Chinese Uighurs were the target of an iOS malware attack lasting more than two years that was revealed last week, according to multiple reports.
Android and Windows devices were also targeted in the campaign, which took the form of “watering hole attacks”: taking over commonly visited websites or redirecting their visitors to clones in order to indiscriminately attack each member of a community.
Zack Whittaker of TechCrunch, who first reported the focus of the attack on the Uighur Muslim community in Xinjiang province, said “the websites were part of a state-backed attack – likely [by] China – designed to target the Uighur community”.
The attack is thought to be the first large-scale exploitation of iOS vulnerabilities in the history of the iPhone. Using a large number of previously undiscovered weaknesses in the operating system, the malicious websites were able to gain near-total control of visiting devices without the users becoming aware, or having to do anything other than open the website in their browser.
The campaign was discovered by researchers at Google and shut down by Apple after the company was notified.
Even before the Chinese link was reported, many researchers assumed the attack was a state-backed campaign, since the value on the open market of one “no-click jailbreak” – a vulnerability that can take control of a phone without user interaction – is more than $1m (£830,000).
While the iOS attacks were the most noteworthy, the campaign also targeted more widely used devices, according to Thomas Brewster of Forbes.
“That Android and Windows were targeted is a sign that the hacks were part of a broad, two-year effort that went beyond Apple phones and infected many more than first suspected,” Brewster wrote.
“One source suggested that the attacks were updated over time for different operating systems as the tech usage of the Uighur community changed.”