“It really makes me scared”: How Chinese hackers used Facebook to spy on Uyghurs

Ferkat Jawdat is used to intimidation from the Chinese state. A Uyghur living in Washington D.C., he was one of the first in the exile community to start speaking out about something that everyone knew, but no one dared mention — that their families in the Xinjiang Autonomous Region were disappearing one by one into internment camps. Among them was Jawdat’s mother, who was detained first in 2017 and then again in February 2018. When other family members were arrested a few months later, he sounded the alarm. 

His activism led to appearances in the U.S. media and a meeting in 2019 with then-Secretary of State Mike Pompeo. Chinese authorities retaliated. His mother was moved from a camp to a prison. He received threats over social media and messaging services. In the summer of 2019, he said he spent two weeks engaged in a WeChat conversation with someone who identified himself as a senior Communist Party official. The man started out friendly, but quickly turned nasty. 

“He started threatening me, saying I’m just one person going against a superpower, and [that] compared to them I’m just nothing,” Jawdat recalled, over a Signal call from his home in the U.S.

At times, he said, he was “scared as hell,” but he felt that staying quiet wouldn’t achieve anything, a sentiment that has become increasingly common among Uyghur exiles over the past year. “I didn’t have any choice… I was worried that my mum would just be gone in those dark cells.”

On March 24, Jawdat logged into Facebook to find a warning that malevolent actors may have tried to access his devices. He was one of around 500 Uyghur activists targeted by a Chinese government-backed hacking group known in cybersecurity circles as “Evil Eye” or “Earth Empusa,” according to Facebook.  On March 24, the social media platform announced that it had taken action to remove accounts and block domains that hackers had used to target Uyghurs. 

Facebook alleges that the hackers’ built websites that mimicked popular Uyghur and Turkish news sites, but which contained code that installed malware on users’ devices — so-called “watering hole” attacks. They also compromised legitimate sites that carried the code, and impersonated journalists and human rights advocates in order to trick activists into clicking on malicious links. Users of Android devices were directed to download software, including dictionaries and prayer apps, which contained malware. Facebook said the targets were “activists, journalists and dissidents predominantly among [Uyghurs] from Xinjiang in China primarily living abroad in Turkey, Kazakhstan, the United States, Syria, Australia, Canada and other countries.”

Jawdat doesn’t think he clicked on anything suspicious, but he can’t be sure. “It really makes me scared. Facebook has access to all our information, like pictures, contacts, phone calls. Everything on the phone,” he said. He never posts anything about his children or family in the US on social media.“But now if they have access to all the contents of my phone, they know about my kids, my family, everything I do.”

This is not the first time that Chinese state-backed hackers have targeted Uyghurs. In 2019, researchers from Google Project Zero identified several compromised websites that exploited a security weakness in iPhones and which were being used for watering hole attacks. Apple later confirmed that the targets had been Uyghurs. 

“It seems like there is some group, either state-sponsored or actually in the Chinese government that really cares a lot about keeping tabs on the Uyghur population,” said Tom Uren, a senior analyst with the International Cyber Policy Centre at the Australian Strategic Policy Institute.

The Chinese government is facing increasing pressure from the international community over its incarceration of more than a million Uyghurs in “re-education” camps, prisons and forced labor facilities. The government has tried to restrict information about human rights abuses — which experts say meets the threshold for cultural genocide — from leaking out of the country, barring journalists from entering the region, censoring discussions about it on social media and threatening exiles and their families to prevent them from talking openly about the camps.

However, in part because of activists like Jawdat, the abuses taking place in Xinjiang are being widely reported. Multinational companies, including H&M, Nike and Apple have been forced to examine their supply chains to ensure that they are not indirectly using Uyghur forced labor. Several governments, including the European Union, U.S. and U.K have sanctioned Chinese individuals connected to the camps.

Uren said that the sophistication of the hack suggests that the Chinese government is investing heavily in its surveillance of overseas Uyghur communities. 

“They are obviously spending a lot of effort on what would be extremely valuable bugs,” he said. “The kind of bugs that they’re talking about would really be worth a lot, because they’re low interaction iPhone bugs, which have been traditionally quite hard to find… it just indicates what their priorities are.”

Jawdat isn’t sure what to do now. Certainly, he needs to get a new phone, and delete his social media apps. “It’s really hard. Everything is connected to each other. It’s really hard to live without those apps on your phone,” he said. “I don’t know how much information they already have. Even changing your phone, changing your phone number, cutting off everything like social media, I don’t know if there’s any use [to] it.”

But, he said, the response from the Communist Party reassures him that he is landing blows through his activism. He recalled some of the worst moments of his campaign to free his mother, including when she was moved to a jail after his meeting with Pompeo. He kept speaking up, and, eventually, his mother was released. “I decided that my actions, my words, were making some impact on them,” he said. “That’s why I was being pressured.”