Zack Whittaker, reporting for TechCrunch:
A number of malicious websites used to hack into iPhones over a
two-year period were targeting Uyghur Muslims, TechCrunch has
Sources familiar with the matter said the websites were part of a
state-backed attack — likely China — designed to target the
Uyghur community in the country’s Xinjiang state.
It’s part of the latest effort by the Chinese government to crack
down on the minority Muslim community in recent history. In the
past year, Beijing has detained more than a million Uyghurs in
internment camps, according to a United Nations human rights
Google’s Project Zero team discovered these exploits early this year, and Apple closed them shortly thereafter. This week, the Project Zero team published their findings, and it’s really extraordinary work. What makes this case so unusual is that these sort of exploits are worth millions of dollars, and they are typically used very selectively to target individuals. What the Project Zero team discovered was different:
Earlier this year Google’s Threat Analysis Group (TAG) discovered
a small collection of hacked websites. The hacked sites were being
used in indiscriminate watering hole attacks against their
visitors, using iPhone 0-day.
There was no target discrimination; simply visiting the hacked
site was enough for the exploit server to attack your device, and
if it was successful, install a monitoring implant. We estimate
that these sites receive thousands of visitors per week.
TAG was able to collect five separate, complete and unique iPhone
exploit chains, covering almost every version from iOS 10 through
to the latest version of iOS 12. This indicated a group making a
sustained effort to hack the users of iPhones in certain
communities over a period of at least two years.
What Project Zero did not reveal is where these infected websites were located, or what group(s) they were targeting. Now, we apparently know: it was the Chinese government targeting Uyghur Muslims.
★ Monday, 2 September 2019