DDoS Attacks Against Hong Kong Movement Linked to Chinese Threat Actors: FireEye

DDoS Attacks on Hong Kong Pro-Democracy Movement Linked to Chinese Threat Actors

A series of distributed denial-of-service (DDoS) attacks launched recently against websites related to the pro-democracy movement in Hong Kong appear to be connected to a Chinese threat actor.

Since the people of Hong Kong started protesting against China’s refusal to let the Asian financial hub democratically elect its leader, there has been a lot of activity in cyberspace. Protesters were targeted with malicious mobile applications, Anonymous hacktivists threatened Hong Kong police over their crowd-control methods and, more recently, DDoS attacks were launched against some pro-democracy websites.

Researchers at security firm FireEye have identified several pieces of malware that have been used to launch DDoS attacks against websites of Next Media, the largest media company in Hong Kong, and HKGolden, a popular online forum that has been used to organize protests.

Once it infects a computer, the malware drops a variant of a DDoS tool called KernelBot. The threat connects to its command and control (C&C) server, from which it retrieves a configuration file containing a list of targeted IP addresses and domains.

The IPs identified by researchers belong to Next Media, including ones associated with the company’s Apple Daily newspaper, and HKGolden — all of which are blocked in China. The floods stopped on October 24 and FireEye told SecurityWeek that it hasn’t seen any targets related to the pro-democracy movement in Hong Kong attacked since this date.

Interestingly, the attacks stopped after the bots were instructed, on October 23, to flood an IP address hosting one of the domains controlled by the attackers themselves. Experts said it’s uncertain whether they did this on purpose to test the capability of their botnet, or whether it was a mistake.

While DDoS attacks are in many cases conducted by hacktivists to attract attention to a cause, researchers have uncovered evidence that connects this particular campaign to the activities of China-based advanced persistent threat (APT) actors, including the ones behind Operation Poisoned Hurricane, which targeted organizations in the United States and Asia.


The pieces of malware used in the DDoS attacks have been signed with code signing certificates from QTI International and CallTogether. These certificates had been used previously to sign pieces of malware involved in various other APT campaigns.

For example, the QTI International certificate was used to sign a piece of malware, Backdoor.APT.PISCES, which used hk.java-se[.]com for C&C. The same domain was seen in June when malicious JavaScript was detected on the website of the Hong Kong Association for Democracy and People’s Livelihood. The malicious JavaScript was also spotted on the site of the Democratic Party of Hong Kong, FireEye said.

This overlap in tools and infrastructure shows that there is a connection between recent APT campaigns, whose goals included the theft of intellectual property, and the DDoS attacks targeting the pro-democracy movement in Hong Kong. Researchers have pointed out that the Chinese government could be behind both types of operations since it is interested not only in silencing free speech, but also in obtaining information that can be used for economic gain.

“Clearly, the Chinese government has identified social media and uncontrolled information as a major threat. The linkage between probable Chinese hackers responsible for a number of Advanced Persistent Threat (APT) attacks around intellectual property theft and the ongoing Distributed Denial of Service attacks against the Pro Democracy movement in Hong Kong makes sense,” Tony Cole, VP and Global Government CTO at FireEye, said in a blog post.

“The Chinese government is utilizing their deep hacking expertise garnered to shut down any online systems hosting information pertaining to and supporting the Pro-Democracy Movement in Hong Kong. All the while, they continue to shut down Social Media via the Great FireWall of China and thereby limit access to information on the Internet.”

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
