DDoS Attacks Against Hong Kong Movement Linked to Chinese Threat Actors: FireEye

DDoS Attacks on Hong Kong Pro-Democracy Movement Linked to Chinese Threat Actors

A series of distributed denial-of-service (DDoS) attacks launched recently against websites related to the pro-democracy movement in Hong Kong appear to be connected to a Chinese threat actor.

Since the people of Hong Kong started protesting against China’s refusal to let the Asian financial hub democratically elect its leader, there has been a lot of movement in cyberspace. Protesters were targeted with malicious mobile applications, Anonymous hacktivists threatened Hong Kong police over their crowd-control methods and, more recently, DDoS attacks were launched against some pro-democracy websites.

Researchers at security firm FireEye have identified several pieces of malware that have been used to launch DDoS attacks against websites of Next Media, the largest media company in Hong Kong, and HKGolden, a popular online forum that has been used to organize protests.

Once it infects a computer, the malware drops a variant of a DDoS tool called KernelBot. The threat connects to its command and control (C&C) server from which it gets a configuration file containing a list of targeted IP addresses and domains.

The IPs identified by researchers belong to Next Media, including ones associated with the company’s Apple Daily newspaper, and HKGolden — all of which are blocked in China. The floods stopped on October 24 and FireEye told SecurityWeek that it hasn’t seen any targets related to the pro-democracy movement in Hong Kong attacked since this date.

Interestingly, the attacks stopped after the bots had been instructed on October 23 to flood an IP hosting one of the domains controlled by the attackers. Experts said it’s uncertain whether they did this on purpose to test the capability of their botnet, or whether they made a mistake.

While DDoS attacks are in many cases conducted by hacktivists to attract attention to a cause, researchers have uncovered evidence that connects this particular campaign to the activities of China-based advanced persistent threat (APT) actors, including the ones behind Operation Poisoned Hurricane, in which organizations from the United States and Asia had been targeted.

The pieces of malware used in the DDoS attacks have been signed with code signing certificates from QTI International and CallTogether. These certificates had been used previously to sign pieces of malware involved in various other APT campaigns.

For example, the QTI International certificate was used to sign a piece of malware, Backdoor.APT.PISCES, which used hk.java-se[.]com for C&C. The same domain was seen in June when malicious JavaScript was detected on the website of the Hong Kong Association for Democracy and People’s Livelihood. The malicious JavaScript was also spotted on the site of the Democratic Party of Hong Kong, FireEye said.

This overlap in tools and infrastructure shows that there is a connection between recent APT campaigns, whose goals included the theft of intellectual property, and the DDoS attacks targeting the pro-democracy movement in Hong Kong. Researchers have pointed out that the Chinese government could be behind both types of operations since it is interested not only in silencing free speech, but also in obtaining information that can be used for economic gain.
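The attribution reasoning above is an indicator-pivot: samples that share a code-signing certificate or a C&C domain are placed in the same cluster, so the DDoS tool, Backdoor.APT.PISCES and the malicious JavaScript end up linked through the QTI International certificate and hk.java-se[.]com. The script below is an added illustration of that clustering step and is not FireEye's code or data; the indicator names are taken from the article, but every sample id, the extra signer and the `PLACEHOLDER-*` domains are constructed stand-ins.

```python
"""
Pivot on shared indicators (code-signing certificate subject, C&C domain) to
link otherwise separate malware samples into one cluster, the way the article
connects the Hong Kong DDoS tool to earlier APT activity.

All sample records below are CONSTRUCTED for illustration. Indicator names
(QTI International, CallTogether, hk.java-se[.]com, Backdoor.APT.PISCES,
KernelBot) come from the article; sample ids and PLACEHOLDER-* values do not.
"""
from collections import defaultdict

# Constructed sample metadata (not FireEye data). Each record holds the two
# indicators an analyst would extract: the Authenticode signer subject and the
# set of domains contacted for command and control.
SAMPLES = [
    {"id": "sample-ddos-1", "family": "KernelBot variant",
     "signer": "QTI International", "c2": {"PLACEHOLDER-ddos-c2.example"}},
    {"id": "sample-ddos-2", "family": "KernelBot variant",
     "signer": "CallTogether", "c2": {"PLACEHOLDER-ddos-c2.example"}},
    {"id": "sample-pisces-1", "family": "Backdoor.APT.PISCES",
     "signer": "QTI International", "c2": {"hk.java-se[.]com"}},
    {"id": "sample-js-1", "family": "malicious JavaScript",
     "signer": None, "c2": {"hk.java-se[.]com"}},          # JS carries no signer
    {"id": "sample-unrelated", "family": "commodity adware",
     "signer": "PLACEHOLDER Other Signer", "c2": {"PLACEHOLDER-other.example"}},
]


def indicator_keys(sample):
    """Typed indicator keys for one sample; a missing signer yields no key."""
    keys = set()
    if sample.get("signer"):
        keys.add(("signer", sample["signer"]))
    for domain in sample.get("c2", ()):
        keys.add(("c2", domain))
    return keys


def cluster_by_shared_indicators(samples):
    """Union-find over samples: two samples join when they share any key.

    Returns (clusters, edges); each edge records which key linked which pair,
    so the analyst can show the chain of evidence rather than just the result.
    """
    parent = {s["id"]: s["id"] for s in samples}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    def union(a, b):
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[rb] = ra

    owners = defaultdict(list)  # indicator key -> sample ids carrying it
    for s in samples:
        for key in indicator_keys(s):
            owners[key].append(s["id"])

    edges = []
    for key, ids in owners.items():
        for other in ids[1:]:
            union(ids[0], other)
            edges.append((ids[0], other, key))

    clusters = defaultdict(set)
    for s in samples:
        clusters[find(s["id"])].add(s["id"])
    return [frozenset(c) for c in clusters.values()], edges


def cluster_of(samples, sample_id):
    """The set of sample ids transitively linked to sample_id."""
    clusters, _ = cluster_by_shared_indicators(samples)
    for c in clusters:
        if sample_id in c:
            return c
    return frozenset()


if __name__ == "__main__":
    clusters, edges = cluster_by_shared_indicators(SAMPLES)
    for a, b, (kind, value) in edges:
        print(f"{a} <-> {b} via {kind} {value}")
    for c in clusters:
        print("cluster:", sorted(c))
```

Run it and the DDoS samples, the PISCES backdoor and the JavaScript sample fall into one cluster while the unrelated sample stays alone; the printed edges give the evidence chain (shared C&C domain, shared signer, shared domain again). In practice the pivot only carries weight when the shared indicator is rare: a certificate stolen from a legitimate vendor links samples far more strongly than a domain on a shared hosting provider would.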

“Clearly, the Chinese government has identified social media and uncontrolled information as a major threat. The linkage between probable Chinese hackers responsible for a number of Advanced Persistent Threat (APT) attacks around intellectual property theft and the ongoing Distributed Denial of Service attacks against the Pro Democracy movement in Hong Kong makes sense,” Tony Cole, VP and Global Government CTO at FireEye, said in a blog post.

“The Chinese government is utilizing their deep hacking expertise garnered to shut down any online systems hosting information pertaining to and supporting the Pro-Democracy Movement in Hong Kong. All the while, they continue to shut down Social Media via the Great FireWall of China and thereby limit access to information on the Internet.”

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.