Date: 2021-05-28

The Uighur minority is being targeted by cybercriminals in China and Pakistan, with emails that use the names of diplomatic and human rights organizations to install spyware. The goal is to gain access to Windows resources in order to extract information and track targets, with documents that even use the United Nations logo and visual style.

The attacks on the minority were discovered in research by Check Point Research, in collaboration with Kaspersky. In addition to sending emails to Uighurs, including in Pakistan, the espionage campaign uses fake websites named after non-existent companies or humanitarian organizations, which offer help and support but actually try to install backdoors on the victims’ computers.

The Uighurs are of Turkish origin and are located mainly in the Chinese region of Xinjiang. The region is also the main focus of the country’s government’s repression of the minority, particularly because of its Muslim roots. UN data indicate that more than one million citizens in the province have been arrested in so-called “political indoctrination camps”, cited by authorities as part of their fight against domestic terrorism, but also denounced for severe human rights violations.

The false document, signed on behalf of the United Nations, addresses precisely these transgressions. It presents itself as the minutes of an assembly to be held on the subject, with complaints and quotes about cases that occurred within these camps. The document, in DOCX format, serves as a vector for the installation of malware, which then monitors the websites accessed, typed information and other uses of the victim’s computer.

A second vector is associated with the Foundation for Turkish Culture and Heritage, which does not exist but claims to help minorities from a headquarters in Azerbaijan. The layout of the website is copied from, and resembles, that of the Open Society Foundation, another international philanthropic organization, and the site offers scholarships and specialization courses. The attack takes place through these registrations: applicants are required to download a solution that promises to guarantee the security of the device but, in reality, brings the malware to the machine.

In addition to the minority itself, security experts point to companies and organizations that support people of Turkish origin as possible secondary targets. While a direct governmental relationship has not been established, evidence in the malware code indicates that the cybercriminals responsible speak the Chinese language, and excerpts from the malware’s code also show similarities with other attempts in the region.

The experts’ recommendation is that users, especially those who are in vulnerable conditions or are targeted for any reason, avoid opening attached files or downloading applications. Personal data should be provided only when the user is sure about the reliability of the registration, and security solutions must always be active and updated on the computer and cell phone, as they help to protect against the most common attack attempts.