Security Experts:

Connect with us

Hi, what are you looking for?


Network Security

DDoS Attacks Against Hong Kong Movement Linked to Chinese Threat Actors: FireEye

DDoS Attacks on Hong Kong Pro-Democracy Movement Linked to Chinese Threat Actors

A series of distributed denial-of-service (DDoS) attacks launched recently against websites related to the pro-democracy movement in Hong Kong appear to be connected to a Chinese threat actor.

DDoS Attacks on Hong Kong Pro-Democracy Movement Linked to Chinese Threat Actors

A series of distributed denial-of-service (DDoS) attacks launched recently against websites related to the pro-democracy movement in Hong Kong appear to be connected to a Chinese threat actor.

Since the people of Hong Kong started protesting against China’s refusal to let the Asian financial hub democratically elect its leader, there has been a lot of movement in cyberspace. Protesters were targeted with malicious mobile applications, Anonymous hacktivists threatened Hong Kong police over their crowd-control methods and, more recently, DDoS attacks were launched against some pro-democracy websites.

Researchers at security firm FireEye have identified several pieces of malware that have been used to launch DDoS attacks against websites of Next Media, the largest media company in Hong Kong, and HKGolden, a popular online forum that has been used to organize protests.

Once it infects a computer, the malware drops a variant of a DDoS tool called KernelBot. The threat connects to its command and control (C&C) server from which it gets a configuration file containing a list of targeted IP addresses and domains.

The IPs identified by researchers belong to Next Media, including ones associated with the company’s Apple Daily newspaper, and HKGolden — all of which are blocked in China. The floods stopped on October 24 and FireEye told SecurityWeek that it hasn’t seen any targets related to the pro-democracy movement in Hong Kong attacked since this date.

Interestingly, the attacks stopped after on October 23 the bots had been instructed to flood an IP hosting one of the domains controlled by the attackers. Experts said it’s uncertain if they did this on purpose to test the capability of their botnet, or if they made a mistake.

While DDoS attacks are in many cases conducted by hacktivists to attract attention to a cause, researchers have uncovered evidence that connects this particular campaign to the activities of China-based advanced persistent threat (APT) actors, including the ones behind Operation Poisoned Hurricane, in which organizations from the Unites States and Asia had been targeted.

The pieces of malware used in the DDoS attacks have been signed with code signing certificates from QTI International and CallTogether. These certificates had been used previously to sign pieces of malware involved in various other APT campaigns.

For example, the QTI International certificate was used to sign a piece of malware, Backdoor.APT.PISCES, which used[.]com for C&C. The same domain was seen in June when malicious JavaScript was detected on the website of the Hong Kong Association for Democracy and People’s Livelihood. The malicious JavaScript was also spotted on the site of the Democratic Party of Hong Kong, FireEye said.

This overlap in tools and infrastructure shows that there is a connection between recent APT campaigns, whose goals included the theft of intellectual property, and the DDoS attacks targeting the pro-democracy movement in Hong Kong. Researchers have pointed out that the Chinese government could be behind both types of operations since it is interested not only in silencing free speech, but also in obtaining information that can be used for economic gain.

“Clearly, the Chinese government has identified social media and uncontrolled information as a major threat. The linkage between probable Chinese hackers responsible for a number of Advanced Persistent Threat (APT) attacks around intellectual property theft and the ongoing Distributed Denial of Service attacks against the Pro Democracy movement in Hong Kong makes sense,” Tony Cole, VP and Global Government CTO at FireEye, said in a blog post.

“The Chinese government is utilizing their deep hacking expertise garnered to shut down any online systems hosting information pertaining to and supporting the Pro-Democracy Movement in Hong Kong. All the while, they continue to shut down Social Media via the Great FireWall of China and thereby limit access to information on the Internet.”

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content

Network Security

NSA publishes guidance to help system administrators identify and mitigate cyber risks associated with transitioning to IPv6.

Identity & Access

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the...

Cybersecurity Funding

Forward Networks, a company that provides network security and reliability solutions, has raised $50 million from several investors.


The Hive ransomware website has been seized as part of an operation that involved law enforcement in 10 countries.


The FBI dismantled the network of the prolific Hive ransomware gang and seized infrastructure in Los Angeles that was used for the operation.


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet

Network Security

Cisco patched a high-severity SQL injection vulnerability in Unified Communications Manager (CM) and Unified Communications Manager Session Management Edition (CM SME).

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...