DDoS Attacks on Hong Kong Pro-Democracy Movement Linked to Chinese Threat Actors
A series of distributed denial-of-service (DDoS) attacks launched recently against websites related to the pro-democracy movement in Hong Kong appear to be connected to a Chinese threat actor.
Since the people of Hong Kong started protesting against China’s refusal to let the Asian financial hub democratically elect its leader, there has been a lot of movement in cyberspace. Protesters were targeted with malicious mobile applications, Anonymous hacktivists threatened Hong Kong police over their crowd-control methods and, more recently, DDoS attacks were launched against some pro-democracy websites.
Researchers at security firm FireEye have identified several pieces of malware that have been used to launch DDoS attacks against websites of Next Media, the largest media company in Hong Kong, and HKGolden, a popular online forum that has been used to organize protests.
Once it infects a computer, the malware drops a variant of a DDoS tool called KernelBot. The threat connects to its command and control (C&C) server from which it gets a configuration file containing a list of targeted IP addresses and domains.
The IPs identified by researchers belong to Next Media, including ones associated with the company’s Apple Daily newspaper, and HKGolden — all of which are blocked in China. The floods stopped on October 24 and FireEye told SecurityWeek that it hasn’t seen any targets related to the pro-democracy movement in Hong Kong attacked since this date.
Interestingly, the attacks stopped after on October 23 the bots had been instructed to flood an IP hosting one of the domains controlled by the attackers. Experts said it’s uncertain if they did this on purpose to test the capability of their botnet, or if they made a mistake.
While DDoS attacks are in many cases conducted by hacktivists to attract attention to a cause, researchers have uncovered evidence that connects this particular campaign to the activities of China-based advanced persistent threat (APT) actors, including the ones behind Operation Poisoned Hurricane, in which organizations from the Unites States and Asia had been targeted.
The pieces of malware used in the DDoS attacks have been signed with code signing certificates from QTI International and CallTogether. These certificates had been used previously to sign pieces of malware involved in various other APT campaigns.
This overlap in tools and infrastructure shows that there is a connection between recent APT campaigns, whose goals included the theft of intellectual property, and the DDoS attacks targeting the pro-democracy movement in Hong Kong. Researchers have pointed out that the Chinese government could be behind both types of operations since it is interested not only in silencing free speech, but also in obtaining information that can be used for economic gain.
“Clearly, the Chinese government has identified social media and uncontrolled information as a major threat. The linkage between probable Chinese hackers responsible for a number of Advanced Persistent Threat (APT) attacks around intellectual property theft and the ongoing Distributed Denial of Service attacks against the Pro Democracy movement in Hong Kong makes sense,” Tony Cole, VP and Global Government CTO at FireEye, said in a blog post.
“The Chinese government is utilizing their deep hacking expertise garnered to shut down any online systems hosting information pertaining to and supporting the Pro-Democracy Movement in Hong Kong. All the while, they continue to shut down Social Media via the Great FireWall of China and thereby limit access to information on the Internet.”