Before Chinese police hung high-powered surveillance cameras and locked up ethnic minorities by the hundreds of thousands in China's western region of Xinjiang, China's hackers went to work building malware, researchers say.
The Chinese hacking campaign, which researchers at Lookout — the San Francisco mobile security firm — said Wednesday had begun in earnest as far back as 2013 and continues to this day, was part of a broad but often invisible effort to pull in data from the devices that know people best: their smartphones.
Lookout found links between eight types of malicious software — some previously known, others not — that show how groups connected to China's government hacked into Android phones used by Xinjiang's largely Muslim Uighur population on a scale far larger than had been realised.
The timeline suggests the hacking campaign was an early cornerstone in China's Uighur surveillance efforts that would later extend to collecting blood samples, voice prints, facial scans and other personal data to transform Xinjiang into a virtual police state. It also shows the lengths to which China's minders were determined to follow Uighurs as they fled China for as many as 15 other countries.
The tools the hackers assembled hid in special keyboards used by Uighurs and disguised themselves as commonly used apps in third-party websites. Some could remotely turn on a phone's microphone, record calls or export photos, phone locations and conversations on chat apps. Others were embedded in apps that hosted Uighur-language news, Uighur-targeted beauty tips, religious texts like the Quran and details of the latest Muslim cleric arrests.
"Wherever China's Uighurs are going, however far they go, whether it was Turkey, Indonesia or Syria, the malware followed them there," said Apurva Kumar, a threat intelligence engineer at Lookout who helped unravel the campaign. "It was like watching a predator stalk its prey throughout the world."
A decade ago, the People's Liberation Army's hackers were notable not so much for their sophistication as for the volume of their attacks. But under threat of U.S. sanctions, President Xi Jinping of China struck an agreement with President Barack Obama in 2015 to cease hacking U.S. targets for commercial gain. The agreement stuck for a time, with a significant drop in Chinese hacks in the United States.
Last fall, private researchers determined that — over that same period — China had turned its most advanced hacking tools on its own people. In overlapping discoveries, researchers at Google, security firm Volexity and the Citizen Lab at the University of Toronto's Munk School of Public Affairs separately uncovered what amounted to an advanced Chinese hack against iPhones and Android phones belonging to Chinese Uighurs and Tibetans throughout the world.
Google's researchers discovered that hackers had infected websites frequented by Uighurs — inside China and in other countries — with tools that could hack their iPhones and siphon off their data.
Lookout's latest analysis suggests that China's mobile hacking campaign was broader and more aggressive than security experts, human rights activists and spyware victims had realised. But experts on Chinese surveillance say it should come as no surprise, given the lengths to which Beijing has gone to monitor Xinjiang.
"We should think about smartphone surveillance being used as a way to track people's inner life, their everyday behavior, their trustworthiness," said Darren Byler, who studies surveillance of minority populations at the University of Colorado, Boulder.
In 2015, as Beijing pushed to crack down on sporadic ethnic violence in Xinjiang, authorities grew "desperate" to track fast-growing Uighur communications online, Byler said. Uighurs began to fear that their online chats discussing Islam or politics were risky. Savvier Uighurs took to owning a second "clean phone," said Byler, who lived in Xinjiang in 2015.
On the streets of Xinjiang, police began confiscating Uighurs' phones. Sometimes, they returned them months later with new spyware installed. Other times, people were handed back entirely different phones. Officials visiting Uighur villages regularly recorded the serial numbers used to identify smartphones. They lined the streets with new hardware that tracked people's phones as they walked past.
Authorities dragged Uighurs off to detention camps for having two phones or an antiquated phone, arbitrarily dumping a phone, or not having a phone at all, according to testimonials and government documents.
Over that same period, Lookout said China's mobile hacking efforts accelerated. One type of Chinese malware, known as GoldenEagle after the words hackers littered throughout their code — an apparent reference to the eagles used for hunting in Xinjiang — was used as early as 2011. But its use picked up in 2015 and 2016. Lookout uncovered more than 650 versions of GoldenEagle malware and a large number of fake Uighur apps that function as a sort of Trojan horse to spy on users' mobile communications.
The malicious apps mimicked so-called virtual private networks, which are used to set up secure web connections and view prohibited content inside China. They also targeted apps frequently used by Uighurs for shopping, video games, music streaming, adult media and travel booking, as well as specialised Uighur keyboard apps. Some offered Uighurs beauty and traditional-medicine tips. Others impersonated apps from Twitter, Facebook, QQ — the Chinese instant messaging service — and search giant Baidu.
Once downloaded, the apps gave China's hackers a real-time window into their targets' phone activity. They also gave China's minders the ability to kill their spyware on command, including when it appeared to suck up too much battery life. In some cases, Lookout discovered that all China's hackers needed to do to get data off a target's phone was send the user an invisible text message. The malware captured a victim's data and sent it back to the attackers' phone via a text reply, then deleted any trace of the exchange.
In June 2019, Lookout uncovered Chinese malware buried in an app called Syrian News. The content was Uighur-focused, suggesting China was trying to bait Uighurs inside Syria into downloading their malware. That Beijing's hackers would track Uighurs to Syria gave Lookout's researchers a window into Chinese anxiety over Uighur involvement in the Syrian civil war. Lookout's researchers found similarly malicious apps tailored to Uighurs in Kuwait, Turkey, Indonesia, Malaysia, Afghanistan and Pakistan.
Researchers at other security research groups, like Citizen Lab, had previously uncovered various pieces of China's mobile hacking campaign and linked them back to Chinese state hackers. However, Lookout's new report appears to be the first time researchers were able to piece these older campaigns with new mobile malware and tie them to the same groups.
"Just how far removed the state is from these operations is always the open question," said Christoph Hebeisen, Lookout's director of security intelligence. "It could be that these are patriotic hackers, like the kind we have seen in Russia. But the targeting of Uighurs, Tibetans, the diaspora and even Daesh, in one case, suggests otherwise," he added, using another term for the Islamic State.
One clue to the attackers' identities came when Lookout's researchers found what appeared to be test versions of China's malware on several smartphones that were clustered in and around the headquarters of Chinese defense contractor Xi'an Tianhe Defense Technology.
A large supplier of defense technology, Tianhe sent employees to a major defense conference in Xinjiang in 2015 to market products that could monitor crowds. As a surveillance gold rush took over the region, Tianhe doubled down, establishing a subsidiary in Xinjiang in 2018. The company did not respond to emails requesting comment.
"That could be an interesting coincidence," Hebeisen said, "or it could be the smoking gun."
Written by: Paul Mozur and Nicole Perlroth
Photographs by: Gillies Sabrie
© 2020 THE NEW YORK TIMES