An iOS exploit called Insomnia was used between January and March 2020 to spy on Uyghurs in China.
Important points to remember
- Insomnia affects iOS 12.3, iOS 12.3.1 and iOS 12.3.2. Apple fixed it in iOS 12.4.
- It has been used by several Chinese entities, including the hacking group known as “Evil Eye”.
Evil Eye delivered a chain of exploits through an open-source framework called IRONSQUIRREL, exploiting a WebKit vulnerability that had been fixed in 2019. If this first stage succeeds, the group then installs malware called Insomnia.
During the first series of attacks, Evil Eye targeted visitors to the Uyghur Academy website; another targeted site was the Uyghur Times. Only certain user agents were targeted, meaning the exploit was served only to visitors detected as using an Apple device, such as:
Mozilla/5.0 (iPhone; CPU iPhone OS 12_3_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.1.1 EdgiOS/22.214.171.124 Mobile/15E148 Safari/604.1
Mozilla/5.0 (iPad; CPU OS 12_3_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 EdgiOS/44.5.2 Mobile/15E148 Safari/605.1.15
Since all browsers on iOS must use Apple’s WebKit engine, the exploit was not specific to Safari users: Safari, Google Chrome and Microsoft Edge were all successfully exploited.
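Because the targeting key was the iOS version in the user agent rather than the browser, defenders can run the same match over their own web or proxy logs to find devices still on an affected build, whatever browser they use. This Python example is added here and is not from the Volexity report; the log lines are constructed, and the combined log format and client addresses are assumptions.

```python
import re
from typing import List, Optional, Tuple

# iOS builds the page lists as affected by Insomnia; Apple fixed it in 12.4.
AFFECTED = {(12, 3), (12, 3, 1), (12, 3, 2)}

# Version token in iPhone ("CPU iPhone OS 12_3_1") and iPad ("CPU OS 12_3_1") user agents.
_IOS_RE = re.compile(
    r"\((?:iPhone|iPad|iPod);[^)]*?CPU (?:iPhone )?OS (\d+(?:_\d+)*) like Mac OS X\)"
)
# Combined log format: client address first, user agent as the last quoted field (assumption).
_LOG_RE = re.compile(r'^(\S+) .*"([^"]*)"$')

def ios_version(user_agent: str) -> Optional[Tuple[int, ...]]:
    """Return the iOS version as a tuple, or None for non-iOS clients."""
    m = _IOS_RE.search(user_agent)
    return tuple(int(p) for p in m.group(1).split("_")) if m else None

def browser_family(user_agent: str) -> str:
    """Third-party iOS browsers add their own token but still run on WebKit."""
    if "EdgiOS/" in user_agent:
        return "Edge"
    if "CriOS/" in user_agent:
        return "Chrome"
    return "Safari" if "Safari/" in user_agent else "other"

def is_affected(user_agent: str) -> bool:
    return ios_version(user_agent) in AFFECTED

def flag_affected_clients(log_text: str) -> List[Tuple[str, str, str]]:
    """(client, browser, iOS version) for each request made from an affected build."""
    hits = []
    for line in log_text.splitlines():
        m = _LOG_RE.match(line)
        if m and is_affected(m.group(2)):
            version = ".".join(str(p) for p in ios_version(m.group(2)))
            hits.append((m.group(1), browser_family(m.group(2)), version))
    return hits

# Constructed sample log lines (not from the report); addresses are placeholders.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Feb/2020:10:00:00 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 12_3_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.1.1 Mobile/15E148 Safari/604.1"
10.0.0.6 - - [01/Feb/2020:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (iPad; CPU OS 12_3_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 EdgiOS/44.5.2 Mobile/15E148 Safari/605.1.15"
10.0.0.7 - - [01/Feb/2020:10:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 12_4 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/77.0.3865.103 Mobile/15E148 Safari/604.1"
10.0.0.8 - - [01/Feb/2020:10:00:03 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0 Safari/537.36"
"""

if __name__ == "__main__":
    for client, browser, version in flag_affected_clients(SAMPLE_LOG):
        print(f"{client} {browser} on iOS {version}: update to 12.4 or later")
```

The iPad line is flagged even though it comes from Edge, which is the point of the WebKit remark above: patch status follows the OS version, not the browser.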
The malware carried a list of applications whose data it would steal if they happened to be installed on the victim’s device. Recently added to that list were Signal, a private messaging application, and ProtonMail, a private messaging service. Both use end-to-end encryption, and it is likely that China targeted Uyghurs who use these apps to hide their communications.
More details can be found in the Volexity report.