The Council on Foreign Relations (CFR), a US think tank, has published a report analyzing the Chinese “Evil Eye” cyber campaign, arguing that the campaign shows that China is increasingly willing to use cyberattacks and information operations to pursue its political goals. According to a CFR article:
May 24, 2021
On March 24, 2021, Facebook announced they had taken actions against an advanced persistent threat (APT) group located in China, previously monikered as Evil Eye. Facebook accused the APT of abusing its platform, creating malicious websites, hacking legitimate websites and Facebook accounts, and distributing malware to affected individuals. The main targets of the campaign were Uyghur activists and journalists living abroad. Facebook subsequently used different tactics to identify and surveil suspected members of Evil Eye. To mitigate damage, Facebook blocked malicious domains used by the campaign, removed fake users, and notified Facebook users believed to have been targeted.
Evil Eye’s campaign was clearly motivated by a political goal that China frequently uses a blend of information operations (IO) and cyber means to accomplish: the disruption of dissidents, especially those who raise awareness of China’s human rights violations against its ethnic minorities. Previous attributions of Evil Eye show them targeting Tibetan, Uyghur, and Hong Kong dissidents starting in 2019 and possibly as early as 2013.
Evil Eye’s campaign combined a multitude of operations and attack vectors. Information, psychological, and influence operations were executed using information and social media manipulation and social engineering that included identity theft. Watering hole attacks, phishing, trojaned third-party app stores, and mobile malware were deployed. A concurrent goal in the recent campaign was to silence ethnic minority dissidents and deter further use of social media by instilling fear that they were under surveillance.
Read the rest here.
In recent years, there has been a rapid rise in cyber-attacks such as phishing and identity theft that are being combined with influence operations. In May, we reported on a suspected state-sponsored cyberespionage actor that targeted audiences in Lithuania, Latvia, and Poland with narratives critical of NATO’s presence in Eastern Europe.
In May, we reported that in the Czech Republic, China is laundering propaganda articles dismissing criticism of China’s policy against Uyghurs through local ‘alternative media’ outlets. We also reported in May that YouTube is being flooded with hundreds of Chinese propaganda videos denouncing Western companies after they accused the Chinese government of using forced labor in the cotton-growing Xinjiang region.