Daniel Sinclair @_DanielSinclair Building for young people. Not reading @danielsunread. Lurking behind likes and thinking about social media, communication, & China. Sep. 26, 2019 5 min read

Almost 10 days ago now, this video dropped on YouTube, displaying a Chinese paramilitary force — labeled as SWAT 特警 — moving what appear to be heavily restrained, even blindfolded, Uyghur men.  https://youtu.be/gGYoeJ5U7cQ 

It appeared from a throwaway YouTube account, in tandem with this throwaway Twitter handle. Both went cold within an hour.

The video, shot from a drone, is disturbing to watch. It parallels a dark historical context, and displays the systematic destruction of Uyghur culture in Xinjiang, on the ground, in its cold procedure, for the first time. We saw the camps and kindergartens. But this was new.

The incredible work here validated the drone footage as authentic, and predicts that it was captured in August of 2018. It also places it near one of the detention camps.

There are still some questions, and interesting details that put this video in a better context. I haven't seen those analyzed yet. So I'll give it a shot, and share what I found.

That first tweet appeared at 1:39pm EST on September 17th. The timecode seen in the first few frames of the video — which is a phone recording of a monitor — displays Wednesday 23:58. 9/17 was a Tuesday. No time zone reaches that far ahead. This recording was at least 6 days old.
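To make the weekday arithmetic in this tweet checkable, here is an added Python example (it is not part of the original thread). It takes the tweet time the thread gives (1:39 pm EST on 2019-09-17, with EST treated as UTC-5 as the thread states) and the on-screen clock reading "Wednesday 23:58", scans every real-world UTC offset from -12:00 to +14:00, and reports the most recent moment at which a wall clock in any zone could have shown that reading before the tweet went out; both inputs are constructed from the thread's own figures.

```python
from datetime import datetime, timedelta, timezone

# Constructed inputs taken from the thread: the first tweet was posted at
# 1:39 pm EST on 2019-09-17 (EST treated as UTC-5, as the thread states),
# and the on-screen clock in the first frame read "Wednesday 23:58".
TWEET_UTC = datetime(2019, 9, 17, 13, 39,
                     tzinfo=timezone(timedelta(hours=-5))).astimezone(timezone.utc)
SCREEN_WEEKDAY = 2          # datetime.weekday(): Monday=0 ... Wednesday=2
SCREEN_HHMM = (23, 58)

# Real-world UTC offsets run from -12:00 to +14:00; scanning in 15-minute
# steps covers odd offsets such as +05:45 as well.
OFFSETS_MIN = range(-12 * 60, 14 * 60 + 1, 15)


def last_clock_reading(tweet_utc, offset_minutes, weekday, hhmm):
    """Return (tweet time in this zone, most recent instant at or before it
    when a wall clock in this zone showed the given weekday and HH:MM)."""
    tz = timezone(timedelta(minutes=offset_minutes))
    local = tweet_utc.astimezone(tz)
    cand = local.replace(hour=hhmm[0], minute=hhmm[1], second=0, microsecond=0)
    # Walk back a day at a time until the candidate is in the past and on
    # the right weekday.
    while cand > local or cand.weekday() != weekday:
        cand -= timedelta(days=1)
    return local, cand


def any_offset_same_day(tweet_utc=TWEET_UTC, weekday=SCREEN_WEEKDAY,
                        hhmm=SCREEN_HHMM):
    """True if some UTC offset lets the clock reading fall on the same local
    calendar day as the tweet; False means the reading must predate it."""
    for off in OFFSETS_MIN:
        local, cand = last_clock_reading(tweet_utc, off, weekday, hhmm)
        if cand.date() == local.date():
            return True
    return False


def minimum_age(tweet_utc=TWEET_UTC, weekday=SCREEN_WEEKDAY, hhmm=SCREEN_HHMM):
    """Lower bound on how old the recorded clock reading is, minimised over
    every UTC offset. Returns (age, offset_hours, local date of the reading)
    for the offset that yields the smallest age."""
    best = None
    for off in OFFSETS_MIN:
        local, cand = last_clock_reading(tweet_utc, off, weekday, hhmm)
        age = local - cand
        if best is None or age < best[0]:
            best = (age, off / 60, cand.date())
    return best


if __name__ == "__main__":
    age, off, day = minimum_age()
    print(f"same-day reading possible in any zone: {any_offset_same_day()}")
    print(f"earliest consistent reading: {day} (UTC{off:+.2f}), "
          f"so the recording is at least {age} old")
```

Even the zone furthest ahead (UTC+14) only reaches Wednesday morning when the tweet is posted, so the most recent "Wednesday 23:58" any wall clock could have shown is the previous Wednesday, 11 September, six calendar days before the upload.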

There are a lot of details in that first frame that paint a picture of what we are looking at. Here it is in its totality. This is a Kali distribution of Linux. It's an OS loaded with pentesting tools common in infosec. In the dock, we have Nmap and Metasploit.

On the right, we're looking at this anonymous individual's filesystem. The directory they're in is /Home/Desktop/Under--Documents. It's challenging to make out some of the characters; an actual translator probably could. Best-in-class Chinese OCR models failed too.

The actual video is being played from a subdirectory /GL2_WIN7/----Flight- that contains 4 similarly named video files.

The most important clue of what we are looking at is this window. It doesn't tell the full story, but it gives us a glimpse. This is Metasploit Meterpreter in action. But we can only really see the post-exploit cleanup; it appears to be a data exfiltration to a local 46572 port.

By all evidence here, it appears that we aren't looking at the footage from an onlooker. We are looking at footage from a Chinese government drone that was filming the movement of these prisoners — and someone, somewhere, stole that footage and uploaded it to YouTube a year later.

The last clues that further paint this picture are these directories. The video we watched was in GL2_WIN7. I think that stands for Global Area 2 on Windows 7; that appears to be an IBM z/OS mainframe arch. SMB is a file server. VistaJ is Liquent Vista Java, used by IBM FileNet.

Someone appears to have unwound an IBM mainframe within the Chinese government, & that resulted in this video coming out of Xinjiang. I'm not weathered in infosec, and could be wrong about these naming schemas — but this does appear to be a hack. They def got fired for buying IBM.

That's not where this ends; there is more evidence in the video that paints the picture that this was captured by the Chinese government itself.

At 39 meters in the air, with the pilot just 34.8 meters away, not a single member of this paramilitary force is reacting to the sound of a drone. Drones aren't silent, but everything continues on the ground as normal — because this must be a normal procedure.

The app we are seeing in this recording is DJI Go, and it gives us more hints as to the origin of this video. While the pilot zooms in, we can see that it maxes out at 30x. It's not digital zoom. This is optical zoom, and only one DJI camera supports 30x zoom, the Zenmuse Z30.

The DJI Zenmuse Z30 only supports these enterprise products: Matrice 100, Matrice M200 Series, Matrice M200 Series V2, M600 Pro and Matrice 600. The 2018 timing of the video, and release of the Z30, makes me believe we are looking at a M600 Pro. This is an industrial-grade drone.

Needless to say, that Hollywood & industry level hexacopter is not quiet. If it was operated by an onlooker, spying on SWAT moving persecuted Uyghurs, it would likely have been gunned down by any number of those heavily armed paramilitary police officers.

I think we know who was piloting that drone, because they appear to have filmed themself. We see pelican hard cases; that is common for large industry drones like DJI's Matrice line. It looks like they also have a custom control station; DJI doesn't sell that, at least publicly.

From other angles, we can actually see that this custom DJI control station appears to be connected to a satellite uplink. That's a black satellite dish right there; you can see the dome reflection. Maybe it was connected to Beijing — and maybe that's where this IBM hack played out.

Based on @Nrg8000's localization and validation work, you could probably play back the satellite orbit records from the tracking community to place Chinese military satellites (like the ChinaSat constellation) in orbit. Every government probably already has.

There are some odd things about the screen-recording of this drone footage, I should add. Firstly, the camera remains oddly still, with a natural shake, but we don't see that really change when they use a key to go fullscreen here. There's also an odd white screentear on the left.

Here, we see a cut. There are actually quite a few throughout this recording. This one does appear to be in the raw video. The battery goes from 85% to 32% and we lose 14 minutes of this drone footage.

In this one, slowed down further, there are actually two cuts, with visible cross fades. I can't explain what's going on here. The most odd thing is not just how the raw video may be acting, but the monitor camera too — look at the exposure of the battery indicator. It changes.

There are some strange things in that video that I can’t really explain. They could just be artifacting and compression bugs. Video over radio -> satellite uplink -> mainframe -> yoink -> playback in a VM -> uploaded to YouTube. Still odd. Not inauthentic. But possibly edited.

