Evil Eye” Cyber Campaign Shows China’s Increasing Willingness To Combine Cyber Attacks And Information Operations

The Coun­cil on For­eign Rela­tions (CFR), a US think tank, has pub­lished a report ana­lyz­ing the Chi­nese “Evil Eye” cyber cam­paign, argu­ing that the cam­paign shows that Chi­na is increas­ing­ly will­ing to use cyber­at­tacks and infor­ma­tion oper­a­tions to pur­sue its polit­i­cal goals. Accord­ing to a CFR arti­cle:

May 24, 2021 On March 24, 2021, Face­book announced they had tak­en actions against an advanced per­sis­tent threat (APT) group locat­ed in Chi­na, pre­vi­ous­ly monikered as Evil Eye. Face­book accused the APT of abus­ing its plat­form, cre­at­ing mali­cious web­sites, hack­ing legit­i­mate web­sites and Face­book accounts, and dis­trib­ut­ing mal­ware to affect­ed indi­vid­u­als. The main tar­gets of the cam­paign were Uyghur activists and jour­nal­ists liv­ing abroad. Face­book sub­se­quent­ly used dif­fer­ent tac­tics to iden­ti­fy and sur­veil sus­pect­ed mem­bers of Evil Eye. To mit­i­gate dam­age, Face­book blocked mali­cious domains used by the cam­paign, removed fake users, and noti­fied Face­book users believed to have been tar­get­ed. Evil Eye’s cam­paign was clear­ly moti­vat­ed by a polit­i­cal goal that Chi­na fre­quent­ly uses a blend of infor­ma­tion oper­a­tions (IO) and cyber means to accom­plish: the dis­rup­tion of dis­si­dents, espe­cial­ly those who raise aware­ness of China’s human rights vio­la­tions against its eth­nic minori­ties. Pre­vi­ous attri­bu­tions of Evil Eye show them tar­get­ing Tibetan, Uyghur, and Hong Kong dis­si­dents start­ing in 2019 and pos­si­bil­i­ty as ear­ly as 2013. Evil Eye’s cam­paign com­bined a mul­ti­tude of oper­a­tions and attack vec­tors. Infor­ma­tion, psy­cho­log­i­cal, and influ­ence oper­a­tions were exe­cut­ed using infor­ma­tion and social media manip­u­la­tion and social engi­neer­ing that includ­ed iden­ti­ty theft. Water­ing hole attacks, phish­ing, tro­janed third par­ty app stores, and mobile mal­ware were deployed. A con­cur­rent goal in the recent cam­paign was to silence eth­nic minor­i­ty dis­si­dents and deter fur­ther use of social media by instill­ing fear that they were under surveillance.

Read the rest here.

In recent years, there has been a rapid rise in cyber-attacks such as phish­ing and iden­ti­ty theft that are being com­bined with influ­ence oper­a­tions. In May, we report­ed on a sus­pect­ed state-spon­sored cyberes­pi­onage actor that tar­get­ed audi­ences in Lithua­nia, Latvia, and Poland with nar­ra­tives crit­i­cal of NATO’s pres­ence in East­ern Europe.

In May, we report­ed that in the Czech Repub­lic, Chi­na is laun­der­ing pro­pa­gan­da arti­cles dis­miss­ing crit­i­cism of China’s pol­i­cy against Uyghurs through local ‘alter­na­tive media’ out­lets. We also report­ed in May that YouTube is being flood­ed with hun­dreds of Chi­nese pro­pa­gan­da videos denounc­ing West­ern com­pa­nies after they accused the Chi­nese gov­ern­ment of using forced labor in the cot­ton-grow­ing Xin­jiang region.