Evil Eye Gazes Beyond China’s Borders: Troubling Trends in Chinese Cyber Campaigns

By Eli Clemens

Published 25 May 2021

On March 24, 2021, Facebook announced they had taken actions against an advanced persistent threat (APT) group located in China, previously monikered as Evil Eye. Facebook accused the APT of abusing its platform, creating malicious websites, hacking legitimate websites and Facebook accounts, and distributing malware to affected individuals. The main targets of the campaign were Uyghur activists and journalists living abroad. Facebook subsequently used different tactics to identify and surveil suspected members of Evil Eye. To mitigate damage, Facebook blocked malicious domains used by the campaign, removed fake users, and notified Facebook users believed to have been targeted.

Evil Eye’s campaign was clearly motivated by a political goal that China frequently uses a blend of information operations (IO) and cyber means to accomplish: the disruption of dissidents, especially those who raise awareness of China’s human rights violations against its ethnic minorities. Previous attributions of Evil Eye show them targeting Tibetan, Uyghur, and Hong Kong dissidents starting in 2019 and possibly as early as 2013. Evil Eye’s campaign combined a multitude of operations and attack vectors. Information, psychological, and influence operations were executed using information and social media manipulation and social engineering that included identity theft. Watering hole attacks, phishing, trojaned third-party app stores, and mobile malware were deployed. A concurrent goal in the recent campaign was to silence ethnic minority dissidents and deter further use of social media by instilling fear that they were under surveillance. Members of the Uyghur diaspora in Canada, Turkey, Kazakhstan, Australia, the United States, and Syria were likely disturbed and frightened to learn that some of their Uyghur-language keyboard, dictionary, and prayer apps were in fact fake and trojaned.

Facebook has formally attributed this campaign to Evil Eye, though the involvement of other threat actors in the campaign is possible. While Facebook did not explicitly connect Evil Eye to the Chinese state, information from the current incident and prior knowledge of Evil Eye’s operations strongly suggests it. First, the outsourcing of Android tooling to deploy malware to two different companies may mean that Evil Eye has significant resources at its disposal for its campaigns, hinting at nation-state backing. Second, given its multiple attack vectors, Evil Eye would seem to have members skilled in both cyber and IO operations and thus likely works in tandem with other Chinese APT groups.

Despite Facebook providing significant technical details in the report, what information the company used to claim that the hackers resided in China was not supplied. Hua Chunying, director of China’s Foreign Ministry Information Department, pointed out this information gap, denying any Chinese affiliation: “You’re saying that a hack targeting some people outside China originated in China, but where is your evidence?”

Social media companies should be cognizant of three trends from this incident. First, Facebook was just one part of a larger APT campaign. Other firms that discover information operations should be alert to a range of blended tactics. Second, the ease of opening new accounts on Facebook and other social media platforms remains a critical vulnerability, with fake user accounts easily weaponized. Evil Eye used social engineering to reach targeted individuals and have them install, and pass on, the exploits for its prepared malware. The fake accounts were also used to inflict psychological damage and carry out identity theft. Third, social media companies have an ever-increasing need for information sharing with relevant cybersecurity partners; in this incident, Facebook should be commended for collaborating with FireEye.

Uyghur-language media companies, Uyghur cultural and outreach organizations, and Uyghur Islamist and solidarity organizations are all likely future targets of similar campaigns. Moreover, multinational companies like Apple and Nike that have clashed with China in recent years over sensitive topics should take note of Evil Eye’s campaign. Companies facing scrutiny for what Beijing considers to be politically sensitive stances should increase their vigilance for potential attacks blending IO and cyber tactics.

Throughout 2021, the Biden administration will deliberate whether to take further actions against China’s human rights violations against the Uyghurs, such as increased sanctions or even boycotting the 2022 Beijing Olympics. Incidents like the Evil Eye campaign could force President Biden’s hand, as they show an empowered China increasingly willing to use cyber attacks and information operations in pursuit of its political goals.

Eli Clemens is a student at Columbia University’s School of International and Public Affairs, studying international security policy and cybersecurity policy. This article is published courtesy of the Council on Foreign Relations (CFR).