Security researchers have discovered a new Chinese phishing campaign targeting the ethnic minority Uyghur group with emails impersonating the United Nations and others.
Check Point and Kaspersky teamed up to lift the lid on the attacks, which spoof not only the UN Human Rights Council (UNHRC) but also a fake human rights organization called TCAHF, targeting Uyghurs applying for grants.
As well as emailed documents from the ‘UNHRC’ designed to trick individuals into installing a Windows backdoor, the researchers discovered a phishing website branded with the details of the fake human rights organization.
This aims to convince victims into downloading a .NET backdoor, by disguising it as a ‘security scanner,’ which is necessary to install due to the sensitive nature of the information needed for a grant application.
Most of the website’s content is apparently copied from a legitimate Open Society Foundations site.
Kaspersky and Check Point have discovered only a handful of victims in Pakistan and China, where around 12 million Uyghurs live in the north-west Xinjiang region. Reports suggest the authorities there have erected concentration camps in a ghoulish state-sanctioned scheme involving forced sterilisations and mass ‘re-education.’
Amidst an international furore and mutterings of countries boycotting the Beijing Winter Olympics in 2022, it has become a serious geopolitical issue for China’s leaders.
The research teams assigned the activity to a Chinese-speaking threat actor with low to medium confidence. They found excerpts of the code in malicious macros used in the attacks which were identical to VBA code appearing in multiple Chinese forums, and which may have been copied direct from there.
“These attacks clearly utilize the theme of the UNHRC to trick its targets into downloading malicious malware. We believe that these cyber-attacks are motivated by espionage, with the end-game of the operation being the installation of a backdoor into the computers of high-profile targets in the Uyghur community,” explained Check Point’s head of threat intelligence, Lotem Finkelsteen.
“The attacks are designed to fingerprint infected devices, including all of its running programs. From what we can tell, these attacks are ongoing, and new infrastructure is being created for what looks like future attacks.”