Those hackers Google’s researchers sussed out earlier this week apparently went after more than just iPhone users. Microsoft’s operating system along with Google’s own were also targeted, according to Forbes, in what some reports are calling a possibly state-backed effort to spy on the Uighur ethnic group in China.
Google’s Threat Analysis Group discovered the scheme earlier this year, and the company’s Project Zero team of security analysts first disclosed news of it Thursday. It involved a small group of websites aiming to infect visitors’ devices to gain access to their private information, including live location data and encrypted information on apps like WhatsApp, iMessage, and Telegram. These websites were up for two years, during which thousands of visitors purportedly accessed them each week.
In February, Google notified Apple of 14 vulnerabilities the site’s malware exploited, which Apple fixed within days with iOS 12.1.4. Apple disclosed in that update that the flaws, referred to as “memory corruption” issues, were fixed with “improved input validation.” The company hasn’t publicly addressed Google’s account of the hack since the news broke earlier this week.
While the Google team only reported iPhone users being targeted by this attack, sources familiar with the matter told Forbes that devices using Google and Microsoft operating systems were also targeted by these same sites, widening the potential scale of an already unprecedented attack.
Whether Google found or shared evidence of this is unclear, as is whether the attackers used the same method of attack as they did with iPhone users, which involved attempting to sneak malicious code onto users’ phones upon their visit to the infected websites.
When asked about these reported developments, a Google spokesperson said the company had no new information to disclose. As for Microsoft, a company spokesperson provided the following statement:
“Google Project Zero was very specific in its blog post that the recently publicized attacks used unique iPhone exploits and they have not disclosed similar information to us. Microsoft has a strong commitment to investigate reported security issues and, should new information be disclosed, we will take appropriate action as needed to help keep customers protected.”
The hack was all part of a broad, two-year campaign to gather surveillance on the Uighur community, a minority Muslim group often targeted by the Chinese government, according to a TechCrunch report later confirmed by Forbes. However, Google noted in its disclosure that “simply visiting the hacked site was enough for the exploit server to attack your device, and if it was successful, install a monitoring implant.” So it’s possible people outside this ethnic group could have been affected by the attack. A source also told Forbes the attacks may have been updated over time to be able to break into other operating systems to correspond with changes in the community’s usage.
This would mark the latest in a series of crackdowns on the ethnic group launched by the Chinese government and fueled by claims that the country’s remote Xinjiang region is being threatened by Islamist militants and separatists. Last year, the state forced 2 million Uighurs and Muslim minorities into “political camps for indoctrination,” according to reports from the United Nations, prompting more than 20 countries to call on China to put a stop to its mass detention efforts.
Referring to the hack Google recently revealed, Cooper Quintin, senior staff technologist at the digital rights non-profit group Electronic Frontier Foundation, told Forbes:
“The Chinese government has been systematically targeting the Uighur population for surveillance and imprisonment for years. These attacks likely have the goal of spying on the Uighur population in China, the Uyghur diaspora outside of China and people who sympathize with and might wish to help the Uighur in their struggle for independence.”
Update 9/2/2019, 3:31 p.m.: This story was updated with statements from Google and Microsoft, each of which said they had no new information besides what Google’s Project Zero team previously disclosed.