UPDATED 20:13 EST / SEPTEMBER 01 2019

SECURITY

Report: China behind iPhone hacking, targeted Android and Windows too

An attack that used malicious websites to hack iPhones is now believed to have originated in China and, in a new development, appears to have targeted Android devices and Microsoft Windows PCs as well.

The attack, first revealed Aug. 30 by Ian Beer, a researcher with Google LLC’s Project Zero, involved malicious websites that had been operating for as long as two years. Those sites were designed to compromise the devices of visitors and steal their data, and they used at least 14 different vulnerabilities to do so, including some previously unknown “zero-day” exploits.

Xinjiang Uyghur Autonomous Region

The origin of the attacks had been unknown until now, but two separate reports claim that the malicious sites were part of a Chinese state-sponsored campaign targeting the Uyghur community of the Middle Kingdom’s Xinjiang Uyghur Autonomous Region. The area has gained western media attention after China responded to an independence campaign and terrorist attacks by detaining a significant number of Uyghurs in re-education camps aimed at changing their political and religious beliefs. Western media claims they’re concentration camps.

TechCrunch broke the China link first on Saturday, quoting sources as saying that while the campaign was targeting Uyghurs, the websites also infected non-Uyghurs who inadvertently visited these domains, since they were indexed in Google search.

Since that initial report, Forbes confirmed the China link today with its own sources, adding that the campaign was not limited to iPhones but also sought to infect Android devices and Windows computers belonging to the Uyghur community. “Google’s and Microsoft’s operating systems were targeted via the same websites that launched the iPhone hacks,” the report said.

That non-Uyghurs may have been infected in the campaign should come as no surprise. In July it was reported that Chinese border guards were allegedly installing spyware on the phones of people entering Xinjiang through some land borders as well.

Kirsty Kelly, head of risk and cyber investigation at cloud-based email management firm Mimecast Ltd., told SiliconANGLE that the most concerning types of cyberattack for security researchers are the ones that exploit the victim without any interaction from the victim themselves, as happened here.

“Now that users are being made aware they might have been compromised by this technique, the real work can start in securing vulnerable apps and accounts again,” Kelly explained. “Threat actors now have access to user passwords, images, apps, Gmail database and the like, so a big concern is that they could also have access to emails that are synced to their mailbox. If the infected phone has been used solely for business purposes, it is likely that the company now faces the scenario that their private business information is now known to the threat actor and has either been leaked or could be exploited for financial gain.”

Photo: jamiejohn/Flickr; image: Wikimedia Commons
