Watering Holes and Million Dollar Dissidents: the Changing Economics of Digital Surveillance

Deeplinks 2019-09-09

Summary:

Recently, Google’s Project Zero published a report describing a newly discovered surveillance campaign that used chains of zero-day iOS exploits to spy on iPhones. The campaign employed multiple compromised websites in what is known as a “watering hole” attack: the compromised websites automatically ran the exploit chain against anyone who visited, with the aim of installing a surveillance implant on the device. Google did not reveal the names of the websites, or indeed who was being targeted, but it soon became clear through other reporting that the likely target of this campaign was the Uyghur community, a Turkic Muslim minority in China facing mass detention and other harsh crackdowns by the Chinese government, whose most repressive policies have come into place in recent years.

Security company Volexity followed up the week after with detailed reports of similar website exploit chains targeting Android and Windows devices, again hosted on websites with a primarily Uyghur readership. This week, another publication confirmed that the Chinese government had compromised several international telcos in order to perform yet more invasive surveillance on expatriate Uyghurs.

Resetting Our Thinking on States and Zero Days

There are many important things to take away from these astonishing reports by Google and others. The biggest lesson is that we have to reconsider our understanding of how state actors use zero days. The dominant thinking among security researchers has long been that governments and law enforcement would want to use zero-day exploits only sparingly and against very specific targets, to reduce the risk that an exploit would be discovered by security researchers or vendors, who would then fix the underlying bugs and render the exploit useless.

Zero-day exploits can be expensive, with iPhone exploits used against a single activist reportedly fetching upwards of 1 million dollars. Google’s report seemingly upends the traditional logic of zero-day economics: this time, zero-day exploit chains were used against thousands of users, indiscriminately targeting every visitor to a specific set of websites. But if we consider the targets of this campaign and the likely actors behind it, the economics make perfect sense. While it is new to observe a state-sponsored actor burning zero days to target an entire community rather than one individual within it, it is a reasonable tactic in this case.

These attacks likely have the goal of spying on the Uyghur diaspora outside China, to gain as much intelligence as possible on anyone associated with this movement within China or supporting the community from outside China’s borders. China has already arrested many community leaders, Uyghur activists, and human rights defenders, as well as their relatives, and is likely interested in discovering any nascent leaders before they become a problem.

Google’s report and Apple’s recent response both miss the mark on the impact of this attack. Google’s Project Zero post was vague about the targeted nature of the attack, saying “There was no target discrimination; simply visiting the hacked site was enough for the exploit server to attack your device … we estimate that these sites receive thous

Link:

https://www.eff.org/deeplinks/2019/09/watering-holes-and-million-dollar-dissidents-changing-economics-digital

From feeds:

Fair Use Tracker » Deeplinks
CLS / ROC » Deeplinks

Tags:

analysis

Authors:

Cooper Quintin, Threat Lab

Date tagged:

09/09/2019, 18:57

Date published:

09/06/2019, 20:27