Cyber-espionage hacktivist campaign targets China's Uyghur population

Uyghurs are a nomadic Turkic, Muslim ethnic group living in Eastern and Central Asia and China

The Uyghurs are a Turkic, Muslim ethnic group living in Eastern and Central Asia and China. Like Tibetan activists, they consider themselves autonomous, and in recent months have been finding themselves in several skirmishes with the Han, who comprise 92% of China’s population. Ground zero for the unrest is Xinjiang, an autonomous region in northwestern China.

Dovetailing with the unrest, AlienVault and Kaspersky Lab in the last year have reported multiple attacks targeting Uyghurs, including a MaControl variant and a Windows version using Gh0st RAT. The culprits are likely Chinese hacktivists.

“During the past months, we’ve monitored a series of targeted attacks against Uyghur supporters, most notably against the World Uyghur Congress (WUC),” said Kaspersky Lab researcher Costin Raiu. “Although some of these attacks were observed during 2012, we’ve noticed a significant spike in the number of attacks during Jan 2013 and Feb 2013, indicating the attackers are extremely active at the moment.”

The spear-phishing emails contain Word documents with information purporting to be of interest to activists within the group. Examples include “Concerns over Uyghur People.doc,” “The Universal Declaration of Human Rights and the Unrecognized Population Groups.doc,” “Uyghur Political Prisoner.doc,” “Deported Uyghurs.doc,” and so on.

The attachments, however, are far from helpful. “The mails sent contain a Microsoft Office .doc file that exploits MS09-027 affecting Microsoft Office for Mac,” explained AlienVault researcher Jaime Blasco. “This is the same exploit used in other attacks we discovered in the past.” Microsoft patched the vulnerability in 2009, but many computers in China go unpatched thanks to software piracy.
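The campaign described above rides on legacy binary Word documents sent as email attachments. The following script is an added example, not code from the article or from AlienVault or Kaspersky Lab: it parses a mail message, extracts its attachments and flags any that is an OLE2 compound document (the container format of legacy .doc/.xls/.ppt files), whatever extension it carries, so a mail gateway can route such files to sandboxing or block them for users who should never receive them. The sample message is constructed inline; it reuses the lure filename quoted in the article but the attachment bytes are a stub carrying only the OLE2 signature, not the exploit document.

```python
"""Triage mail attachments for legacy binary Office containers (added example)."""
import email
from email import policy
from email.message import EmailMessage

# Magic number of an OLE2 compound file, the container behind legacy .doc/.xls/.ppt
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# Extensions that are expected to hold an OLE2 container
LEGACY_OFFICE_EXTS = {".doc", ".xls", ".ppt"}


def is_ole2(data: bytes) -> bool:
    """True if the payload starts with the OLE2 compound-file signature."""
    return data[:8] == OLE2_MAGIC


def triage_attachments(raw_message: bytes) -> list:
    """Return one finding per attachment: (filename, is_ole2, extension_mismatch).

    extension_mismatch is True when the name claims a legacy Office type but the
    bytes are not OLE2, or the bytes are OLE2 under a non-Office extension.
    """
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        payload = part.get_payload(decode=True) or b""
        ext = ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""
        ole = is_ole2(payload)
        mismatch = (ext in LEGACY_OFFICE_EXTS) != ole
        findings.append((name, ole, mismatch))
    return findings


def flagged_names(raw_message: bytes) -> list:
    """Names of attachments that are OLE2 containers (candidates for sandboxing)."""
    return [name for name, ole, _ in triage_attachments(raw_message) if ole]


def build_sample_message(ole_signature: bool = True) -> bytes:
    """Constructed sample mail: one .doc lure plus a harmless text attachment.

    With ole_signature=False the .doc carries no OLE2 header, which exercises the
    extension-mismatch check. Addresses are placeholders.
    """
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "activist@example.invalid"
    msg["Subject"] = "Concerns over Uyghur People"
    msg.set_content("Please see the attached report.")
    # Stub body: OLE2 signature (or not) followed by zero padding; not a real document
    head = OLE2_MAGIC if ole_signature else b"NOT-OLE2"
    stub_doc = head + b"\x00" * 504
    msg.add_attachment(stub_doc, maintype="application", subtype="msword",
                       filename="Concerns over Uyghur People.doc")
    msg.add_attachment(b"plain notes\n", maintype="application",
                       subtype="octet-stream", filename="notes.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, ole, mismatch in triage_attachments(build_sample_message()):
        print(f"{name}: ole2={ole} ext_mismatch={mismatch}")
```

The signature check is deliberately independent of the filename, because a lure can rename a binary Word file to anything Outlook will open; the mismatch flag catches the opposite case, where a .doc name fronts a file that is not an Office container at all. In production this is a first filter ahead of a sandbox, not a verdict on its own.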

This is not the first such campaign against ethnic groups in China. Last March, a near-identical spear phishing campaign was discovered to be targeting Tibetan activists with malicious attachments related to a Tibetan religious festival held in January; the attackers used a contaminated Office file to exploit a known vulnerability in software.

Then, in December, one of the Dalai Lama’s English-language websites was hacked. The Java-based exploit CVE-2012-0507 was being used to push the Dockster malware via the site, which was established in 2010 to bring Dalai Lama supporters a raft of news and information with embedded YouTube videos. Clearly the intent was to inconvenience sympathizers of the Buddhist leader, a central figure in the Tibetan movement to establish its freedom from China.
