Red Sky Alliance has recently observed multiple Chinese, state sponsored, Advanced Persistent Threat (APT) groups targeting Chinese-Muslim non-governmental organizations (NGOs). Historically, Chinese APT groups have conducted specific cyber campaigns against these type organizations, traditionally with little or no overlap.
The US Secretary of State (SECSTATE), Mike Pompeo, issued a statement on 26 November 2019 reporting a collection of leaked documents that prove Chinese authorities are engaged in massive and systemic repression of Muslims and other minorities in western China. Many international governments are expressing grave concerns about China’s scale of their oppression campaign.
The SECSTATE said the documents emphasized, “an overwhelming and growing body of evidence” that China’s regime is responsible for significant human rights violations in the Xinjiang region. The content of these leaked documents indicates the Chinese government monitor citizens in these Muslim communities. The documents contain sensitive personal information such as marriage status, residence registration and whether the citizens are in detention.
In a separate collection and analysis campaign, Red Sky Alliance analysts are currently observing heavy targeting of mobile devices and the development of Chinese mobile malware frameworks like “Moonshine”, BXAQ, MESSAGETAP, and an unnamed IoS exploit framework/implant. These all are developed by suspected Chinese APT groups. In the past, Chinese APT groups have used the Chinese-Muslim NGOs to test new cyber TTPs before unleashing the newly perfected TTPs on Western companies in support of China’s Five-Year Plans.
The mobile malware framework is called “Moonshine” by Citizenlab, due to alcohol named related strings within the malware. Names like Bourbon, Whisky and Scotch are used to name the strings. The Android exploit URLs that deliver Moonshine, follow the pattern of:
Red Sky Alliance is currently working on collection and analysis of multiple suspected Chinese APT groups using these named mobile malware frameworks and heavily targeting the Turkic Muslim culture in the Xinjiang Uyghur Autonomous Region (XUAR), located in northwest China. These groups are additionally targeting various Tibetan Non-Governmental Organizations (NGO)s. Citizenlab and Volexity report two unknown Chinese APT groups, referred to as POISON CARP / Evil Eye, as exploiting eleven (11) compromised Uyghur and East Turkistan websites to conduct surveillance of these groups.
Red Sky Alliance will be producing a full technical report on these Chinese campaigns and the malicious use of these mobile malware frameworks. The combination of traditional surveillance methods in conjunction with the infiltration of mobile devises, creates a serious invasion of privacy for individuals both inside and outside China. The exploitation of mobile devices will only continue and likely spread outside China, as smartphones are generally taking the place of laptops and desktop computers.
Red Sky Alliance is in New Boston, NH. We are a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the lab directly at 1-844-492-7225, or firstname.lastname@example.org