PRC's Use of Mobile Surveillance

PRC's Use of Mobile Surveillance for Tracking the Uighur population in China and Abroad

Some of the most prolific surveillance tooling emerging as of late from Chinese threat actors has been used to specifically target Uyghur populations and other ethnic minority groups in the region. Over the past several years, Lookout has encountered a dozen unique mobile surveillance families used to collect extensive information.

Despite recently published exposés on human rights abuses within internment camps in Xinjiang, surveillance operations have only intensified, expanding mobile surveillance from highly targeted individuals (like journalists, activists and human rights groups) to the greater Uyghur population.

This talk will outline:

● several mobile malware families tied to these surveillance operations;

● noteworthy technical capabilities;

● the ways in which these campaigns have developed both in their level of sophistication as well as distribution tactics;

● and the ways in which mobile surveillance in the region has impacted the PRC’s effort to detain individuals.

The session will begin with a brief historical overview of China’s surveillance of minority groups in recent years, with a particular focus on Uyghur-specific campaigns. It will then identify and discuss the tooling most recently observed in mobile campaigns tied to state-sponsored surveillance.

Included in this discussion is MOONSHINE (first disclosed by Citizen Lab in 2019), a surveillance tool initially used to target Tibetans in the region and attributed to APT group POISON CARP. Since its disclosure in 2019, MOONSHINE has been significantly modified and distributed as part of a widespread surveillance campaign against Uyghur-speaking mobile device users. The talk will discuss these developments as well as the ways in which this surveillance tool has been distributed, shifting from highly targeted attacks to widespread distribution for mass surveillance.

The session will also introduce the novel family BadBazaar, a surveillance tool Lookout has been tracking since late 2021 but has yet to publicly disclose. BadBazaar surveillanceware has permeated nearly all Uyghur-language Telegram channels while masquerading as useful Android applications.

Additional, less widely observed Uyghur-targeted surveillance tools will also be introduced. The session will provide a technical overview of each family of interest and the infrastructure connected to these samples, and will identify the organizations to which these campaigns can be attributed with high confidence. We will dive into the mechanisms through which many of these tools are distributed, including known social media channels and forums, suspected watering holes, and the use of both highly targeted and widespread campaigns.