The United Kingdom’s National Cyber Security Centre (NCSC), in collaboration with international cybersecurity agencies, has issued a critical advisory concerning the proliferation of two sophisticated spyware variants, MOONSHINE and BADBAZAAR. These malicious programs are being strategically deployed to surveil and intimidate specific communities worldwide, including Uyghur Muslims, Tibetan rights advocates, Taiwanese independence supporters, and other groups critical of the Chinese government.
Identification and Attribution
MOONSHINE has been attributed to the Chinese-backed hacking group known as POISON CARP, also referred to as Evil Eye and Earth Empusa. This surveillanceware has been observed targeting Tibetan and Uyghur communities, with the aim of monitoring and suppressing activities that Chinese authorities deem religious extremism or separatism. BADBAZAAR, on the other hand, is linked to APT15, also known as VIXEN PANDA and NICKEL. This malware family has been used to track so-called pre-criminal activities within these communities, enabling extensive data collection and surveillance.
Deployment Mechanisms
Both MOONSHINE and BADBAZAAR are disseminated through applications that masquerade as legitimate software appealing to the targeted communities. For instance, MOONSHINE has been embedded in trojanized versions of popular messaging platforms like WhatsApp and Telegram, as well as in applications related to religious practice, such as Audio Quran, which specifically targets Uyghur Muslims. BADBAZAAR has been distributed through apps like TibetOne, an iOS application that appeared on the Apple App Store in December 2021 but has since been removed. These applications are often promoted within community-specific online forums, including Telegram channels and Reddit communities frequented by potential victims.
Capabilities and Risks
Once installed on a device, these spyware variants possess extensive data collection capabilities, including:
– Accessing device microphones and cameras.
– Retrieving SMS messages and call records.
– Collecting contact information.
– Extracting photos and media files.
– Tracking real-time location data.
– Accessing WeChat database files.
The data harvested through these means can facilitate digital surveillance, harassment, and suppression of the targeted individuals and groups. The indiscriminate nature of the malware’s distribution also poses a broader risk, potentially affecting individuals beyond the intended targets.
International Response
The advisory has been jointly issued by cybersecurity agencies from six nations: the UK’s NCSC, Australia’s Australian Cyber Security Centre (ACSC), Canada’s Canadian Centre for Cyber Security (CCCS), Germany’s Bundesnachrichtendienst (BND) and Bundesamt für Verfassungsschutz (BfV), New Zealand’s National Cyber Security Centre (NCSC-NZ), and the United States’ Federal Bureau of Investigation (FBI) and National Security Agency (NSA). This coordinated effort underscores the global concern regarding the use of state-sponsored surveillance tools to target and suppress specific communities.
Protective Measures
The NCSC has outlined several key recommendations for individuals, particularly those at risk, to protect themselves against such threats:
1. Stay Mainstream: Utilize official app stores for downloading applications and avoid jailbreaking or rooting devices, as these actions can expose devices to security vulnerabilities.
2. Stay Organized: Regularly review installed applications and their permissions to ensure no unauthorized access is granted.
3. Stay in Touch: Report any suspicious messages, files, or applications to platform providers to help mitigate the spread of malicious software.
4. Stay Alert: Exercise caution with links and files shared on social media platforms, as these can be vectors for malware distribution.
By adhering to these guidelines, individuals can enhance their security posture and reduce the risk of falling victim to such surveillance campaigns.
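The second recommendation, reviewing installed applications and their permissions, can be automated on Android by reading the output of `adb shell dumpsys package` and flagging any app that holds the permission combination matching the collection capabilities listed above (microphone, camera, SMS, call log, contacts, media, location). The script below is an added example written for this page, not tooling from the NCSC or any of the advisory's authors; the package names and the `dumpsys`-style text are constructed sample input, and the line layout only approximates real `dumpsys package` output, so the regular expressions should be checked against a device's actual output before relying on them.

```python
import re

# Map Android permissions to the data-collection capabilities named in the advisory.
HIGH_RISK_PERMISSIONS = {
    "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.CAMERA": "camera",
    "android.permission.READ_SMS": "SMS messages",
    "android.permission.READ_CALL_LOG": "call records",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_EXTERNAL_STORAGE": "photos and media files",
    "android.permission.READ_MEDIA_IMAGES": "photos and media files",
    "android.permission.ACCESS_FINE_LOCATION": "real-time location",
}

# Approximation of the 'Package [name] (hash):' header and the
# 'permission: granted=true|false, flags=[...]' lines in dumpsys package output.
PACKAGE_RE = re.compile(r"^\s*Package \[([\w.]+)\]")
GRANT_RE = re.compile(r"^\s*([\w.]+): granted=(true|false)")


def parse_granted_permissions(dumpsys_text):
    """Return {package_name: set(granted runtime permissions)}.

    Lines under 'requested permissions:' carry no 'granted=' field and are
    ignored, so only permissions the user actually approved are counted.
    """
    result = {}
    current = None
    for line in dumpsys_text.splitlines():
        m = PACKAGE_RE.match(line)
        if m:
            current = m.group(1)
            result.setdefault(current, set())
            continue
        m = GRANT_RE.match(line)
        if m and current and m.group(2) == "true":
            result[current].add(m.group(1))
    return result


def flag_high_risk(granted, threshold=3):
    """Return [(package, [capabilities])] for packages holding at least
    `threshold` distinct high-risk capabilities, most capable first."""
    findings = []
    for pkg, perms in granted.items():
        caps = sorted({HIGH_RISK_PERMISSIONS[p] for p in perms
                       if p in HIGH_RISK_PERMISSIONS})
        if len(caps) >= threshold:
            findings.append((pkg, caps))
    findings.sort(key=lambda f: (-len(f[1]), f[0]))
    return findings


# Constructed sample: a chat-app lookalike granted nearly everything, a
# flashlight app with camera only, and a maps app with location and contacts.
SAMPLE_DUMPSYS = """\
Package [com.example.chatapp] (3f1a2b):
    requested permissions:
      android.permission.INTERNET
      android.permission.RECORD_AUDIO
    runtime permissions:
      android.permission.RECORD_AUDIO: granted=true, flags=[ USER_SET ]
      android.permission.CAMERA: granted=true, flags=[ USER_SET ]
      android.permission.READ_SMS: granted=true, flags=[ USER_SET ]
      android.permission.READ_CALL_LOG: granted=true, flags=[ USER_SET ]
      android.permission.READ_CONTACTS: granted=true, flags=[ USER_SET ]
      android.permission.ACCESS_FINE_LOCATION: granted=true, flags=[ USER_SET ]
Package [com.example.flashlight] (9c0d11):
    runtime permissions:
      android.permission.CAMERA: granted=true, flags=[ USER_SET ]
      android.permission.ACCESS_FINE_LOCATION: granted=false, flags=[ USER_SET ]
Package [com.example.maps] (77ab02):
    runtime permissions:
      android.permission.ACCESS_FINE_LOCATION: granted=true, flags=[ USER_SET ]
      android.permission.READ_CONTACTS: granted=true, flags=[ USER_SET ]
"""

if __name__ == "__main__":
    # On a real device: adb shell dumpsys package > dump.txt, then feed dump.txt here.
    for pkg, caps in flag_high_risk(parse_granted_permissions(SAMPLE_DUMPSYS)):
        print(f"{pkg}: can access {', '.join(caps)}")
```

The threshold of three capabilities keeps single-purpose apps (a camera app, a navigation app) out of the report while still surfacing an app whose grants cover the whole collection profile described in the advisory; lower it to one to list every app with any sensitive grant. A hit is a prompt to ask whether the app's stated purpose needs those permissions and where it was installed from, not proof of compromise.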
Context and Implications
This warning comes amid escalating geopolitical tensions, including recent Chinese military drills around Taiwan and ongoing concerns about human rights violations in regions like Xinjiang and Tibet. The deployment of MOONSHINE and BADBAZAAR reflects a broader strategy of digital surveillance and suppression employed by state-sponsored actors to monitor and intimidate dissident communities.
The international community’s response highlights the need for vigilance and proactive measures to protect vulnerable populations from cyber threats. It also underscores the importance of collaboration among nations to address and mitigate the risks posed by state-sponsored cyber activities.
Conclusion
The NCSC’s advisory serves as a critical reminder of the evolving nature of cyber threats and the importance of maintaining robust security practices. Individuals and organizations, particularly those within targeted communities, must remain vigilant and adopt recommended protective measures to safeguard against these sophisticated surveillance tools. The collective efforts of international cybersecurity agencies aim to raise awareness and provide the necessary resources to combat such malicious activities effectively.