Date: 2021-03-24

By Jeff Horwitz and Robert McMillan

Facebook Inc. has taken down a network of China-based accounts being used to spread malware meant to spy on journalists and dissidents in the overseas Uyghur Muslim community, the company said on Wednesday.

The sophisticated effort, which the company said was tied to a group of Chinese hackers, included setting up fake news sites and compromising real ones to infect the devices of a small number of people. The hackers also placed malware-laden apps -- including Uyghur language keyboards and prayer apps -- in third-party Android app stores.

The Uyghurs have been targeted for mass detention by the Chinese government, and some nations, including the U.S., have labeled the yearslong crackdown against them a genocide.

China is an active player in digital espionage, national security experts have said, and Facebook in recent years has stepped up efforts to prevent foreign manipulation and abuse of its platform.

The company has announced takedowns of foreign disinformation and covert influence operations for years, but has more recently begun exposing hacking campaigns that use Facebook accounts. In December, the company revealed cyber-espionage efforts linked to entities in Vietnam and Bangladesh.

Facebook didn't attribute the attack to the Chinese government, but pinned the effort, which dates back to 2019, to a long-running Chinese hacking network and called out two Chinese companies for creating the infected apps.

A representative from China's U.S. Embassy didn't immediately respond to a message seeking comment. China has previously denied engaging in hacking.

The company's move was announced the day before a hearing Thursday of the House Energy and Commerce Committee in which Facebook Chief Executive Mark Zuckerberg will testify about "social media's role in promoting extremism and misinformation." In advance remarks, he said Facebook supports regulatory changes that would make social media companies more responsible for the content on their platforms.

The company said the hacking activity mostly occurred off Facebook, although the network did use fake Facebook accounts purporting to be members of the Uyghur community to share links to the infected sites and apps in a social-media-based version of phishing. Accounts pretending to be journalists or activists would interact with members of the Uyghur community and send them links to infected sites or apps. Devices exposed to the malware would download it only if they met criteria such as using Uyghur-language settings.

"We saw attackers injecting malicious code into the website pages, and that would profile users and then infect them with specific malware if they met criteria that attackers set up," said Mike Dvilyanski, who handles cyber threat intelligence for Facebook. He said the company identified "a fairly small number of targets" -- fewer than 500 -- but that figure covers only the instances that touched Facebook in some way.

Facebook said that it didn't expect that its actions would permanently halt the effort to target the Uyghur community, but that revealing the effort would at least disrupt it.

"It's important for us to share our findings with industry to keep increasing the costs for these actors," Mr. Dvilyanski said.

In recent years, alleged Chinese hackers have targeted both Android and Apple Inc.'s mobile phones by building digital attacks that leverage bugs in these devices and tricking their victims into visiting websites that contain the attack code, security experts say.

Victims have included media organizations, Tibetan and Uyghur organizations and Hong Kong-based democracy activists, said John Hultquist, director of intelligence analysis with the U.S. cybersecurity firm FireEye Inc., which has investigated some aspects of the attacks. "The number one interest of the regime there is maintaining power and one of the ways they do that is by monitoring sources of opposition," he said.

"What's so unique about social media is you can carry out reconnaissance through it," he said. "You can identify your targets of interest and you can even attach yourself to some of these social networks and then leverage your relationships in that network to sort of swim through the social network," Mr. Hultquist said.



