Full Report
The U.K.’s National Cyber Security Centre and international cybersecurity and intelligence agencies on Wednesday said hackers are deploying two forms of previously identified spyware to snoop on Uyghur, Tibetan and Taiwanese individuals and civil society organizations.
Analysis Summary
# Threat Actor: Unnamed Hacking Group (Associated with Chinese State Interests)
## Attribution & Identity
Attribution points toward actors whose activities align with the interests of the Chinese state. The NCSC and its international partners published the operational details. The advisory names no specific group; it refers only to "malicious actors."
## Activity Summary
Hackers are actively deploying two previously identified spyware families (MOONSHINE and BADBAZAAR) to conduct surveillance against targeted individuals and civil society organizations worldwide. The campaign aims to silence, monitor, and intimidate communities the Chinese state perceives as threats to its stability. Deployment relied on malicious apps that imitate popular messaging platforms such as WhatsApp and Skype, and on standalone apps such as "Tibet One" (uploaded to the Apple App Store in December 2021 and since removed) and "Audio Quran." These apps were distributed through online gathering places for the target communities, including Telegram channels and Reddit forums.
## Tactics, Techniques & Procedures
- **Device Compromise/Surveillance:** Once installed, the spyware gives the operators access to the device's microphone, camera, messages, photos, and location data, enabling real-time monitoring of the victim.
- **Masquerading/Social Engineering:** Building malicious applications that look legitimate (e.g., "Tibet One," "Audio Quran") and exploiting community trust (e.g., Uyghur-language file names for the Audio Quran app).
- **Distribution:** Seeding the malicious apps in community-specific forums and messaging platforms (Telegram channels, Reddit forums) and, in the case of Tibet One, an official app store.
## Targeting
- **Sectors:** Civil society organizations, potentially privacy advocates, and religious/ethnic advocacy groups.
- **Geography:** Individuals and organizations worldwide who are tied to activities considered threatening by the Chinese state.
- **Victims:** Individuals tied to the Taiwan independence movement, Tibetan rights organizations, Uyghur Muslims, ethnic minorities from Xinjiang, democracy advocates, and members of the Falun Gong faith.
## Tools & Infrastructure
- **Malware families used:** MOONSHINE spyware and BADBAZAAR spyware.
- **Infrastructure (C2, domains, IPs):** No C2 domains or IP addresses are given in the summary. Known distribution channels are the Apple App Store (Tibet One, now removed) and Telegram channels and Reddit forums used by the target communities.
## Implications
The sustained use of spyware against specific ethnic and political minority groups demonstrates a persistent, state-backed effort to conduct cross-border espionage and intimidation of perceived dissidents. The activity poses a significant threat to the freedom of expression and privacy of at-risk communities worldwide.
## Mitigations
- At-risk users should install apps only from known, trusted application stores, and should still check the publisher before installing: Tibet One reached the Apple App Store, so a listing in an official store is not by itself proof that an app is safe.
- Routinely review and audit application permissions after installation, and revoke microphone, camera, location, and message access from apps that have no need for them; these are exactly the capabilities the spyware abuses.
- Report questionable messages or files received to a trusted security contact rather than opening them.
- Exercise extreme caution with files and links shared on social media platforms and community forums, since these were the campaign's distribution channels.
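The two mitigations above that a user can actually check, install source and granted permissions, can be scripted on Android. The following is an added example and is not code from the advisory or from any of the agencies that published it. It parses the text produced by the real `adb shell pm list packages -3 -i` and `adb shell dumpsys package <pkg>` commands and flags third-party apps that were not installed from a trusted store and currently hold a permission matching the surveillance capabilities described (microphone, camera, messages, photos, location). The embedded sample output is constructed, the package names in it are hypothetical, and the set of trusted installers (Google Play only) is an assumption to adjust for vendor stores.

```python
"""Added example (not from the advisory): audit an Android device for sideloaded
apps holding surveillance-relevant permissions. Parses the text that the real
`adb shell pm list packages -3 -i` and `adb shell dumpsys package <pkg>`
commands emit; the sample text below is constructed, with hypothetical package
names, so the script runs without a device."""
import re
import subprocess
from dataclasses import dataclass, field

# Installer packages treated as trusted stores (assumption: Google Play only;
# add vendor stores such as the Galaxy Store if they are in use).
TRUSTED_INSTALLERS = {"com.android.vending"}

# Runtime permissions that map onto the capabilities the spyware is described
# as abusing: microphone, camera, messages, photos and location.
SENSITIVE = {
    "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.CAMERA": "camera",
    "android.permission.ACCESS_FINE_LOCATION": "precise location",
    "android.permission.ACCESS_COARSE_LOCATION": "coarse location",
    "android.permission.READ_SMS": "messages",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_CALL_LOG": "call log",
    "android.permission.READ_EXTERNAL_STORAGE": "photos/files",
    "android.permission.READ_MEDIA_IMAGES": "photos",
}

# `pm list packages -i` prints one "package:<name>  installer=<pkg|null>" per line.
PKG_RE = re.compile(r"^package:(\S+)\s+installer=(\S+)\s*$", re.M)
# `dumpsys package` lists "<permission>: granted=<true|false>, flags=[...]".
PERM_RE = re.compile(r"^\s*(android\.permission\.\w+): granted=(true|false)", re.M)


@dataclass
class Finding:
    package: str
    installer: str
    granted: list = field(default_factory=list)  # human-readable sensitive grants

    @property
    def sideloaded(self) -> bool:
        return self.installer not in TRUSTED_INSTALLERS

    @property
    def suspicious(self) -> bool:
        # Sideloaded *and* holding at least one surveillance-relevant permission.
        return self.sideloaded and bool(self.granted)


def parse_installers(pm_output: str) -> dict:
    """Map package name -> installer package ("null" for sideloaded apps)."""
    return {pkg: inst for pkg, inst in PKG_RE.findall(pm_output)}


def parse_granted(dumpsys_output: str) -> list:
    """Sensitive permissions currently granted, in the order dumpsys lists them."""
    return [SENSITIVE[perm] for perm, state in PERM_RE.findall(dumpsys_output)
            if state == "true" and perm in SENSITIVE]


def audit(pm_output: str, dumps: dict) -> list:
    """Combine installer provenance with permission grants for every package."""
    return [Finding(pkg, inst, parse_granted(dumps.get(pkg, "")))
            for pkg, inst in parse_installers(pm_output).items()]


def suspicious_packages(findings: list) -> list:
    """Sorted names of packages that are both sideloaded and over-permissioned."""
    return sorted(f.package for f in findings if f.suspicious)


def collect_from_device() -> list:
    """Run the audit against a USB-connected device via adb (needs adb on PATH)."""
    pm = subprocess.run(["adb", "shell", "pm", "list", "packages", "-3", "-i"],
                        capture_output=True, text=True, check=True).stdout
    dumps = {pkg: subprocess.run(["adb", "shell", "dumpsys", "package", pkg],
                                 capture_output=True, text=True, check=True).stdout
             for pkg in parse_installers(pm)}
    return audit(pm, dumps)


# Constructed sample output; package names are hypothetical.
SAMPLE_PM = """\
package:com.whatsapp  installer=com.android.vending
package:com.example.reader  installer=null
package:com.example.notes  installer=com.android.packageinstaller
"""
SAMPLE_DUMPS = {
    "com.whatsapp": """\
    runtime permissions:
      android.permission.RECORD_AUDIO: granted=true, flags=[ USER_SET ]
      android.permission.CAMERA: granted=true, flags=[ USER_SET ]
""",
    "com.example.reader": """\
    runtime permissions:
      android.permission.RECORD_AUDIO: granted=true, flags=[ USER_SET ]
      android.permission.ACCESS_FINE_LOCATION: granted=true, flags=[ USER_SET ]
      android.permission.READ_SMS: granted=true, flags=[ USER_SET ]
      android.permission.CAMERA: granted=false, flags=[ USER_SET ]
""",
    "com.example.notes": """\
    runtime permissions:
      android.permission.READ_EXTERNAL_STORAGE: granted=false, flags=[ USER_SET ]
""",
}

if __name__ == "__main__":
    for f in audit(SAMPLE_PM, SAMPLE_DUMPS):
        flag = "SUSPICIOUS" if f.suspicious else "ok"
        print(f"{flag:10} {f.package:24} installer={f.installer:30} {', '.join(f.granted) or '-'}")
```

Against the constructed sample, only the sideloaded reader app is flagged: it holds microphone, precise location and message access. The messaging app is not flagged because it came from the trusted store, even though it holds the same kind of permissions, and the sideloaded notes app is not flagged because nothing sensitive is granted. The installer check is a heuristic, not a verdict: a trojanized app that reaches an official store, as Tibet One did, passes it, so the permission review still has to be done on every app.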