethnic minority group.

Many Uyghur people, a Muslim ethnic majority, live in China’s Xinjiang province and according to the United Nations are [1]subjected to “serious human rights violations” including arbitrary detention, may be forced not to use their own language, and are subject to discriminatory government policies that create “interlocking patterns of severe and undue restrictions on a wide range of human rights.”

Some Uyghur people have moved abroad, and formed a group called the World Uyghur Congress (WUC) to lobby for their people’s rights. According to Citizen Lab, “several senior members” of the Congress living outside China were sent emails that “impersonated a trusted contact at a partner organization and contained Google Drive links that, if clicked, would download a password-protected RAR archive.”

[2]

That archive contained a Windows version of an open source Uyghur text editor called UyghurEditPP. Citizen Lab thinks members of the WUC know the application’s developer, who has also worked on optical character recognition software for Uyghur script and speech recognition software for the Uyghur language. That prior relationship means recipients would likely trust the sender.

[3]

[4]

That trust was misplaced: Citizen Lab alleges the version of UyghurEditPP linked to in the phishing mails was altered to include malware and “contained a backdoor that would allow the operator to gather information about the device, upload information to a command and control server, and download additional files, including other malware.”

The malware also makes it possible to download files from the target device and install malware plugins.

[5]Beijing reportedly asked Hikvision to identify fasting students in Muslim-majority province

[6]Chinese citizens feel their government is doing such a fine job with surveillance

[7]Drone maker DJI sues Pentagon over ‘Chinese military company’ label

[8]Winnie the Pooh slasher flick mysteriously cancelled in Hong Kong

Citizen Lab hasn’t identified the source of the phishing campaign or the supply chain attack on UyghurEditPP but notes China has used similar tactics before.

The Lab also points out that China aims to suppress the Uyghur language and an attack on software designed for those who speak the tongue therefore meets Beijing’s goals.

[9]

“According to a WUC member, only a few people in the diaspora have both the technical knowhow and the motivation to develop such software,” Citizen Labs researchers wrote. “Trojanizing their projects by implanting malware causes harm beyond the immediate phishing attempt because it sows fear and uncertainty about the very tools aiming to support and preserve the community.”

The Lab found a few small positives to take away from the incident, because the WUC members targeted by the phishing campaign were alerted to it by Google, weren’t fooled by it, and the attack “was not notable for its technical sophistication and did not involve zero-day exploits or mercenary spyware.”

On the downside, Citizen lab wrote “delivery of the malware showed a high level of social engineering, revealing the attackers’ deep understanding of the target community.” The outfit also worries that attack’s limited success could lead to an escalation in future aggressive campaigns.

[10]

“The need to be constantly alert to the next threat is a daunting task for targeted communities,” Citizen Lab’s researchers wrote. ®

Get our [11]Tech Resources



[1] https://news.un.org/en/story/2022/08/1125932

[2] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=2&c=2aBFL8DV_RFd2ktglDe7MXwAAApI&t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0

[3] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44aBFL8DV_RFd2ktglDe7MXwAAApI&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0

[4] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33aBFL8DV_RFd2ktglDe7MXwAAApI&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0

[5] https://www.theregister.com/2023/11/14/hikvision_fasting_identification/

[6] https://www.theregister.com/2023/10/13/chinese_citizens_feel_their_government/

[7] https://www.theregister.com/2024/10/22/dji_sues_dod/

[8] https://www.theregister.com/2023/03/22/pooh_slasher_flick_cancelled_china/

[9] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44aBFL8DV_RFd2ktglDe7MXwAAApI&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0

[10] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33aBFL8DV_RFd2ktglDe7MXwAAApI&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0

[11] https://whitepapers.theregister.com/