Apple said Friday that a massive phone hacking scheme that affected Apple and Android phones targeted Uighurs, a persecuted Muslim ethnic minority group whose people have been imprisoned by the Chinese government.
In a blog post, the iPhone-maker took issue with some of the findings released by Google researchers last week that publicized vulnerabilities in Apple’s iOS operating system, noting that Google’s disclosure came six months after Apple had patched them. Apple claimed that Google’s research created “the false impression” of a “mass exploitation” and that the attacks were only operational for two months, not two years, as first implied by Google.
In the same post, Apple confirmed earlier reporting and research that the website-based attacks, in which users visited compromised websites and jeopardized the security of their iPhones and Android devices, focused on Uighurs, a minority Turkic group that includes more than 11 million people living in Xinjiang, a region in northwest China.
“The attack affected fewer than a dozen websites that focus on content related to the Uighur community,” Apple said. “Regardless of the scale of the attack, we take the safety and security of all users extremely seriously.”
Xinjiang is one of the most surveilled places in the world, and the Chinese government has been cracking down on the ethnic minorities who live there under the guise of public safety. Since 2017, more than a million people have been detained in internment camps in Xinjiang in a practice that’s been decried by the US government and the international community.
A source close to the situation told BuzzFeed News that the hack emanated from China. An FBI official familiar with discussions around the exploit said that the agency had been aware of the issue for “some time” and has been “closely monitoring” the situation for updates. That person said other US intelligence agencies have also been monitoring the problem.
The source said that there have been communications between the FBI and Apple and that there are generally regular conversations between the bureau and Silicon Valley companies. An FBI spokesperson declined to comment.
An Apple spokesperson did not immediately return a request for comment.
In what was a strong rebuke of Google’s findings, Apple’s post declared that the “sophisticated attack” did not target iPhones “en masse.” While Google did not reveal how many devices were ultimately infected, it noted last week that “simply visiting the hacked site was enough for the exploit server to attack your device, and if it was successful, install a monitoring implant.”
“We estimate that these sites receive thousands of visitors per week,” Ian Beer of Google’s Project Zero wrote in the post.
Apple gave no indication of how many Apple devices were compromised by the exploit.
“We fixed the vulnerabilities in question in February — working extremely quickly to resolve the issue just 10 days after we learned about it,” the company said. “When Google approached us, we were already in the process of fixing the exploited bugs.”
In a response Friday, a Google spokesperson said the company stood by its research, “which was written to focus on the technical aspects of these vulnerabilities.”
“Project Zero posts technical research that is designed to advance the understanding of security vulnerabilities, which leads to better defensive strategies,” a spokesperson said in a statement. “We will continue to work with Apple and other leading companies to help keep people safe online.”
This story has been updated with information from an FBI official and Google.
Jason Leopold is a senior investigative reporter for BuzzFeed News and is based in Los Angeles. He is a 2018 Pulitzer finalist for international reporting, recipient of the IRE 2016 FOI award and a 2016 Newseum Institute National Freedom of Information Hall of Fame inductee.